DEBIAN-CVE-2022-49082

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use after free in scsihexpandernoderemove() The function mpt3sastransportportremove() called in scsihexpandernoderemove() frees the port field of the sasexpander structure, leading to the following use-after-free splat from KASAN when the iocinfo() call following that function is executed (e.g. when doing rmmod of the driver module): [ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] <TASK> [ 3479.413875] dumpstacklvl+0x45/0x59 [ 3479.417582] printaddressdescription.constprop.0+0x1f/0x120 [ 3479.423389] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.429469] kasanreport.cold+0x83/0xdf [ 3479.433438] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.439514] scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.445411] ? rawspinunlockirqrestore+0x2d/0x40 [ 3479.452032] scsihremove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sasexpanderremove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? downwrite+0xde/0x150 [ 3479.470746] ? upwrite+0x14d/0x460 [ 3479.475840] ? kernfsfindns+0x137/0x310 [ 3479.481438] pcidevice_remove+0x65/0x110 [ 3479.487013] __devicereleasedriver+0x316/0x680 [ 3479.493180] driverdetach+0x1ec/0x2d0 [ 3479.498499] busremovedriver+0xe7/0x2d0 [ 3479.504081] pciunregister_driver+0x26/0x250 [ 3479.510033] mpt3sasexit+0x2b/0x6cf [mpt3sas] [ 3479.516144] __x64sysdeletemodule+0x2fd/0x510 [ 3479.522315] ? freemodule+0xaa0/0xaa0 [ 3479.527593] ? _condresched+0x1c/0x90 [ 3479.532951] ? lockdephardirqsonprepare+0x273/0x3e0 [ 3479.539607] ? syscallenterfromusermode+0x21/0x70 [ 3479.546161] ? tracehardirqson+0x1c/0x110 [ 3479.551828] dosyscall64+0x35/0x80 [ 3479.556884] entrySYSCALL64afterhwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ================================================================== Fix this by introducing the local variable portid to store the port ID value before executing mpt3sastransportportremove(). This local variable is then used in the call to iocinfo() instead of dereferencing the freed port structure.