From patchwork Mon Aug 31 16:18:51 2020
X-Patchwork-Submitter: Daniel Wagner
X-Patchwork-Id: 257813
From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Martin Wilck, Daniel Wagner
Subject: [PATCH v2 1/4] qla2xxx: Warn if done() or free() are called on an already freed srb
Date: Mon, 31 Aug 2020 18:18:51 +0200
Message-Id: <20200831161854.70879-2-dwagner@suse.de>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20200831161854.70879-1-dwagner@suse.de>
References: <20200831161854.70879-1-dwagner@suse.de>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-scsi@vger.kernel.org

Emit a warning when ->done or ->free are called on an already freed
srb. There is a hidden use-after-free bug in the driver which corrupts
the srb memory pool which originates from the cleanup callbacks. By
explicitly resetting the callbacks to NULL, we work around the memory
corruption. An extensive search didn't bring any light on the real
problem. The initial idea was to set both pointers to NULL and try to
catch invalid accesses. But instead the memory corruption was gone and
the driver didn't crash.

Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_init.c | 10 ++++++++++
 drivers/scsi/qla2xxx/qla_inline.h | 5 +++++
 2 files changed, 15 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index 57a2d76aa691..9e9360a4aeb5 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -63,6 +63,16 @@ void qla2x00_sp_free(srb_t *sp) qla2x00_rel_sp(sp); } +void qla2xxx_rel_done_warning(srb_t *sp, int res) +{ + WARN_ONCE(1, "Calling done() of an already freed srb object\n"); +} + +void qla2xxx_rel_free_warning(srb_t *sp) +{ + WARN_ONCE(1, "Calling free() of an already freed srb object\n"); +} + /* Asynchronous Login/Logout Routines -------------------------------------- */ unsigned long diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h index 861dc522723c..2aa6f81f87c4 100644 --- a/drivers/scsi/qla2xxx/qla_inline.h
+++ b/drivers/scsi/qla2xxx/qla_inline.h @@ -207,10 +207,15 @@ qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair, return sp; } +void qla2xxx_rel_done_warning(srb_t *sp, int res); +void qla2xxx_rel_free_warning(srb_t *sp); + static inline void qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp) { sp->qpair = NULL; + sp->done = qla2xxx_rel_done_warning; + sp->free = qla2xxx_rel_free_warning; mempool_free(sp, qpair->srb_mempool); QLA_QPAIR_MARK_NOT_BUSY(qpair); }

From patchwork Mon Aug 31 16:18:52 2020
X-Patchwork-Submitter: Daniel Wagner
X-Patchwork-Id: 296937
From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Martin Wilck, Daniel Wagner
Subject: [PATCH v2 2/4] qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle()
Date: Mon, 31 Aug 2020 18:18:52 +0200
Message-Id: <20200831161854.70879-3-dwagner@suse.de>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20200831161854.70879-1-dwagner@suse.de>
References: <20200831161854.70879-1-dwagner@suse.de>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-scsi@vger.kernel.org

Refactor qla2x00_get_sp_from_handle() to avoid the unnecessary goto if
early returns are used. With this we can also avoid preinitializing
the sp pointer.

Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_isr.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index 27bcd346af7c..5d278155e4e7 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c @@ -1716,7 +1716,7 @@ qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, { struct qla_hw_data *ha = vha->hw; sts_entry_t *pkt = iocb; - srb_t *sp = NULL; + srb_t *sp; uint16_t index; index = LSW(pkt->handle); @@ -1728,13 +1728,13 @@ qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, set_bit(FCOE_CTX_RESET_NEEDED, &vha->dpc_flags); else set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); - goto done; + return NULL; } sp = req->outstanding_cmds[index]; if (!sp) { ql_log(ql_log_warn, vha, 0x5032, "Invalid completion handle (%x) -- timed-out.\n", index); - return sp; + return NULL; } if (sp->handle != index) { ql_log(ql_log_warn, vha, 0x5033,
@@ -1743,8 +1743,6 @@ qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, } req->outstanding_cmds[index] = NULL; - -done: return sp; }

From patchwork Mon Aug 31 16:18:53 2020
X-Patchwork-Submitter: Daniel Wagner
X-Patchwork-Id: 257811
From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Martin Wilck, Daniel Wagner
Subject: [PATCH v2 3/4] qla2xxx: Drop unused function argument from qla2x00_get_sp_from_handle()
Date: Mon, 31 Aug 2020 18:18:53 +0200
Message-Id: <20200831161854.70879-4-dwagner@suse.de>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20200831161854.70879-1-dwagner@suse.de>
References: <20200831161854.70879-1-dwagner@suse.de>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-scsi@vger.kernel.org

Commit 7c3df1320e5e ("[SCSI] qla2xxx: Code changes to support new
dynamic logging infrastructure.") removed the use of the func
argument.

Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_gbl.h | 3 +--
 drivers/scsi/qla2xxx/qla_isr.c | 36 ++++++++++++------------------------
 drivers/scsi/qla2xxx/qla_mr.c | 9 +++------
 3 files changed, 16 insertions(+), 32 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h index 0ced18f3104e..bbe3dca6d0ab 100644 --- a/drivers/scsi/qla2xxx/qla_gbl.h +++ b/drivers/scsi/qla2xxx/qla_gbl.h @@ -561,8 +561,7 @@ extern void qla2x00_free_irqs(scsi_qla_host_t *); extern int qla2x00_get_data_rate(scsi_qla_host_t *); extern const char *qla2x00_get_link_speed_str(struct qla_hw_data *, uint16_t); extern srb_t * -qla2x00_get_sp_from_handle(scsi_qla_host_t *, const char *, struct req_que *, - void *); +qla2x00_get_sp_from_handle(scsi_qla_host_t *, struct req_que *, void *); extern void qla2x00_process_completed_request(struct scsi_qla_host *, struct req_que *, uint32_t); diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index 5d278155e4e7..b787643f5031 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1711,8 +1711,7 @@ qla2x00_process_completed_request(struct scsi_qla_host *vha, } srb_t * -qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, const char *func, - struct req_que *req, void *iocb) +qla2x00_get_sp_from_handle(scsi_qla_host_t *vha, struct req_que *req, void *iocb) { struct qla_hw_data *ha = vha->hw; sts_entry_t *pkt = iocb; @@ -1750,7 +1749,6 @@ static void qla2x00_mbx_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, struct mbx_entry *mbx) { - const char func[] = "MBX-IOCB"; const char *type; fc_port_t *fcport; srb_t *sp; @@ -1758,7 +1756,7 @@ qla2x00_mbx_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, uint16_t *data; uint16_t status; - sp = qla2x00_get_sp_from_handle(vha, func, req, mbx); + sp = qla2x00_get_sp_from_handle(vha, req, mbx); if (!sp) return; @@ -1836,13 +1834,12 @@ static void qla24xx_mbx_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, struct mbx_24xx_entry *pkt) { - const char func[] = "MBX-IOCB2"; srb_t *sp; struct srb_iocb *si; u16 sz, i; int res; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; @@ -1861,11 +1858,10 @@ static void qla24xxx_nack_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, struct nack_to_isp *pkt) { - const char func[] = "nack"; srb_t *sp; int res = 0; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; @@ -1879,7 +1875,6 @@ static void qla2x00_ct_entry(scsi_qla_host_t *vha, struct req_que *req, sts_entry_t *pkt, int iocb_type) { - const char func[] = "CT_IOCB"; const char *type; srb_t *sp; struct bsg_job *bsg_job; @@ -1887,7 +1882,7 @@ qla2x00_ct_entry(scsi_qla_host_t *vha, struct req_que *req, uint16_t comp_status; int res = 0; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; 
@@ -1952,7 +1947,6 @@ qla24xx_els_ct_entry(scsi_qla_host_t *vha, struct req_que *req, struct sts_entry_24xx *pkt, int iocb_type) { struct els_sts_entry_24xx *ese = (struct els_sts_entry_24xx *)pkt; - const char func[] = "ELS_CT_IOCB"; const char *type; srb_t *sp; struct bsg_job *bsg_job; @@ -1962,7 +1956,7 @@ qla24xx_els_ct_entry(scsi_qla_host_t *vha, struct req_que *req, int res; struct srb_iocb *els; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; @@ -2077,7 +2071,6 @@ static void qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que *req, struct logio_entry_24xx *logio) { - const char func[] = "LOGIO-IOCB"; const char *type; fc_port_t *fcport; srb_t *sp; @@ -2085,7 +2078,7 @@ qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que *req, uint16_t *data; uint32_t iop[2]; - sp = qla2x00_get_sp_from_handle(vha, func, req, logio); + sp = qla2x00_get_sp_from_handle(vha, req, logio); if (!sp) return; @@ -2206,14 +2199,13 @@ qla24xx_logio_entry(scsi_qla_host_t *vha, struct req_que *req, static void qla24xx_tm_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, void *tsk) { - const char func[] = "TMF-IOCB"; const char *type; fc_port_t *fcport; srb_t *sp; struct srb_iocb *iocb; struct sts_entry_24xx *sts = (struct sts_entry_24xx *)tsk; - sp = qla2x00_get_sp_from_handle(vha, func, req, tsk); + sp = qla2x00_get_sp_from_handle(vha, req, tsk); if (!sp) return; @@ -2385,11 +2377,10 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, static void qla_ctrlvp_completed(scsi_qla_host_t *vha, struct req_que *req, struct vp_ctrl_entry_24xx *vce) { - const char func[] = "CTRLVP-IOCB"; srb_t *sp; int rval = QLA_SUCCESS; - sp = qla2x00_get_sp_from_handle(vha, func, req, vce); + sp = qla2x00_get_sp_from_handle(vha, req, vce); if (!sp) return; 
@@ -3287,7 +3278,6 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) { srb_t *sp; struct qla_hw_data *ha = vha->hw; - const char func[] = "ERROR-IOCB"; uint16_t que = MSW(pkt->handle); struct req_que *req = NULL; int res = DID_ERROR << 16; @@ -3317,7 +3307,7 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) case ABORT_IOCB_TYPE: case MBX_IOCB_TYPE: default: - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (sp) { sp->done(sp, res); return 0; @@ -3376,11 +3366,10 @@ static void qla24xx_abort_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, struct abort_entry_24xx *pkt) { - const char func[] = "ABT_IOCB"; srb_t *sp; struct srb_iocb *abt; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; @@ -3393,10 +3382,9 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha, struct pt_ls4_request *pkt, struct req_que *req) { srb_t *sp; - const char func[] = "LS4_IOCB"; uint16_t comp_status; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c index a8fe4f725fa0..ba41c78d063c 100644 --- a/drivers/scsi/qla2xxx/qla_mr.c +++ b/drivers/scsi/qla2xxx/qla_mr.c @@ -2187,11 +2187,10 @@ static void qlafx00_abort_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, struct abort_iocb_entry_fx00 *pkt) { - const char func[] = "ABT_IOCB"; srb_t *sp; struct srb_iocb *abt; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; @@ -2204,7 +2203,6 @@ static void qlafx00_ioctl_iosb_entry(scsi_qla_host_t *vha, struct req_que *req, struct ioctl_iocb_entry_fx00 *pkt) { - const char func[] = "IOSB_IOCB"; srb_t *sp; struct bsg_job *bsg_job; struct fc_bsg_reply *bsg_reply; 
@@ -2213,7 +2211,7 @@ qlafx00_ioctl_iosb_entry(scsi_qla_host_t *vha, struct req_que *req, struct qla_mt_iocb_rsp_fx00 fstatus; uint8_t *fw_sts_ptr; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (!sp) return; 
@@ -2687,14 +2685,13 @@ qlafx00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, { srb_t *sp; struct qla_hw_data *ha = vha->hw; - const char func[] = "ERROR-IOCB"; uint16_t que = 0; struct req_que *req = NULL; int res = DID_ERROR << 16; req = ha->req_q_map[que]; - sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); + sp = qla2x00_get_sp_from_handle(vha, req, pkt); if (sp) { sp->done(sp, res); return;

From patchwork Mon Aug 31 16:18:54 2020
X-Patchwork-Submitter: Daniel Wagner
X-Patchwork-Id: 296936
From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Martin Wilck, Daniel Wagner
Subject: [PATCH v2 4/4] qla2xxx: Handle incorrect entry_type entries
Date: Mon, 31 Aug 2020 18:18:54 +0200
Message-Id: <20200831161854.70879-5-dwagner@suse.de>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20200831161854.70879-1-dwagner@suse.de>
References: <20200831161854.70879-1-dwagner@suse.de>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-scsi@vger.kernel.org

It was observed on an ISP8324 16Gb HBA with fw=8.08.203 (d0d5) that
pkt->entry_type was MBX_IOCB_TYPE/0x39 with an sp->type SRB_SCSI_CMD
which is invalid and should not be possible. A careful code review of
the crash dump didn't reveal any shortcomings. Reading the entry_type
from the crash dump shows the expected value of STATUS_TYPE/0x03 but
the call trace shows that qla24xx_mbx_iocb_entry() is used. One
possible explanation is when pkt->entry_type is read it doesn't
contain the correct information. That means the driver observes a
data race by the firmware.

Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_isr.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index b787643f5031..22aa4c0b901d 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -3392,6 +3392,33 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha, sp->done(sp, comp_status); } +static void qla24xx_process_mbx_iocb_response(struct scsi_qla_host *vha, + struct rsp_que *rsp, struct sts_entry_24xx *pkt) +{ + srb_t *sp; + + sp = qla2x00_get_sp_from_handle(vha, rsp->req, pkt); + if (!sp) + return; + + if (sp->type == SRB_SCSI_CMD || + sp->type == SRB_NVME_CMD || + sp->type == SRB_TM_CMD) { + /* Some firmware version don't update the entry_type + * correctly. It was observed entry_type contained + * MBCX_IOCB_TYPE instead of the expected STATUS_TYPE + * for sp->type SRB_SCSI_CMD, SRB_NVME_CMD or + * SRB_TM_CMD. + */ + ql_log(ql_log_warn, vha, 0x509d, + "Firmware didn't update entry_type correctly\n"); + qla2x00_status_entry(vha, rsp, pkt); + return; + } + + qla24xx_mbx_iocb_entry(vha, rsp->req, (struct mbx_24xx_entry *)pkt); +} + /** * qla24xx_process_response_queue() - Process response queue entries. * @vha: SCSI driver HA context @@ -3499,8 +3526,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, (struct abort_entry_24xx *)pkt); break; case MBX_IOCB_TYPE: - qla24xx_mbx_iocb_entry(vha, rsp->req, - (struct mbx_24xx_entry *)pkt); + qla24xx_process_mbx_iocb_response(vha, rsp, pkt); break; case VP_CTRL_IOCB_TYPE: qla_ctrlvp_completed(vha, rsp->req,
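
Review bot: [PATCH v2 1/4], qla_init.c hunk at -63,6: both new handlers use WARN_ONCE(1, ...) with a fixed string, so only the first stale call after boot is reported and the report never says which srb was involved. The commit message says the real cause has not been found, so later hits are exactly the data still needed; a rate-limited warning that also prints the sp pointer would keep reporting after the first one. The res argument of qla2xxx_rel_done_warning() is dropped silently and could be included in the message as well.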
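
Review bot: [PATCH v2 1/4], qla_inline.h hunk at -207,10: the stores to sp->done and sp->free sit directly before mempool_free(sp, qpair->srb_mempool), so they hold only while that element stays unallocated; once the pool hands the same srb out again, a stale caller reaches the new owner's callbacks and no warning fires. Please add a comment above the two assignments saying they are a debugging aid and a workaround for a use-after-free that has not been located, otherwise they look like dead stores and invite removal. The commit message also says the callbacks are reset to NULL while the code installs the warning handlers; one of the two should be corrected. The two prototypes would fit better in qla_gbl.h, which patch 3/4 shows holding the driver's other extern declarations.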
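
Review bot: [PATCH v2 2/4], qla_isr.c hunks at -1728,13 and -1743,8: with the "= NULL" initialiser and the done: label both gone, the closing "return sp;" is only correct if every failure branch returns on its own. The "if (sp->handle != index)" branch is cut off between these two hunks, so its exit is not visible here; please confirm it returns NULL before "req->outstanding_cmds[index] = NULL;" is reached, as the two branches shown in the diff do.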
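
Review bot: [PATCH v2 4/4], qla_isr.c hunk at -3392,6: qla24xx_process_mbx_iocb_response() resolves the handle with qla2x00_get_sp_from_handle() and then passes pkt on to qla24xx_mbx_iocb_entry(), which patch 3/4 shows doing the same lookup again and returning when it gets NULL. Patch 2/4 shows the lookup ending with "req->outstanding_cmds[index] = NULL;", so the second call finds an empty slot, logs "Invalid completion handle (%x) -- timed-out." and the completion is dropped, on the regular mailbox path as well as the misrouted one. Please check whether qla2x00_status_entry() resolves the handle through outstanding_cmds too, and either inspect sp->type without clearing the slot or put sp back into rsp->req->outstanding_cmds before dispatching. Smaller points in the same hunk: the comment says MBCX_IOCB_TYPE where the case label is MBX_IOCB_TYPE, "Some firmware version don't" should read "Some firmware versions don't", and the ql_log() at warn level fires for every affected entry, so logging it once would avoid flooding the log on affected firmware.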