提交 3b3c4d18 编写于 作者: Q Quinn Tran 提交者: Zheng Zengkai

scsi: qla2xxx: Fix use after free in eh_abort path

stable inclusion
from stable-5.10.80
commit c1d31266de3ddd5c5bc54f8e917c4f20453156ac
bugzilla: 185821 https://gitee.com/openeuler/kernel/issues/I4L7CG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c1d31266de3ddd5c5bc54f8e917c4f20453156ac

--------------------------------

commit 3d33b303 upstream.

In eh_abort path driver prematurely exits the call to upper layer. Check
whether command is aborted / completed by firmware before exiting the call.

9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778
  [exception RIP: qla2x00_status_entry+0x48d]
  RIP: ffffffffc04fa62d  RSP: ffff8b1ebf803cb0  RFLAGS: 00010082
  RAX: 00000000ffffffff  RBX: 00000000000e0000  RCX: 0000000000000000
  RDX: 0000000000000000  RSI: 00000000000013d8  RDI: fffff3253db78440
  RBP: ffff8b1ebf803dd0   R8: ffff8b1ebcd9b0c0   R9: 0000000000000000
  R10: ffff8b1e38a30808  R11: 0000000000001000  R12: 00000000000003e9
  R13: 0000000000000000  R14: ffff8b1ebcd9d740  R15: 0000000000000028
  ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f
11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88
12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6
[qla2xxx]
13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx]
14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714

Link: https://lore.kernel.org/r/20210908164622.19240-10-njavali@marvell.com
Fixes: f45bca8c ("scsi: qla2xxx: Fix double scsi_done for abort path")
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Co-developed-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: David Jeffery <djeffery@redhat.com>
Co-developed-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Acked-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
上级 4bb0bca2
...@@ -1254,6 +1254,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) ...@@ -1254,6 +1254,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
uint32_t ratov_j; uint32_t ratov_j;
struct qla_qpair *qpair; struct qla_qpair *qpair;
unsigned long flags; unsigned long flags;
int fast_fail_status = SUCCESS;
if (qla2x00_isp_reg_stat(ha)) { if (qla2x00_isp_reg_stat(ha)) {
ql_log(ql_log_info, vha, 0x8042, ql_log(ql_log_info, vha, 0x8042,
...@@ -1261,15 +1262,16 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) ...@@ -1261,15 +1262,16 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
return FAILED; return FAILED;
} }
/* Save any FAST_IO_FAIL value to return later if abort succeeds */
ret = fc_block_scsi_eh(cmd); ret = fc_block_scsi_eh(cmd);
if (ret != 0) if (ret != 0)
return ret; fast_fail_status = ret;
sp = scsi_cmd_priv(cmd); sp = scsi_cmd_priv(cmd);
qpair = sp->qpair; qpair = sp->qpair;
if ((sp->fcport && sp->fcport->deleted) || !qpair) if ((sp->fcport && sp->fcport->deleted) || !qpair)
return SUCCESS; return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
spin_lock_irqsave(qpair->qp_lock_ptr, flags); spin_lock_irqsave(qpair->qp_lock_ptr, flags);
sp->comp = &comp; sp->comp = &comp;
...@@ -1304,7 +1306,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd) ...@@ -1304,7 +1306,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
__func__, ha->r_a_tov/10); __func__, ha->r_a_tov/10);
ret = FAILED; ret = FAILED;
} else { } else {
ret = SUCCESS; ret = fast_fail_status;
} }
break; break;
default: default:
......
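Review bot: The early return in the `(sp->fcport && sp->fcport->deleted) || !qpair` branch still hands `FAST_IO_FAIL` back to the SCSI error handler before `qp_lock_ptr` is taken and without checking whether the command has completed, so the late-completion window this commit closes on the main path may remain on this one; whether a command can still be outstanding in firmware for a deleted port is not visible here. That line also deserves a why-comment, for example `/* nothing to abort on: report FAILED unless the rport is fast-failing, never SUCCESS */`. Separately, `if (ret != 0)` tests against a literal while `fast_fail_status` is initialised to and compared with `SUCCESS`, which is a non-zero SCSI EH code; a short comment that `fc_block_scsi_eh()` returns 0 or `FAST_IO_FAIL` would make the two conventions easier to audit. qla2xxx_eh_abort() begins and ends outside the shown hunks.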