From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Martin Wilck, Arun Easi, Daniel Wagner
Subject: [PATCH v3 1/4] qla2xxx: Warn if done() or free() are called on an already freed srb
Date: Tue, 8 Sep 2020 10:15:13 +0200
Message-Id: <20200908081516.8561-2-dwagner@suse.de>
In-Reply-To: <20200908081516.8561-1-dwagner@suse.de>
References: <20200908081516.8561-1-dwagner@suse.de>

Emit a warning when ->done or ->free are called on an already freed srb.

There is a hidden use-after-free bug in the driver, originating from the cleanup callbacks, which corrupts the srb memory pool. An extensive search didn't shed any light on the real problem.

The initial fix was to set both pointers to NULL and try to catch invalid accesses. But instead, the memory corruption was gone and the driver didn't crash. Since not all call sites check for a NULL pointer, explicitly add default handlers.

With this we work around the memory corruption and add a debugging aid.

Reviewed-by: Martin Wilck
Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_init.c   | 10 ++++++++++
 drivers/scsi/qla2xxx/qla_inline.h |  5 +++++
 2 files changed, 15 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index 57a2d76aa691..fb7d57dc4e69 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -63,6 +63,16 @@ void qla2x00_sp_free(srb_t *sp) qla2x00_rel_sp(sp); } +void qla2xxx_rel_done_warning(srb_t *sp, int res) +{ + WARN_ONCE(1, "Calling done() of an already freed srb %p object\n", sp); +} + +void qla2xxx_rel_free_warning(srb_t *sp) +{ + WARN_ONCE(1, "Calling free() of an already freed srb %p object\n", sp); +} + /* Asynchronous Login/Logout Routines -------------------------------------- */ unsigned long 
diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h index 861dc522723c..2aa6f81f87c4 100644 --- a/drivers/scsi/qla2xxx/qla_inline.h +++ b/drivers/scsi/qla2xxx/qla_inline.h @@ -207,10 +207,15 @@ qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair, return sp; } +void qla2xxx_rel_done_warning(srb_t *sp, int res); +void qla2xxx_rel_free_warning(srb_t *sp); + static inline void qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp) { sp->qpair = NULL; + sp->done = qla2xxx_rel_done_warning; + sp->free = qla2xxx_rel_free_warning; mempool_free(sp, qpair->srb_mempool); QLA_QPAIR_MARK_NOT_BUSY(qpair); } -- 2.16.4
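Review bot: in the qla_init.c hunk, `%p` in both WARN_ONCE() messages prints a hashed pointer, so the value cannot be correlated with the srb address seen in any other log or in a KASAN report; since these stubs exist only to locate the use-after-free, `%px` is the more useful choice here. Two smaller points on the same hunk: `res` in qla2xxx_rel_done_warning() is discarded, and printing it alongside the pointer would show which completion status the stale caller was trying to deliver; and WARN_ONCE() reports only the first offending call site for the lifetime of the system, so once it has fired every further late done()/free() is swallowed silently, which hides repeat offenders from the very investigation the commit message describes.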
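Review bot: in the qla_inline.h hunk, the poisoned `sp->done` and `sp->free` only survive while the freed element sits untouched in the mempool. As soon as qla2xxx_get_qpair_sp() hands the same srb out again, or mempool_free() returns the element to the slab where freed-object poisoning or the freelist pointer overwrite it, a stale caller invokes the new owner's callbacks and no warning fires, which also explains why setting the pointers to NULL made the crash "disappear" rather than surface. The commit message should say the check is best-effort and does not replace KASAN or slab debugging; the two stores happen before mempool_free(), so they are not themselves flagged as a use-after-free by those tools.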
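The poisoned-callback trick the patch applies, shown as a user-space model added here (this is not code from the qla2xxx driver or from the patch author). The pool, the `srb` layout, the `get_sp()`/`rel_sp()` helpers, the counters and both scenarios are constructed for the example; they only loosely mirror the driver's names. Scenario 1 shows the warning stubs catching a double completion; scenario 2 shows the limit the review note above describes: once the slot is handed out again, the poison is gone and a stale caller runs the new owner's cleanup without any warning.

```c
/* Added example: user-space model of replacing an object's done()/free()
 * function pointers with warning stubs at release time, so a late caller
 * trips a visible warning instead of silently re-running the cleanup.
 * Everything below (pool, srb fields, counters, scenarios) is constructed
 * for illustration and is not the qla2xxx driver's code. */
#include <stdio.h>
#include <string.h>

struct srb;
typedef void (*done_fn)(struct srb *sp, int res);
typedef void (*free_fn)(struct srb *sp);

struct srb {
    int     in_use;
    int     id;
    done_fn done;
    free_fn free;
};

#define POOL_SIZE 4
static struct srb pool[POOL_SIZE];   /* stands in for the srb mempool */

/* Counters the test inspects: stub hits and genuine cleanups. */
static int warn_done_count;
static int warn_free_count;
static int real_free_count;

/* Like WARN_ONCE(): print at most once per stub, but count every hit so the
 * example can show what the kernel version would silently swallow. */
static void rel_done_warning(struct srb *sp, int res)
{
    static int printed;
    warn_done_count++;
    if (!printed) {
        printed = 1;
        fprintf(stderr, "WARN: done(res=%d) on freed srb %p\n", res, (void *)sp);
    }
}

static void rel_free_warning(struct srb *sp)
{
    static int printed;
    warn_free_count++;
    if (!printed) {
        printed = 1;
        fprintf(stderr, "WARN: free() on freed srb %p\n", (void *)sp);
    }
}

/* Release: poison the callbacks *before* the object goes back to the pool. */
static void rel_sp(struct srb *sp)
{
    sp->in_use = 0;
    sp->done = rel_done_warning;
    sp->free = rel_free_warning;
}

/* Allocate: a fresh object is zeroed and gets the new owner's callbacks,
 * which is exactly what destroys the poison on a reused slot. */
static struct srb *get_sp(int id, done_fn done, free_fn free)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            struct srb *sp = &pool[i];
            memset(sp, 0, sizeof(*sp));
            sp->in_use = 1; sp->id = id; sp->done = done; sp->free = free;
            return sp;
        }
    }
    return NULL;
}

/* A command's normal cleanup path: done() completes, then free() releases. */
static void cmd_done(struct srb *sp, int res) { (void)res; sp->free(sp); }
static void cmd_free(struct srb *sp) { real_free_count++; rel_sp(sp); }

/* Scenario 1: double completion.  The second done() and the extra free()
 * land on the poisoned pointers; the real cleanup runs exactly once. */
int scenario_double_done(void)
{
    warn_done_count = warn_free_count = real_free_count = 0;
    struct srb *sp = get_sp(1, cmd_done, cmd_free);
    sp->done(sp, 0);   /* legitimate completion: releases the srb */
    sp->done(sp, 0);   /* use-after-free: caught by rel_done_warning */
    sp->free(sp);      /* use-after-free: caught by rel_free_warning */
    return real_free_count == 1 && warn_done_count == 1 && warn_free_count == 1;
}

/* Scenario 2: the slot is reallocated before the stale caller arrives.  The
 * stale done() now completes and frees the *new* owner's command, and no
 * warning fires: the stubs are best-effort, not a guarantee. */
int scenario_reallocated(void)
{
    warn_done_count = warn_free_count = real_free_count = 0;
    struct srb *stale = get_sp(1, cmd_done, cmd_free);
    stale->done(stale, 0);                        /* freed, slot poisoned */
    struct srb *fresh = get_sp(2, cmd_done, cmd_free);
    int same_slot = (fresh == stale);
    stale->done(stale, 0);                        /* frees the fresh command */
    return same_slot && warn_done_count == 0 && real_free_count == 2 && fresh->in_use == 0;
}

int main(void)
{
    printf("double done caught: %d\n", scenario_double_done());
    printf("reallocated slot caught: %d (0 = stubs could not fire)\n",
           warn_done_count ? 1 : 0 + (scenario_reallocated(), 0));
    return 0;
}
```

Both scenarios reset the counters and leave their slots released, so they can run in any order; the second one is the reason the review note asks for KASAN or slab poisoning alongside these stubs, since neither the kernel's `%p` output nor a once-only warning will show a completion that lands on a reused object.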