CVE-2022-48758

In the Linux kernel, the following vulnerability has been resolved:

scsi: bnx2fc: Flush destroywork queue before calling bnx2fcinterface_put()

The bnx2fcdestroy() functions are removing the interface before calling destroywork. This results multiple WARNings from sysfsremovegroup() as the controller rport device attributes are removed too early.

Replace the fcoeport's destroywork queue. It's not needed.

The problem is easily reproducible with the following steps.

Example:

$ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! [ 583.490468] ------------[ cut here ]------------ [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfsremovegroup+0x6f/0x80 [ 583.607130] Modules linked in: dmservicetime 8021q garp mrp stp llc bnx2fc cnic uio rpcsecgsskrb5 authrpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x8664 #1 [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 584.016535] Workqueue: fcwq2 fcrportfinaldelete [scsitransportfc] [ 584.050691] RIP: 0010:sysfsremovegroup+0x6f/0x80 [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Call Trace: [ 584.466108] devicedel+0xb2/0x3e0 [ 584.481701] deviceunregister+0x13/0x60 [ 584.501306] bsgunregisterqueue+0x5b/0x80 [ 584.522029] bsgremovequeue+0x1c/0x40 [ 584.541884] fcrportfinaldelete+0xf3/0x1d0 [scsitransportfc] [ 584.573823] processonework+0x1e3/0x3b0 [ 584.592396] workerthread+0x50/0x3b0 [ 584.609256] ? rescuerthread+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? setkthreadstruct+0x40/0x40 [ 584.662909] retfromfork+0x22/0x30 [ 584.680002] ---[ end trace 53575ecefa942ece ]---