From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Quinn Tran, Mike Christie, Daniel Wagner, Himanshu Madhani, Bart Van Assche, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.4 101/111] scsi: Revert "qla2xxx: Make sure that aborted commands are freed"
Date: Mon, 29 Mar 2021 09:58:49 +0200
Message-Id: <20210329075618.581757788@linuxfoundation.org>
In-Reply-To: <20210329075615.186199980@linuxfoundation.org>
References: <20210329075615.186199980@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Bart Van Assche

[ Upstream commit 39c0c8553bfb5a3d108aa47f1256076d507605e3 ]

Calling vha->hw->tgt.tgt_ops->free_cmd() from qlt_xmit_response() is wrong
since the command for which a response is sent must remain valid until the
SCSI target core calls .release_cmd(). It has been observed that the
following scenario triggers a kernel crash:
- qlt_xmit_response() calls qlt_check_reserve_free_req()
- qlt_check_reserve_free_req() returns -EAGAIN
- qlt_xmit_response() calls vha->hw->tgt.tgt_ops->free_cmd(cmd)
- transport_handle_queue_full() tries to retransmit the response

Fix this crash by reverting the patch that introduced it.

Link: https://lore.kernel.org/r/20210320232359.941-2-bvanassche@acm.org
Fixes: 0dcec41acb85 ("scsi: qla2xxx: Make sure that aborted commands are freed")
Cc: Quinn Tran
Cc: Mike Christie
Reviewed-by: Daniel Wagner
Reviewed-by: Himanshu Madhani
Signed-off-by: Bart Van Assche
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
---
 drivers/scsi/qla2xxx/qla_target.c  | 13 +++++--------
 drivers/scsi/qla2xxx/tcm_qla2xxx.c |  4 ----
 2 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 412009e2b948..8fd0a568303b 100644
--- a/drivers/scsi/qla2xxx/qla_target.c +++ b/drivers/scsi/qla2xxx/qla_target.c @@ -3216,8 +3216,7 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type, if (!qpair->fw_started || (cmd->reset_count != qpair->chip_reset) || (cmd->sess && cmd->sess->deleted)) { cmd->state = QLA_TGT_STATE_PROCESSED; - res = 0; - goto free; + return 0; } ql_dbg_qp(ql_dbg_tgt, qpair, 0xe018, @@ -3228,8 +3227,9 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type, res = qlt_pre_xmit_response(cmd, &prm, xmit_type, scsi_status, &full_req_cnt); - if (unlikely(res != 0)) - goto free; + if (unlikely(res != 0)) { + return res; + } spin_lock_irqsave(qpair->qp_lock_ptr, flags); @@ -3249,8 +3249,7 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type, vha->flags.online, qla2x00_reset_active(vha), cmd->reset_count, qpair->chip_reset); spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); - res = 0; - goto free; + return 0; } /* Does F/W have an IOCBs for this request */ @@ -3353,8 +3352,6 @@ int qlt_xmit_response(struct qla_tgt_cmd *cmd, int xmit_type, qlt_unmap_sg(vha, cmd); spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); -free: - vha->hw->tgt.tgt_ops->free_cmd(cmd); return res; } EXPORT_SYMBOL(qlt_xmit_response); diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c index 744cd93189da..df8644da2c32 100644 --- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c +++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c @@ -623,7 +623,6 @@ static int tcm_qla2xxx_queue_data_in(struct se_cmd *se_cmd) { struct qla_tgt_cmd *cmd = container_of(se_cmd, struct qla_tgt_cmd, se_cmd); - struct scsi_qla_host *vha = cmd->vha; if (cmd->aborted) { /* Cmd can loop during Q-full. tcm_qla2xxx_aborted_task @@ -636,7 +635,6 @@ static int tcm_qla2xxx_queue_data_in(struct se_cmd *se_cmd) cmd->se_cmd.transport_state, cmd->se_cmd.t_state, cmd->se_cmd.se_cmd_flags); - vha->hw->tgt.tgt_ops->free_cmd(cmd); return 0; } 
@@ -664,7 +662,6 @@ static int tcm_qla2xxx_queue_status(struct se_cmd *se_cmd) { struct qla_tgt_cmd *cmd = container_of(se_cmd, struct qla_tgt_cmd, se_cmd); - struct scsi_qla_host *vha = cmd->vha; int xmit_type = QLA_TGT_XMIT_STATUS; if (cmd->aborted) { @@ -678,7 +675,6 @@ static int tcm_qla2xxx_queue_status(struct se_cmd *se_cmd) cmd, kref_read(&cmd->se_cmd.cmd_kref), cmd->se_cmd.transport_state, cmd->se_cmd.t_state, cmd->se_cmd.se_cmd_flags); - vha->hw->tgt.tgt_ops->free_cmd(cmd); return 0; } cmd->bufflen = se_cmd->data_length; -- 2.30.1
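Review bot: The early exits in qlt_xmit_response() (the `!qpair->fw_started || ...` branch at @@ -3216 and the branch after `spin_unlock_irqrestore()` at @@ -3249) now `return 0;` without sending a response and without touching the command's lifetime, but nothing in the code says why. A one-line comment at the first of these branches stating that cmd must stay valid until the SCSI target core calls .release_cmd(), as the commit message explains, would keep a later cleanup from reintroducing a free on these paths.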
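Review bot: Style point in the qla_target.c hunk at @@ -3228: the restored `if (unlikely(res != 0)) { return res; }` wraps a single statement in braces, which kernel coding style asks to omit. If the hunk does not have to match the pre-revert text exactly, write it as `if (unlikely(res != 0))` followed by `return res;`.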
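Review bot: In tcm_qla2xxx.c, the `if (cmd->aborted)` branches of tcm_qla2xxx_queue_data_in() and tcm_qla2xxx_queue_status() go back to `return 0;` with no free_cmd() call, and the commit message does not say what now happens to the condition the reverted commit ("Make sure that aborted commands are freed") was written for. The message covers the -EAGAIN crash in qlt_xmit_response() only; please add a sentence on whether aborted commands are still released through the normal .release_cmd() path after this revert, or whether a follow-up fix is expected.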