[PATCH openEuler-1.0-LTS] RDMA/srp: Do not call scsi_done() from srp_abort() - Kernel

12 Mar 2024

From: Bart Van Assche bvanassche@acm.org
stable inclusion
from stable-v5.10.199
commit 26788a5b48d9d5cd3283d777d238631c8cd7495a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95B1O
CVE: CVE-2023-52515
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit e193b7955dfad68035b983a0011f4ef3590c85eb ]
After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler
callback, it performs one of the following actions:
* Call scsi_queue_insert().
* Call scsi_finish_command().
* Call scsi_eh_scmd_add().
Hence, SCSI abort handlers must not call scsi_done(). Otherwise all
the above actions would trigger a use-after-free. Hence remove the
scsi_done() call from srp_abort(). Keep the srp_free_req() call
before returning SUCCESS because we may not see the command again if
SUCCESS is returned.
Cc: Bob Pearson rpearsonhpe@gmail.com
Cc: Shinichiro Kawasaki shinichiro.kawasaki@wdc.com
Fixes: d8536670916a ("IB/srp: Avoid having aborted requests hang")
Signed-off-by: Bart Van Assche bvanassche@acm.org
Link: https://lore.kernel.org/r/20230823205727.505681-1-bvanassche@acm.org
Signed-off-by: Leon Romanovsky leon@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Liu Jian liujian56@huawei.com
---
 drivers/infiniband/ulp/srp/ib_srp.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
index 6dcdc42ed081..ec54cd687ef1 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -2917,7 +2917,6 @@ static int srp_abort(struct scsi_cmnd *scmnd)
    u32 tag;
    u16 ch_idx;
    struct srp_rdma_ch *ch;
-	int ret;
shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n");
@@ -2933,19 +2932,14 @@ static int srp_abort(struct scsi_cmnd *scmnd)
    shost_printk(KERN_ERR, target->scsi_host,
    	     "Sending SRP abort for tag %#x\n", tag);
    if (srp_send_tsk_mgmt(ch, tag, scmnd->device->lun,
-			      SRP_TSK_ABORT_TASK, NULL) == 0)
-		ret = SUCCESS;
-	else if (target->rport->state == SRP_RPORT_LOST)
-		ret = FAST_IO_FAIL;
-	else
-		ret = FAILED;
-	if (ret == SUCCESS) {
+			      SRP_TSK_ABORT_TASK, NULL) == 0) {
    	srp_free_req(ch, req, scmnd, 0);
-		scmnd->result = DID_ABORT << 16;
-		scmnd->scsi_done(scmnd);
+		return SUCCESS;
    }
+	if (target->rport->state == SRP_RPORT_LOST)
+		return FAST_IO_FAIL;
-	return ret;
+	return FAILED;
 }
static int srp_reset_device(struct scsi_cmnd *scmnd)
-- 
2.34.1


    