Bug 2347908 (CVE-2022-49535)

Summary: CVE-2022-49535 kernel: scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel's SCSI lpfc driver, which manages Fibre Channel Host Bus Adapters (HBAs). The issue arises when the driver attempts to handle failed login operations (FLOGI and PLOGI). If a login attempt fails and there is pending device loss event (dev-loss-evt) work, the node structure may be prematurely released. Subsequent operations referencing this released node can lead to a NULL pointer dereference, resulting in a kernel crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-26 03:10:57 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI

If lpfc_issue_els_flogi() fails and returns non-zero status, the node
reference count is decremented to trigger the release of the nodelist
structure. However, if there is a prior registration or dev-loss-evt work
pending, the node may be released prematurely.  When dev-loss-evt
completes, the released node is referenced causing a use-after-free null
pointer dereference.

Similarly, when processing non-zero ELS PLOGI completion status in
lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport
registration before triggering node removal.  If dev-loss-evt work is
pending, the node may be released prematurely and a subsequent call to
lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.

Add test for pending dev-loss before decrementing the node reference count
for FLOGI, PLOGI, PRLI, and ADISC handling.
Comment 1 Avinash Hanwate 2025-02-26 13:38:13 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022613-CVE-2022-49535-0abf@gregkh/T
Comment 4 Avinash Hanwate 2025-02-26 17:44:56 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022613-CVE-2022-49535-0abf@gregkh/T