[09/10] qla2xxx: Fix use after free in eh_abort path

Message ID	20210908072846.10011-10-njavali@marvell.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-scsi-owner@kernel.org> From: Nilesh Javali <njavali@marvell.com> To: <martin.petersen@oracle.com>, <linux-nvme@lists.infradead.org> CC: <linux-scsi@vger.kernel.org>, <GR-QLogic-Storage-Upstream@marvell.com>, <djeffery@redhat.com>, <loberman@redhat.com> Subject: [PATCH 09/10] qla2xxx: Fix use after free in eh_abort path Date: Wed, 8 Sep 2021 00:28:45 -0700 Message-ID: <20210908072846.10011-10-njavali@marvell.com> In-Reply-To: <20210908072846.10011-1-njavali@marvell.com> References: <20210908072846.10011-1-njavali@marvell.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk
Series	qla2xxx driver bug fixes \| expand [00/10] qla2xxx driver bug fixes [01/10] qla2xxx: Add support for mailbox passthru [02/10] qla2xxx: Display 16G only as supported speeds for 3830c card [03/10] qla2xxx: Check for firmware capability before creating QPair [04/10] qla2xxx: Fix crash in NVME abort path [05/10] qla2xxx: edif: Use link event to wake up app [06/10] qla2xxx: Fix kernel crash when accessing port_speed sysfs file [07/10] qla2xxx: Call process_response_queue() in Tx path [08/10] qla2xxx: Move heart beat handling from dpc thread to workqueue [09/10] qla2xxx: Fix use after free in eh_abort path [10/10] qla2xxx: Update version to 10.02.07.100-k

Message ID

20210908072846.10011-10-njavali@marvell.com (mailing list archive)

State

Superseded

Headers

From: Nilesh Javali <njavali@marvell.com>
To: <martin.petersen@oracle.com>, <linux-nvme@lists.infradead.org>
CC: <linux-scsi@vger.kernel.org>,
        <GR-QLogic-Storage-Upstream@marvell.com>, <djeffery@redhat.com>,
        <loberman@redhat.com>
Subject: [PATCH 09/10] qla2xxx: Fix use after free in eh_abort path
Date: Wed, 8 Sep 2021 00:28:45 -0700
Message-ID: <20210908072846.10011-10-njavali@marvell.com>
In-Reply-To: <20210908072846.10011-1-njavali@marvell.com>
References: <20210908072846.10011-1-njavali@marvell.com>
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk

Series

qla2xxx driver bug fixes | expand

Commit Message

Nilesh Javali Sept. 8, 2021, 7:28 a.m. UTC

From: Quinn Tran <qutran@marvell.com>

In eh_abort path, driver prematurely exit the call to upper layer.
This patch would check for command is aborted / completed by FW
before exiting the call.

9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778
  [exception RIP: qla2x00_status_entry+0x48d]
  RIP: ffffffffc04fa62d  RSP: ffff8b1ebf803cb0  RFLAGS: 00010082
  RAX: 00000000ffffffff  RBX: 00000000000e0000  RCX: 0000000000000000
  RDX: 0000000000000000  RSI: 00000000000013d8  RDI: fffff3253db78440
  RBP: ffff8b1ebf803dd0   R8: ffff8b1ebcd9b0c0   R9: 0000000000000000
  R10: ffff8b1e38a30808  R11: 0000000000001000  R12: 00000000000003e9
  R13: 0000000000000000  R14: ffff8b1ebcd9d740  R15: 0000000000000028
  ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f
11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88
12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6
[qla2xxx]
13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx]
14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714

Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")
Signed-off-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
---
 drivers/scsi/qla2xxx/qla_os.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Himanshu Madhani Sept. 8, 2021, 2:16 p.m. UTC | #1

> On Sep 8, 2021, at 2:28 AM, Nilesh Javali <njavali@marvell.com> wrote:
> 
> From: Quinn Tran <qutran@marvell.com>
> 
> In eh_abort path, driver prematurely exit the call to upper layer.
> This patch would check for command is aborted / completed by FW
> before exiting the call.
> 
> 9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778
>  [exception RIP: qla2x00_status_entry+0x48d]
>  RIP: ffffffffc04fa62d  RSP: ffff8b1ebf803cb0  RFLAGS: 00010082
>  RAX: 00000000ffffffff  RBX: 00000000000e0000  RCX: 0000000000000000
>  RDX: 0000000000000000  RSI: 00000000000013d8  RDI: fffff3253db78440
>  RBP: ffff8b1ebf803dd0   R8: ffff8b1ebcd9b0c0   R9: 0000000000000000
>  R10: ffff8b1e38a30808  R11: 0000000000001000  R12: 00000000000003e9
>  R13: 0000000000000000  R14: ffff8b1ebcd9d740  R15: 0000000000000028
>  ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
> 10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f
> 11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88
> 12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6
> [qla2xxx]
> 13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx]
> 14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714
> 
> Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")

Cc: stable@vger.kernel.org

> Signed-off-by: David Jeffery <djeffery@redhat.com>
> Signed-off-by: Laurence Oberman <loberman@redhat.com>
> Signed-off-by: Quinn Tran <qutran@marvell.com>
> Signed-off-by: Nilesh Javali <njavali@marvell.com>
> ---
> drivers/scsi/qla2xxx/qla_os.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
> index 0454f79a8047..0f3048723965 100644
> --- a/drivers/scsi/qla2xxx/qla_os.c
> +++ b/drivers/scsi/qla2xxx/qla_os.c
> @@ -1258,6 +1258,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> 	uint32_t ratov_j;
> 	struct qla_qpair *qpair;
> 	unsigned long flags;
> +	int fast_fail_status = SUCCESS;
> 
> 	if (qla2x00_isp_reg_stat(ha)) {
> 		ql_log(ql_log_info, vha, 0x8042,
> @@ -1266,9 +1267,10 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> 		return FAILED;
> 	}
> 
> +	/* Save any FAST_IO_FAIL value to return later if abort succeeds */
> 	ret = fc_block_scsi_eh(cmd);
> 	if (ret != 0)
> -		return ret;
> +		fast_fail_status = ret;
> 
> 	sp = scsi_cmd_priv(cmd);
> 	qpair = sp->qpair;
> @@ -1276,7 +1278,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> 	vha->cmd_timeout_cnt++;
> 
> 	if ((sp->fcport && sp->fcport->deleted) || !qpair)
> -		return SUCCESS;
> +		return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
> 
> 	spin_lock_irqsave(qpair->qp_lock_ptr, flags);
> 	sp->comp = &comp;
> @@ -1311,7 +1313,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> 			    __func__, ha->r_a_tov/10);
> 			ret = FAILED;
> 		} else {
> -			ret = SUCCESS;
> +			ret = fast_fail_status;
> 		}
> 		break;
> 	default:
> -- 
> 2.19.0.rc0
> 

Looks good.

Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>

--
Himanshu Madhani	 Oracle Linux Engineering

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 0454f79a8047..0f3048723965 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1258,6 +1258,7 @@  qla2xxx_eh_abort(struct scsi_cmnd *cmd)
 	uint32_t ratov_j;
 	struct qla_qpair *qpair;
 	unsigned long flags;
+	int fast_fail_status = SUCCESS;
 
 	if (qla2x00_isp_reg_stat(ha)) {
 		ql_log(ql_log_info, vha, 0x8042,
@@ -1266,9 +1267,10 @@  qla2xxx_eh_abort(struct scsi_cmnd *cmd)
 		return FAILED;
 	}
 
+	/* Save any FAST_IO_FAIL value to return later if abort succeeds */
 	ret = fc_block_scsi_eh(cmd);
 	if (ret != 0)
-		return ret;
+		fast_fail_status = ret;
 
 	sp = scsi_cmd_priv(cmd);
 	qpair = sp->qpair;
@@ -1276,7 +1278,7 @@  qla2xxx_eh_abort(struct scsi_cmnd *cmd)
 	vha->cmd_timeout_cnt++;
 
 	if ((sp->fcport && sp->fcport->deleted) || !qpair)
-		return SUCCESS;
+		return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
 
 	spin_lock_irqsave(qpair->qp_lock_ptr, flags);
 	sp->comp = &comp;
@@ -1311,7 +1313,7 @@  qla2xxx_eh_abort(struct scsi_cmnd *cmd)
 			    __func__, ha->r_a_tov/10);
 			ret = FAILED;
 		} else {
-			ret = SUCCESS;
+			ret = fast_fail_status;
 		}
 		break;
 	default:

[09/10] qla2xxx: Fix use after free in eh_abort path

Commit Message

Comments

Patch