From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bill Kuzeja, Himanshu Madhani, Hannes Reinecke, "Martin K. Petersen"
Subject: [PATCH 4.14 39/41] scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
Date: Mon, 19 Mar 2018 19:08:39 +0100
Message-Id: <20180319180734.739409337@linuxfoundation.org>
In-Reply-To: <20180319180732.195217948@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bill Kuzeja

commit 6a2cf8d3663e13e19af636c2a8d92e766261dc45 upstream.

Because of the shifting around of code in qla2x00_probe_one recently, failures during adapter initialization can lead to problems, i.e. NULL pointer crashes and doubly freed data structures which cause eventual panics.

This V2 version makes the relevant memory free routines idempotent, so repeat calls won't cause any harm. I also removed the problematic probe_init_failed exit point as it is not needed.

Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure")
Signed-off-by: Bill Kuzeja
Acked-by: Himanshu Madhani
Reviewed-by: Hannes Reinecke
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
---
 drivers/scsi/qla2xxx/qla_os.c | 59 ++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 22 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c @@ -442,7 +442,7 @@ static int qla2x00_alloc_queues(struct q ha->req_q_map[0] = req; set_bit(0, ha->rsp_qid_map); set_bit(0, ha->req_qid_map); - return 1; + return 0; fail_qpair_map: kfree(ha->base_qpair); @@ -459,6 +459,9 @@ fail_req_map: static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) { + if (!ha->req_q_map) + return; + if (IS_QLAFX00(ha)) { if (req && req->ring_fx00) dma_free_coherent(&ha->pdev->dev, @@ -469,14 +472,17 @@ static void qla2x00_free_req_que(struct (req->length + 1) * sizeof(request_t), req->ring, req->dma); - if (req) + if (req) { kfree(req->outstanding_cmds); - - kfree(req); + kfree(req); + } } static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) { + if (!ha->rsp_q_map) + return; + if (IS_QLAFX00(ha)) { if (rsp && rsp->ring) dma_free_coherent(&ha->pdev->dev, @@ -487,7 +493,8 @@ static void qla2x00_free_rsp_que(struct (rsp->length + 1) * sizeof(response_t), rsp->ring, rsp->dma); } - kfree(rsp); + if (rsp) + kfree(rsp); } static void qla2x00_free_queues(struct qla_hw_data *ha) 
@@ -1710,6 +1717,8 @@ qla2x00_abort_all_cmds(scsi_qla_host_t * struct qla_tgt_cmd *cmd; uint8_t trace = 0; + if (!ha->req_q_map) + return; spin_lock_irqsave(&ha->hardware_lock, flags); for (que = 0; que < ha->max_req_queues; que++) { req = ha->req_q_map[que]; @@ -3063,14 +3072,14 @@ qla2x00_probe_one(struct pci_dev *pdev, /* Set up the irqs */ ret = qla2x00_request_irqs(ha, rsp); if (ret) - goto probe_hw_failed; + goto probe_failed; /* Alloc arrays of request and response ring ptrs */ - if (!qla2x00_alloc_queues(ha, req, rsp)) { + if (qla2x00_alloc_queues(ha, req, rsp)) { ql_log(ql_log_fatal, base_vha, 0x003d, "Failed to allocate memory for queue pointers..." "aborting.\n"); - goto probe_init_failed; + goto probe_failed; } if (ha->mqenable && shost_use_blk_mq(host)) { @@ -3347,15 +3356,6 @@ skip_dpc: return 0; -probe_init_failed: - qla2x00_free_req_que(ha, req); - ha->req_q_map[0] = NULL; - clear_bit(0, ha->req_qid_map); - qla2x00_free_rsp_que(ha, rsp); - ha->rsp_q_map[0] = NULL; - clear_bit(0, ha->rsp_qid_map); - ha->max_req_queues = ha->max_rsp_queues = 0; - probe_failed: if (base_vha->timer_active) qla2x00_stop_timer(base_vha); @@ -4435,11 +4435,17 @@ qla2x00_mem_free(struct qla_hw_data *ha) if (ha->init_cb) dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, ha->init_cb, ha->init_cb_dma); - vfree(ha->optrom_buffer); - kfree(ha->nvram); - kfree(ha->npiv_info); - kfree(ha->swl); - kfree(ha->loop_id_map); + + if (ha->optrom_buffer) + vfree(ha->optrom_buffer); + if (ha->nvram) + kfree(ha->nvram); + if (ha->npiv_info) + kfree(ha->npiv_info); + if (ha->swl) + kfree(ha->swl); + if (ha->loop_id_map) + kfree(ha->loop_id_map); ha->srb_mempool = NULL; ha->ctx_mempool = NULL; 
@@ -4455,6 +4461,15 @@ qla2x00_mem_free(struct qla_hw_data *ha) ha->ex_init_cb_dma = 0; ha->async_pd = NULL; ha->async_pd_dma = 0; + ha->loop_id_map = NULL; + ha->npiv_info = NULL; + ha->optrom_buffer = NULL; + ha->swl = NULL; + ha->nvram = NULL; + ha->mctp_dump = NULL; + ha->dcbx_tlv = NULL; + ha->xgmac_data = NULL; + ha->sfp_data = NULL; ha->s_dma_pool = NULL; ha->dl_dma_pool = NULL;
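
Review bot: In the @@ -442 hunk of qla2x00_alloc_queues, the success return flips from 1 to 0, but the fail_qpair_map and fail_req_map exits lie outside the visible context, so it is not evident that they now return non-zero. The caller in qla2x00_probe_one treats any non-zero value as failure after this patch, so each failure label should return a negative errno such as -ENOMEM, and a one-line comment stating "returns 0 on success" above the function would keep the convention from being inverted again.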
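
Review bot: The early return on !ha->req_q_map at the top of qla2x00_free_req_que (@@ -459 hunk) keys off the queue-pointer array rather than the req being freed, so a call with a valid req while the array is still NULL skips both the dma_free_coherent and the kfree and leaks the ring and the structure. Testing req itself (if (!req) return;) would cover the NULL case without tying the free to a separate allocation. The rsp_q_map guard added to qla2x00_free_rsp_que has the same shape.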
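
Review bot: In the @@ -3063 hunk of qla2x00_probe_one, the result of qla2x00_alloc_queues is tested but not stored, and ret is zero at that point because the qla2x00_request_irqs check just above has passed. If the probe_failed exit returns ret, an allocation failure here would be reported as a successful probe; storing the result first (ret = qla2x00_alloc_queues(ha, req, rsp); if (ret) { ... }) closes that. The request_irqs failure also moves from probe_hw_failed to probe_failed, which the commit message does not explain and which deserves a sentence.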
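
Review bot: The block removed in the @@ -3347 hunk was the only place in the visible lines that set ha->req_q_map[0] and ha->rsp_q_map[0] to NULL and cleared bit 0 of req_qid_map and rsp_qid_map after freeing the queues. qla2x00_free_req_que and qla2x00_free_rsp_que free the structure but cannot clear those slots themselves, so please confirm that whatever probe_failed calls next either clears them or never dereferences slot 0 after the free; otherwise the idempotence claimed in the commit message does not hold for the queue pointers.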
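
Review bot: The if (ptr) checks wrapped around vfree() and kfree() in the @@ -4435 hunk of qla2x00_mem_free are redundant, since both functions accept NULL and return immediately, and checkpatch warns about this pattern. What makes the routine safe to call twice is the set of NULL assignments added in the following hunk, so the original unconditional calls can stay as they were. The same applies to if (rsp) kfree(rsp); in qla2x00_free_rsp_que.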
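
Review bot: The @@ -4455 hunk sets ha->mctp_dump, ha->dcbx_tlv, ha->xgmac_data and ha->sfp_data to NULL, but none of the frees shown in this patch covers those four pointers. Please confirm each is released earlier in qla2x00_mem_free before it is cleared, since otherwise the assignment drops the last reference to the buffer. Placing each NULL assignment directly after its matching free would make the pairing checkable at a glance.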