qla2xxx: fix system crash due to bad pointer access

Message ID 20231030064912.37912-1-njavali@marvell.com
State New
Series qla2xxx: fix system crash due to bad pointer access

Commit Message

Nilesh Javali Oct. 30, 2023, 6:49 a.m. UTC
From: Quinn Tran <qutran@marvell.com>

Users experience a system crash when running AER error injection.
The perturbation causes the abort all IO path to trigger. The driver
assumes all IO in this path are FCP only. Instead, there
are both NVME & FCP IOs. Due to the false assumption, a system
crash is the result. Add an additional check to see if the IO is
FCP or not before access.

PID: 999019  TASK: ff35d769f24722c0  CPU: 53  COMMAND: "kworker/53:1"
 0 [ff3f78b964847b58] machine_kexec at ffffffffae86973d
 1 [ff3f78b964847ba8] __crash_kexec at ffffffffae9be29d
 2 [ff3f78b964847c70] crash_kexec at ffffffffae9bf528
 3 [ff3f78b964847c78] oops_end at ffffffffae8282ab
 4 [ff3f78b964847c98] exc_page_fault at ffffffffaf2da502
 5 [ff3f78b964847cc0] asm_exc_page_fault at ffffffffaf400b62
   [exception RIP: qla2x00_abort_srb+444]
   RIP: ffffffffc07b5f8c  RSP: ff3f78b964847d78  RFLAGS: 00010046
   RAX: 0000000000000282  RBX: ff35d74a0195a200  RCX: ff35d76886fd03a0
   RDX: 0000000000000001  RSI: ffffffffc07c5ec8  RDI: ff35d74a0195a200
   RBP: ff35d76913d22080   R8: ff35d7694d103200   R9: ff35d7694d103200
   R10: 0000000100000000  R11: ffffffffb05d6630  R12: 0000000000010000
   R13: ff3f78b964847df8  R14: ff35d768d8754000  R15: ff35d768877248e0
   ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 6 [ff3f78b964847d70] qla2x00_abort_srb at ffffffffc07b5f84 [qla2xxx]
 7 [ff3f78b964847de0] __qla2x00_abort_all_cmds at ffffffffc07b6238 [qla2xxx]
 8 [ff3f78b964847e38] qla2x00_abort_all_cmds at ffffffffc07ba635 [qla2xxx]
 9 [ff3f78b964847e58] qla2x00_terminate_rport_io at ffffffffc08145eb [qla2xxx]
10 [ff3f78b964847e70] fc_terminate_rport_io at ffffffffc045987e [scsi_transport_fc]
11 [ff3f78b964847e88] process_one_work at ffffffffae914f15
12 [ff3f78b964847ed0] worker_thread at ffffffffae9154c0
13 [ff3f78b964847f10] kthread at ffffffffae91c456
14 [ff3f78b964847f50] ret_from_fork at ffffffffae8036ef

Cc: stable@vger.kernel.org
Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
---
 drivers/scsi/qla2xxx/qla_os.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

Comments

Martin K. Petersen Nov. 9, 2023, 2:33 a.m. UTC | #1
Nilesh,

> Users experience a system crash when running AER error injection. The
> perturbation causes the abort all IO path to trigger. The driver assumes
> all IO in this path are FCP only. Instead, there are both NVME & FCP
> IOs. Due to the false assumption, a system crash is the result. Add an
> additional check to see if the IO is FCP or not before access.

Applied to 6.7/scsi-staging, thanks!

Martin K. Petersen Nov. 15, 2023, 3:13 p.m. UTC | #2
On Mon, 30 Oct 2023 12:19:12 +0530, Nilesh Javali wrote:

> Users experience a system crash when running AER error injection.
> The perturbation causes the abort all IO path to trigger. The driver
> assumes all IO in this path are FCP only. Instead, there
> are both NVME & FCP IOs. Due to the false assumption, a system
> crash is the result. Add an additional check to see if the IO is
> FCP or not before access.
> 
> [...]

Applied to 6.7/scsi-fixes, thanks!

[1/1] qla2xxx: fix system crash due to bad pointer access
      https://git.kernel.org/mkp/scsi/c/19597cad64d6

Patch

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 7e103d711825..d24410944f7d 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1837,8 +1837,16 @@  static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
 		}
 
 		spin_lock_irqsave(qp->qp_lock_ptr, *flags);
-		if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd)))
-			sp->done(sp, res);
+		switch (sp->type) {
+		case SRB_SCSI_CMD:
+			if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd)))
+				sp->done(sp, res);
+			break;
+		default:
+			if (ret_cmd)
+				sp->done(sp, res);
+			break;
+		}
 	} else {
 		sp->done(sp, res);
 	}
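
Review bot: the default: arm of the new switch (sp->type) has no comment explaining why it skips blk_mq_request_started(scsi_cmd_to_rq(cmd)), and it silently covers every srb type other than SRB_SCSI_CMD, while the commit message names only NVME and FCP IO. A one-line comment above the switch saying that cmd is only a SCSI command when sp->type is SRB_SCSI_CMD, so other types must never reach scsi_cmd_to_rq(cmd), would keep a later cleanup from folding the two arms back together and reintroducing the bad pointer access. Please also confirm that the code that sets ret_cmd earlier in this branch, which is outside the context shown here, does not dereference cmd for non-SCSI srbs, since this hunk guards only the one access after the lock is retaken. As a style point, with a single real case the switch could be written as if (sp->type == SRB_SCSI_CMD) ... else ..., which would also shorten the over-long condition line.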