CVE-2022-49082

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in scsihexpandernoderemove()

The function mpt3sastransportportremove() called in _scsihexpandernoderemove() frees the port field of the sasexpander structure, leading to the following use-after-free splat from KASAN when the iocinfo() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] <TASK> [ 3479.413875] dumpstacklvl+0x45/0x59 [ 3479.417582] printaddressdescription.constprop.0+0x1f/0x120 [ 3479.423389] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.429469] kasanreport.cold+0x83/0xdf [ 3479.433438] ? _scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.439514] scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.445411] ? rawspinunlockirqrestore+0x2d/0x40 [ 3479.452032] scsihremove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sasexpanderremove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? downwrite+0xde/0x150 [ 3479.470746] ? upwrite+0x14d/0x460 [ 3479.475840] ? kernfsfindns+0x137/0x310 [ 3479.481438] pcideviceremove+0x65/0x110 [ 3479.487013] _devicereleasedriver+0x316/0x680 [ 3479.493180] driverdetach+0x1ec/0x2d0 [ 3479.498499] busremovedriver+0xe7/0x2d0 [ 3479.504081] pciunregisterdriver+0x26/0x250 [ 3479.510033] _mpt3sasexit+0x2b/0x6cf [mpt3sas] [ 3479.516144] _x64sysdeletemodule+0x2fd/0x510 [ 3479.522315] ? freemodule+0xaa0/0xaa0 [ 3479.527593] ? _condresched+0x1c/0x90 [ 3479.532951] ? lockdephardirqsonprepare+0x273/0x3e0 [ 3479.539607] ? syscallenterfromusermode+0x21/0x70 [ 3479.546161] ? tracehardirqson+0x1c/0x110 [ 3479.551828] dosyscall64+0x35/0x80 [ 3479.556884] entrySYSCALL64afterhwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ==================================================================

Fix this by introducing the local variable portid to store the port ID value before executing mpt3sastransportportremove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.