[PATCH 09/10] qla2xxx: Fix use after free in eh_abort path
Himanshu Madhani
himanshu.madhani at oracle.com
Wed Sep 8 07:16:42 PDT 2021
> On Sep 8, 2021, at 2:28 AM, Nilesh Javali <njavali at marvell.com> wrote:
>
> From: Quinn Tran <qutran at marvell.com>
>
> In the eh_abort path, the driver prematurely exits the call to the upper layer.
> This patch would check whether the command is aborted / completed by FW
> before exiting the call.
>
> 9 [ffff8b1ebf803c00] page_fault at ffffffffb0389778
> [exception RIP: qla2x00_status_entry+0x48d]
> RIP: ffffffffc04fa62d RSP: ffff8b1ebf803cb0 RFLAGS: 00010082
> RAX: 00000000ffffffff RBX: 00000000000e0000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 00000000000013d8 RDI: fffff3253db78440
> RBP: ffff8b1ebf803dd0 R8: ffff8b1ebcd9b0c0 R9: 0000000000000000
> R10: ffff8b1e38a30808 R11: 0000000000001000 R12: 00000000000003e9
> R13: 0000000000000000 R14: ffff8b1ebcd9d740 R15: 0000000000000028
> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
> 10 [ffff8b1ebf803cb0] enqueue_entity at ffffffffafce708f
> 11 [ffff8b1ebf803d00] enqueue_task_fair at ffffffffafce7b88
> 12 [ffff8b1ebf803dd8] qla24xx_process_response_queue at ffffffffc04fc9a6
> [qla2xxx]
> 13 [ffff8b1ebf803e78] qla24xx_msix_rsp_q at ffffffffc04ff01b [qla2xxx]
> 14 [ffff8b1ebf803eb0] __handle_irq_event_percpu at ffffffffafd50714
>
> Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")
> Cc: stable at vger.kernel.org
> Signed-off-by: David Jeffery <djeffery at redhat.com>
> Signed-off-by: Laurence Oberman <loberman at redhat.com>
> Signed-off-by: Quinn Tran <qutran at marvell.com>
> Signed-off-by: Nilesh Javali <njavali at marvell.com>
> ---
> drivers/scsi/qla2xxx/qla_os.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
> index 0454f79a8047..0f3048723965 100644
> --- a/drivers/scsi/qla2xxx/qla_os.c
> +++ b/drivers/scsi/qla2xxx/qla_os.c
> @@ -1258,6 +1258,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> uint32_t ratov_j;
> struct qla_qpair *qpair;
> unsigned long flags;
> + int fast_fail_status = SUCCESS;
>
> if (qla2x00_isp_reg_stat(ha)) {
> ql_log(ql_log_info, vha, 0x8042,
> @@ -1266,9 +1267,10 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> return FAILED;
> }
>
> + /* Save any FAST_IO_FAIL value to return later if abort succeeds */
> ret = fc_block_scsi_eh(cmd);
> if (ret != 0)
> - return ret;
> + fast_fail_status = ret;
>
> sp = scsi_cmd_priv(cmd);
> qpair = sp->qpair;
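Review bot: the comment at `+ /* Save any FAST_IO_FAIL value to return later if abort succeeds */` says what is saved but not why the early `return ret` is dropped, which is the actual fix; suggest extending it to say that returning before the abort has been issued and waited on leaves the command outstanding in firmware, which can then complete it after the midlayer has reclaimed it (the use-after-free in the description), so the abort must proceed even when fc_block_scsi_eh reports the rport as fast-failed.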
> @@ -1276,7 +1278,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> vha->cmd_timeout_cnt++;
>
> if ((sp->fcport && sp->fcport->deleted) || !qpair)
> - return SUCCESS;
> + return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
>
> spin_lock_irqsave(qpair->qp_lock_ptr, flags);
> sp->comp = ∁
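Review bot: the change from `return SUCCESS;` to `return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;` on the deleted-fcport / missing-qpair path is a behaviour change the commit message does not call out; since nothing on this path confirms that firmware has finished with the command, FAILED is the safe answer (SUCCESS tells the midlayer the command can be freed), and a one-line comment here or a sentence in the description would make that intent explicit for future readers.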
> @@ -1311,7 +1313,7 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
> __func__, ha->r_a_tov/10);
> ret = FAILED;
> } else {
> - ret = SUCCESS;
> + ret = fast_fail_status;
> }
> break;
> default:
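Review bot: `ret = fast_fail_status;` is correct here (the abort completed, so the value saved from fc_block_scsi_eh, SUCCESS unless the rport was fast-failed, is what the midlayer should see), but the assignment is far from where `fast_fail_status` is set; a short comment such as `/* SUCCESS, or FAST_IO_FAIL if fc_block_scsi_eh reported it */` would keep the two sites readable together.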
> --
> 2.19.0.rc0
>
Looks good.
Reviewed-by: Himanshu Madhani <himanshu.madhani at oracle.com>
--
Himanshu Madhani Oracle Linux Engineering