[PATCH openEuler-22.03-LTS-SP1] scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths - Kernel

27 Nov 2024

From: Justin Tee justin.tee@broadcom.com
mainline inclusion
from mainline-v6.12-rc1
commit 2be1d4f11944cd6283cb97268b3e17c4424945ca
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Z
CVE: CVE-2024-49891
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
When the HBA is undergoing a reset or is handling an errata event, NULL ptr
dereference crashes may occur in routines such as
lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
lpfc_abort_handler().
Add NULL ptr checks before dereferencing hdwq pointers that may have been
freed due to operations colliding with a reset or errata event handler.
Signed-off-by: Justin Tee justin.tee@broadcom.com
Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen martin.petersen@oracle.com
Conflicts:
    drivers/scsi/lpfc/lpfc.h
    drivers/scsi/lpfc/lpfc_hbadisc.c
    drivers/scsi/lpfc/lpfc_scsi.c
    drivers/scsi/lpfc/lpfc_sli.c
[Yongqiang: add HBA_SETUP flag from commit 02243836ad6f("scsi: lpfc: Add support
for the CM framework") for teardown logic]
Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com
---
 drivers/scsi/lpfc/lpfc.h         |  1 +
 drivers/scsi/lpfc/lpfc_hbadisc.c |  3 ++-
 drivers/scsi/lpfc/lpfc_scsi.c    | 13 +++++++++++--
 drivers/scsi/lpfc/lpfc_sli.c     | 15 +++++++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index cf69f831a725..103ff1ce2aef 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -772,6 +772,7 @@ struct lpfc_hba {
    				 */
 #define HBA_FLOGI_ISSUED	0x100000 /* FLOGI was issued */
 #define HBA_DEFER_FLOGI		0x800000 /* Defer FLOGI till read_sparm cmpl */
+#define HBA_SETUP		0x1000000 /* Signifies HBA setup is completed */
struct completion *fw_dump_cmpl; /* cmpl event tracker for fw_dump */
    uint32_t fcp_ring_in_use; /* When polling test if intr-hndlr active*/
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index d1f28364356e..5d8f3797b1b6 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -140,7 +140,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport)
     * or unloading the driver. The unload will cleanup the node
     * appropriately we just need to cleanup the ndlp rport info here.
     */
-	if (vport->load_flag & FC_UNLOADING) {
+	if (vport->load_flag & FC_UNLOADING ||
+	    !(phba->hba_flag & HBA_SETUP)) {
    	put_node = rdata->pnode != NULL;
    	put_rport = ndlp->rport != NULL;
    	rdata->pnode = NULL;
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 983eeb0e3d07..2d2276aa0b63 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -4769,11 +4769,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmnd)
iocb = &lpfc_cmd->cur_iocbq;
    if (phba->sli_rev == LPFC_SLI_REV4) {
-		pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
-		if (!pring_s4) {
+		/* if the io_wq & pring are gone, the port was reset. */
+		if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
+		    !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
+			lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
+					 "2877 SCSI Layer I/O Abort Request "
+					 "IO CMPL Status x%x ID %d LUN %llu "
+					 "HBA_SETUP %d\n", FAILED,
+					 cmnd->device->id,
+					 (u64)cmnd->device->lun,
+					 phba->hba_flag & HBA_SETUP);
    		ret = FAILED;
    		goto out_unlock_buf;
    	}
+		pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
    	spin_lock(&pring_s4->ring_lock);
    }
    /* the command is in process of being cancelled */
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 28fee498a3d2..e6f6ddc80ee5 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -4156,6 +4156,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba *phba)
    /* Look on all the FCP Rings for the iotag */
    if (phba->sli_rev >= LPFC_SLI_REV4) {
    	for (i = 0; i < phba->cfg_hdw_queue; i++) {
+			if (!phba->sli4_hba.hdwq ||
+			    !phba->sli4_hba.hdwq[i].io_wq) {
+				lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+						"7777 hdwq's deleted %x "
+						"%x %x %x\n",
+						phba->pport->load_flag,
+						phba->hba_flag,
+						phba->link_state,
+						phba->sli.sli_flag);
+				return;
+			}
    		pring = phba->sli4_hba.hdwq[i].io_wq->pring;
spin_lock_irq(&pring->ring_lock);
@@ -4304,6 +4315,7 @@ lpfc_sli_brdready_s4(struct lpfc_hba *phba, uint32_t mask)
    } else
    	phba->sli4_hba.intr_enable = 0;
+	phba->hba_flag &= ~HBA_SETUP;
    return retval;
 }
@@ -4623,6 +4635,7 @@ lpfc_sli4_brdreset(struct lpfc_hba *phba)
    phba->link_events = 0;
    phba->pport->fc_myDID = 0;
    phba->pport->fc_prevDID = 0;
+	phba->hba_flag &= ~HBA_SETUP;
spin_lock_irq(&phba->hbalock);
    psli->sli_flag &= ~(LPFC_PROCESS_LA);
@@ -7989,6 +8002,8 @@ lpfc_sli4_hba_setup(struct lpfc_hba *phba)
    	}
    }
    mempool_free(mboxq, phba->mbox_mem_pool);
+
+	phba->hba_flag |= HBA_SETUP;
    return rc;
 out_io_buff_free:
    /* Free allocated IO Buffers */
-- 
2.25.1


    