Received: by 10.213.65.68 with SMTP id h4csp1732405imn; Mon, 19 Mar 2018 11:44:01 -0700 (PDT) X-Google-Smtp-Source: AG47ELuHIofjXtCwcjGPqMUPlrGAIsMOK/+xr414qG6iOAGVp+gIdAAHLmYX59o5p7XSjnNIlT8f X-Received: by 2002:a17:902:167:: with SMTP id 94-v6mr13607895plb.294.1521485041150; Mon, 19 Mar 2018 11:44:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521485041; cv=none; d=google.com; s=arc-20160816; b=bM3aR9X6PiMBPIrAiBsXbDfCNDrm/Q3/WsUoJic31rIoM6SBDnVvQL9KQ01fpzznWY cQ13L6gqR9gK5Jb9CJaj7Mudq7+YT5w0whCcACrWPY6FDwWtjbdxp8KSD1VLZQit0WOA ZZ05DVuHu28A2MSpDQqdb/hCm/NefbU1bz7U1/uZdtKyqvjUyvZ5azj35cMrrwF8dKTF kMZ4xm0ZhYVK92nWjmk4Sfh4l42iHRe6rzNPe3xAaY6tWW3omU1JdON0IWqCTIinef1U W0yopzmaoGg2B88MqG5Ra1PGIhbfEJdtYmPHMBaRGR09YTqsOtFSNKa2TbBzlOcHusDo QTaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=9bGtU55IyayehqUU96e3L1wB7sncz5I8KwwWPqiQrOw=; b=RlwGudqvLnk8xSKT9amQ+tRohWTrzOdAXKNFbK/MEMnfrdKhnaIHrOR4h8fLXeG2aL DL8XYaiOUHYjWgmPPCx6vQ4GRL95Mjb3oJcLlggZ1xz/QIXIRgQsoN7l8qyi/pQskWOy s6Uw2AzKIJYBf21Z7dM3FSPIUSCVB/OuBqWOdr8q6EmX2iKbCa8DNAhZJltc0q1IgmH5 yZ4OeF2mo39ppGs+cXsrRJUpUrXCtwtqbs5UoTS/Tb55JrYZDYgxd1Qgh1Ed+xsaZzde 05cpwkTK10Y4Zkd13lAKWWQgmg73GLW2PjEhUIn2GD/D8hToaQQisX4r1HDrOxcCXKL4 +Dpw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d3si383678pfh.77.2018.03.19.11.43.46; Mon, 19 Mar 2018 11:44:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S970322AbeCSScj (ORCPT + 99 others); Mon, 19 Mar 2018 14:32:39 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:54012 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934606AbeCSScf (ORCPT ); Mon, 19 Mar 2018 14:32:35 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id BFEE81291; Mon, 19 Mar 2018 18:32:34 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bill Kuzeja , Himanshu Madhani , Hannes Reinecke , "Martin K. Petersen" Subject: [PATCH 4.15 41/52] scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure Date: Mon, 19 Mar 2018 19:08:39 +0100 Message-Id: <20180319180737.287104302@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180319180734.976730813@linuxfoundation.org> References: <20180319180734.976730813@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bill Kuzeja commit 6a2cf8d3663e13e19af636c2a8d92e766261dc45 upstream. Because of the shifting around of code in qla2x00_probe_one recently, failures during adapter initialization can lead to problems, i.e. NULL pointer crashes and doubly freed data structures which cause eventual panics. This V2 version makes the relevant memory free routines idempotent, so repeat calls won't cause any harm. I also removed the problematic probe_init_failed exit point as it is not needed. Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure") Signed-off-by: Bill Kuzeja Acked-by: Himanshu Madhani Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/qla2xxx/qla_os.c | 59 ++++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 22 deletions(-) --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c @@ -449,7 +449,7 @@ static int qla2x00_alloc_queues(struct q ha->req_q_map[0] = req; set_bit(0, ha->rsp_qid_map); set_bit(0, ha->req_qid_map); - return 1; + return 0; fail_qpair_map: kfree(ha->base_qpair); @@ -466,6 +466,9 @@ fail_req_map: static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) { + if (!ha->req_q_map) + return; + if (IS_QLAFX00(ha)) { if (req && req->ring_fx00) dma_free_coherent(&ha->pdev->dev, @@ -476,14 +479,17 @@ static void qla2x00_free_req_que(struct (req->length + 1) * sizeof(request_t), req->ring, req->dma); - if (req) + if (req) { kfree(req->outstanding_cmds); - - kfree(req); + kfree(req); + } } static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) { + if (!ha->rsp_q_map) + return; + if (IS_QLAFX00(ha)) { if (rsp && rsp->ring) dma_free_coherent(&ha->pdev->dev, @@ -494,7 +500,8 @@ static void qla2x00_free_rsp_que(struct (rsp->length + 1) * sizeof(response_t), rsp->ring, rsp->dma); } - kfree(rsp); + if (rsp) + kfree(rsp); } static void qla2x00_free_queues(struct qla_hw_data *ha) @@ -1717,6 +1724,8 @@ qla2x00_abort_all_cmds(scsi_qla_host_t * struct qla_tgt_cmd *cmd; uint8_t trace = 0; + if (!ha->req_q_map) + return; spin_lock_irqsave(&ha->hardware_lock, flags); for (que = 0; que < ha->max_req_queues; que++) { req = ha->req_q_map[que]; @@ -3071,14 +3080,14 @@ qla2x00_probe_one(struct pci_dev *pdev, /* Set up the irqs */ ret = qla2x00_request_irqs(ha, rsp); if (ret) - goto probe_hw_failed; + goto probe_failed; /* Alloc arrays of request and response ring ptrs */ - if (!qla2x00_alloc_queues(ha, req, rsp)) { + if (qla2x00_alloc_queues(ha, req, rsp)) { ql_log(ql_log_fatal, base_vha, 0x003d, "Failed to allocate memory for queue pointers..." "aborting.\n"); - goto probe_init_failed; + goto probe_failed; } if (ha->mqenable && shost_use_blk_mq(host)) { @@ -3363,15 +3372,6 @@ skip_dpc: return 0; -probe_init_failed: - qla2x00_free_req_que(ha, req); - ha->req_q_map[0] = NULL; - clear_bit(0, ha->req_qid_map); - qla2x00_free_rsp_que(ha, rsp); - ha->rsp_q_map[0] = NULL; - clear_bit(0, ha->rsp_qid_map); - ha->max_req_queues = ha->max_rsp_queues = 0; - probe_failed: if (base_vha->timer_active) qla2x00_stop_timer(base_vha); @@ -4451,11 +4451,17 @@ qla2x00_mem_free(struct qla_hw_data *ha) if (ha->init_cb) dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, ha->init_cb, ha->init_cb_dma); - vfree(ha->optrom_buffer); - kfree(ha->nvram); - kfree(ha->npiv_info); - kfree(ha->swl); - kfree(ha->loop_id_map); + + if (ha->optrom_buffer) + vfree(ha->optrom_buffer); + if (ha->nvram) + kfree(ha->nvram); + if (ha->npiv_info) + kfree(ha->npiv_info); + if (ha->swl) + kfree(ha->swl); + if (ha->loop_id_map) + kfree(ha->loop_id_map); ha->srb_mempool = NULL; ha->ctx_mempool = NULL; @@ -4471,6 +4477,15 @@ qla2x00_mem_free(struct qla_hw_data *ha) ha->ex_init_cb_dma = 0; ha->async_pd = NULL; ha->async_pd_dma = 0; + ha->loop_id_map = NULL; + ha->npiv_info = NULL; + ha->optrom_buffer = NULL; + ha->swl = NULL; + ha->nvram = NULL; + ha->mctp_dump = NULL; + ha->dcbx_tlv = NULL; + ha->xgmac_data = NULL; + ha->sfp_data = NULL; ha->s_dma_pool = NULL; ha->dl_dma_pool = NULL;