From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Justin Tee, James Smart, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.4 21/37] scsi: lpfc: Fix illegal memory access on Abort IOCBs
Date: Thu, 20 May 2021 11:22:42 +0200
Message-Id: <20210520092052.975357097@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210520092052.265851579@linuxfoundation.org>
References: <20210520092052.265851579@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: James Smart

[ Upstream commit e1364711359f3ced054bda9920477c8bf93b74c5 ]

In devloss timer handler and in backend calls to terminate remote port I/O, there is logic to walk through all active IOCBs and validate them to potentially trigger an abort request. This logic is causing illegal memory accesses which leads to a crash. Abort IOCBs, which may be on the list, do not have an associated lpfc_io_buf struct. The driver is trying to map an lpfc_io_buf struct on the IOCB and which results in a bogus address thus the issue.

Fix by skipping over ABORT IOCBs (CLOSE IOCBs are ABORTS that don't send ABTS) in the IOCB scan logic.

Link: https://lore.kernel.org/r/20210421234433.102079-1-jsmart2021@gmail.com
Co-developed-by: Justin Tee
Signed-off-by: Justin Tee
Signed-off-by: James Smart
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
--- drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index ef7cef316d21..795460eda6a5 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -11337,13 +11337,20 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport, lpfc_ctx_cmd ctx_cmd) { struct lpfc_io_buf *lpfc_cmd; + IOCB_t *icmd = NULL; int rc = 1; if (iocbq->vport != vport) return rc; - if (!(iocbq->iocb_flag & LPFC_IO_FCP) || - !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ)) + if (!(iocbq->iocb_flag & LPFC_IO_FCP) || + !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) || + iocbq->iocb_flag & LPFC_DRIVER_ABORTED) + return rc; + + icmd = &iocbq->iocb; + if (icmd->ulpCommand == CMD_ABORT_XRI_CN || + icmd->ulpCommand == CMD_CLOSE_XRI_CN) return rc; lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq); -- 2.30.2
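Review bot: The new `ulpCommand` check in lpfc_sli_validate_fcp_iocb() has no comment saying why it must come before `container_of(iocbq, struct lpfc_io_buf, cur_iocbq)`, so a later reorder could reintroduce the bogus-pointer access. A short comment above the `CMD_ABORT_XRI_CN` / `CMD_CLOSE_XRI_CN` test, stating that these IOCBs are not embedded in an lpfc_io_buf, would make that ordering constraint explicit. The added `iocbq->iocb_flag & LPFC_DRIVER_ABORTED` term in the first early return is not mentioned in the commit message, which only describes skipping ABORT and CLOSE IOCBs; it deserves a sentence there or in a comment, and it should be parenthesized to match the two `!(...)` terms it is OR-ed with. The `= NULL` initializer on `IOCB_t *icmd` is redundant, since `icmd` is assigned from `&iocbq->iocb` before its only use.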