CVE-2022-49701

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49701
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49701.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49701
Related
Published
2025-02-26T07:01:44Z
Modified
2025-02-26T07:01:44Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Allocate/free queue resource only during probe/remove

Currently, the sub-queues and event pool resources are allocated/freed for every CRQ connection event such as reset and LPM. This exposes the driver to a couple of issues. First, the inefficiency of freeing and reallocating memory that can simply be reused after being sanitized. Further, a system under memory pressure runs the risk of allocation failures that could result in a crippled driver. Finally, there is a race window where command submission/completion can try to pull/return elements from/to an event pool that is being deleted or already has been deleted due to the lack of host state around freeing/allocating resources. The following is an example of list corruption following a live partition migration (LPM):

Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: vfat fat isofs cdrom ext4 mbcache jbd2 nft_counter nft_compat nf_tables nfnetlink rpadlpar_io rpaphp xsk_diag nfsv3 nfs_acl nfs lockd grace fscache netfs rfkill bonding tls sunrpc pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc scsi_transport_fc ibmveth vmx_crypto dm_multipath dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
CPU: 0 PID: 2108 Comm: ibmvfc_0 Kdump: loaded Not tainted 5.14.0-70.9.1.el9_0.ppc64le #1
NIP:  c0000000007c4bb0 LR: c0000000007c4bac CTR: 00000000005b9a10
REGS: c00000025c10b760 TRAP: 0700   Not tainted  (5.14.0-70.9.1.el9_0.ppc64le)
MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 2800028f  XER: 0000000f
CFAR: c0000000001f55bc IRQMASK: 0
GPR00: c0000000007c4bac c00000025c10ba00 c000000002a47c00 000000000000004e
GPR04: c0000031e3006f88 c0000031e308bd00 c00000025c10b768 0000000000000027
GPR08: 0000000000000000 c0000031e3009dc0 00000031e0eb0000 0000000000000000
GPR12: c0000031e2ffffa8 c000000002dd0000 c000000000187108 c00000020fcee2c0
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 c008000002f81300
GPR24: 5deadbeef0000100 5deadbeef0000122 c000000263ba6910 c00000024cc88000
GPR28: 000000000000003c c0000002430a0000 c0000002430ac300 000000000000c300
NIP [c0000000007c4bb0] __list_del_entry_valid+0x90/0x100
LR [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100
Call Trace:
[c00000025c10ba00] [c0000000007c4bac] __list_del_entry_valid+0x8c/0x100 (unreliable)
[c00000025c10ba60] [c008000002f42284] ibmvfc_free_queue+0xec/0x210 [ibmvfc]
[c00000025c10bb10] [c008000002f4246c] ibmvfc_deregister_scsi_channel+0xc4/0x160 [ibmvfc]
[c00000025c10bba0] [c008000002f42580] ibmvfc_release_sub_crqs+0x78/0x130 [ibmvfc]
[c00000025c10bc20] [c008000002f4f6cc] ibmvfc_do_work+0x5c4/0xc70 [ibmvfc]
[c00000025c10bce0] [c008000002f4fdec] ibmvfc_work+0x74/0x1e8 [ibmvfc]
[c00000025c10bda0] [c0000000001872b8] kthread+0x1b8/0x1c0
[c00000025c10be10] [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
40820034 38600001 38210060 4e800020 7c0802a6 7c641b78 3c62fe7a 7d254b78
3863b590 f8010070 4ba309cd 60000000 <0fe00000> 7c0802a6 3c62fe7a 3863b640
---[ end trace 11a2b65a92f8b66c ]---
ibmvfc 30000003: Send warning. Receive queue closed, will retry.

Add registration/deregistration helpers that are called instead during connection resets to sanitize and reconfigure the queues.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}