From: Ewan Milne <emilne@redhat.com>
To: James Smart <jsmart2021@gmail.com>
Cc: linux-scsi@vger.kernel.org, Justin Tee <justin.tee@broadcom.com>
Subject: Re: [PATCH] lpfc: Fix memory overwrite during FC-GS IO abort handling
Date: Tue, 5 Oct 2021 13:11:44 -0400
Message-ID: <CAGtn9rmsV9QcMr2-dKR8GEN+Ln7MtaCy5ruY+5gzXoUy+gg3pw@mail.gmail.com>
In-Reply-To: <20211004231210.35524-1-jsmart2021@gmail.com>

Tested-by: Ewan D. Milne <emilne@redhat.com>

On Mon, Oct 4, 2021 at 7:12 PM James Smart <jsmart2021@gmail.com> wrote:
>
> When an FC-GS IO is aborted by lpfc, the driver requires a node pointer
> for a dereference operation.  In the abort IO routine, the driver
> miscasts a context pointer to the wrong data type and overwrites a
> single byte outside of the allocated space.  This miscast is done in the
> abort io function handler because the abort io handler works on FC-GS
> and FC-LS commands but the code neglected to get the correct job location
> for the node.
>
> Fix this by acquiring the necessary node pointer from the correct
> job structure depending on the IO type.
>
> Co-developed-by: Justin Tee <justin.tee@broadcom.com>
> Signed-off-by: Justin Tee <justin.tee@broadcom.com>
> Signed-off-by: James Smart <jsmart2021@gmail.com>
> ---
>  drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
> index 3f911cb48cf2..d8c01114442f 100644
> --- a/drivers/scsi/lpfc/lpfc_sli.c
> +++ b/drivers/scsi/lpfc/lpfc_sli.c
> @@ -12308,12 +12308,12 @@ void
>  lpfc_ignore_els_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
>                      struct lpfc_iocbq *rspiocb)
>  {
> -       struct lpfc_nodelist *ndlp = (struct lpfc_nodelist *) cmdiocb->context1;
> +       struct lpfc_nodelist *ndlp = NULL;
>         IOCB_t *irsp = &rspiocb->iocb;
>
>         /* ELS cmd tag <ulpIoTag> completes */
>         lpfc_printf_log(phba, KERN_INFO, LOG_ELS,
> -                       "0139 Ignoring ELS cmd tag x%x completion Data: "
> +                       "0139 Ignoring ELS cmd code x%x completion Data: "
>                         "x%x x%x x%x\n",
>                         irsp->ulpIoTag, irsp->ulpStatus,
>                         irsp->un.ulpWord[4], irsp->ulpTimeout);
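Review bot: The reworded 0139 message in the lpfc_printf_log() call now says "cmd code", but its first argument is still irsp->ulpIoTag and the comment directly above it still reads "ELS cmd tag <ulpIoTag> completes", so the log text no longer matches the value it prints. Either keep "cmd tag" or pass the command code as the argument and update the comment to match. The wording change is also unrelated to the overwrite described in the commit message; mention it in the changelog or split it into its own patch.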
> @@ -12321,10 +12321,13 @@ lpfc_ignore_els_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
>          * Deref the ndlp after free_iocb. sli_release_iocb will access the ndlp
>          * if exchange is busy.
>          */
> -       if (cmdiocb->iocb.ulpCommand == CMD_GEN_REQUEST64_CR)
> +       if (cmdiocb->iocb.ulpCommand == CMD_GEN_REQUEST64_CR) {
> +               ndlp = cmdiocb->context_un.ndlp;
>                 lpfc_ct_free_iocb(phba, cmdiocb);
> -       else
> +       } else {
> +               ndlp = (struct lpfc_nodelist *) cmdiocb->context1;
>                 lpfc_els_free_iocb(phba, cmdiocb);
> +       }
>
>         lpfc_nlp_put(ndlp);
>  }
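Review bot: lpfc_nlp_put(ndlp) at the end of the function runs unconditionally, and nothing in the visible lines shows that cmdiocb->context_un.ndlp is always populated when ulpCommand is CMD_GEN_REQUEST64_CR. If it can be unset on this path, guard the put with a NULL check, or state in the changelog why it cannot be (or that lpfc_nlp_put() accepts NULL). Both branches now assign ndlp before use, so the "= NULL" initializer added in the first hunk is redundant. The else branch still casts context1 for every other command, so a one-line comment naming which field carries the node for each IO type would help keep the miscast from returning.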
> --
> 2.26.2
>

