Merge: CVE-2025-39841: scsi: lpfc: Fix buffer free/clear order in deferred receive path

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7444

JIRA: https://issues.redhat.com/browse/RHEL-119116
CVE: CVE-2025-39841

```
commit 9dba9a4
Author: John Evans <evans1210144@gmail.com>
Date:   Thu Aug 28 12:40:08 2025 +0800

    scsi: lpfc: Fix buffer free/clear order in deferred receive path

    Fix a use-after-free window by correcting the buffer release sequence in
    the deferred receive path. The code freed the RQ buffer first and only
    then cleared the context pointer under the lock. Concurrent paths (e.g.,
    ABTS and the repost path) also inspect and release the same pointer under
    the lock, so the old order could lead to double-free/UAF.

    Note that the repost path already uses the correct pattern: detach the
    pointer under the lock, then free it after dropping the lock. The
    deferred path should do the same.

    Fixes: 472e146 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall")
    Cc: stable@vger.kernel.org
    Signed-off-by: John Evans <evans1210144@gmail.com>
    Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com
    Reviewed-by: Justin Tee <justin.tee@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-10-03 12:02 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small>

Approved-by: Ewan D. Milne <emilne@redhat.com>
Approved-by: Chris Leech <cleech@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Patrick Talbert <ptalbert@redhat.com>

Author: ptalbert

drivers/scsi/lpfc/lpfc_nvmet.c

@@ -1245,31 +1245,33 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_target_port *tgtport,
 	struct lpfc_nvmet_tgtport *tgtp;
 	struct lpfc_async_xchg_ctx *ctxp =
 		container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req);
-	struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer;
+	struct rqb_dmabuf *nvmebuf;
 	struct lpfc_hba *phba = ctxp->phba;
 	unsigned long iflag;
 
 
 	lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n",
 			 ctxp->oxid, ctxp->size, raw_smp_processor_id());
 
+	spin_lock_irqsave(&ctxp->ctxlock, iflag);
+	nvmebuf = ctxp->rqb_buffer;
 	if (!nvmebuf) {
+		spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
 		lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR,
 				"6425 Defer rcv: no buffer oxid x%x: "
 				"flg %x ste %x\n",
 				ctxp->oxid, ctxp->flag, ctxp->state);
 		return;
 	}
+	ctxp->rqb_buffer = NULL;
+	spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
 
 	tgtp = phba->targetport->private;
 	if (tgtp)
 		atomic_inc(&tgtp->rcv_fcp_cmd_defer);
 
 	/* Free the nvmebuf since a new buffer already replaced it */
 	nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf);
-	spin_lock_irqsave(&ctxp->ctxlock, iflag);
-	ctxp->rqb_buffer = NULL;
-	spin_unlock_irqrestore(&ctxp->ctxlock, iflag);
 }
 
 /**