scsi: lpfc: Fix use-after-free mailbox cmd completion
authorJames Smart <jsmart2021@gmail.com>
Tue, 12 Mar 2019 23:30:06 +0000 (16:30 -0700)
committerMartin K. Petersen <martin.petersen@oracle.com>
Tue, 19 Mar 2019 16:57:01 +0000 (12:57 -0400)
When unloading the driver, mailbox commands may be sent without holding a
reference on the ndlp. By the time the mailbox command completes, the ndlp
may have reduced its ref counts and been freed.  The problem was reported
by KASAN.

While unregistering due to driver unload, turn the completion into a no-op by
setting the ndlp context to NULL. Because of the unload, no further action is
necessary.  Also, while reviewing this path, the generic nulling of the
context after handling should be moved slightly.

Reported by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/lpfc/lpfc_hbadisc.c
drivers/scsi/lpfc/lpfc_sli.c

index aa4961a2caf81f4418e9c0bcc71808636bcd755f..3fb20ade90057f029cd90d84f77dc56ab9446bc0 100644 (file)
@@ -4868,6 +4868,10 @@ lpfc_unreg_rpi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
                                         * accept PLOGIs after unreg_rpi_cmpl
                                         */
                                        acc_plogi = 0;
+                               } else if (vport->load_flag & FC_UNLOADING) {
+                                       mbox->ctx_ndlp = NULL;
+                                       mbox->mbox_cmpl =
+                                               lpfc_sli_def_mbox_cmpl;
                                } else {
                                        mbox->ctx_ndlp = ndlp;
                                        mbox->mbox_cmpl =
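Review bot: The unchanged `else` arm still stores the raw node pointer with `mbox->ctx_ndlp = ndlp;`, and nothing visible in this hunk takes a reference for the lifetime of the mailbox command, so the fix relies on `FC_UNLOADING` being set before any path can free the node. The completion handler in lpfc_sli.c dereferences that pointer (`ndlp->nlp_flag &= ~NLP_UNREG_INP;` in the second hunk), so if the node can be released outside of unload the same use-after-free would remain; it is worth confirming that it cannot, or holding a reference across the command, for example `mbox->ctx_ndlp = lpfc_nlp_get(ndlp);` paired with a put in the completion. The new arm also sits after an earlier branch whose condition is outside the hunk, so during unload that earlier branch still takes precedence; a comment such as `/* Unloading: ndlp may be freed before the mailbox completes, do not pass it */` would record the intent. lpfc_unreg_rpi starts and ends outside the hunk.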
index 57b4a463b5892d2f0cd0f56697d3a4b168b9a500..de5715b07522bff85e9e7e7a13f0047b9675c928 100644 (file)
@@ -2502,8 +2502,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
                        } else {
                                ndlp->nlp_flag &= ~NLP_UNREG_INP;
                        }
+                       pmb->ctx_ndlp = NULL;
                }
-               pmb->ctx_ndlp = NULL;
        }
 
        /* Check security permission status on INIT_LINK mailbox command */
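Review bot: After this move `pmb->ctx_ndlp = NULL;` runs only inside the inner block, and the conditions guarding that block are outside the hunk, so it cannot be confirmed from here that every other path leaves the field already NULL. If the block is entered only when the context pointer is non-NULL, the move is behavior-neutral, and a one-line comment would make that explicit, for example `/* done with the node; do not leave a stale pointer in the mailbox */`. lpfc_sli_def_mbox_cmpl continues outside the hunk.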