[PATCH] scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()

[PATCH] scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()

[Guilherme G. Piccoli]

We might have a NULL pring in lpfc_els_abort(), for example on
error recovery path, since queues are destroyed during error
recovery mechanism.

In this case, we should just drop the abort since the queues will
be recreated anyway. This patch just verifies for NULL pointer
and stop the abortion of the queue in case of a NULL pring.

Also, this patch converts return type of lpfc_els_abort() from int
to void, since it's not checked anywhere.

Reported-by: Harsha Thyagaraja <hathyaga@in.ibm.com>
Reported-by: Naresh Bannoth <nbannoth@in.ibm.com>
Tested-by: Raphael Silva <raphasil@linux.vnet.ibm.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
---
* This patch was rebased against Martin's 4.12/scsi-fixes.

 drivers/scsi/lpfc/lpfc_crtn.h      | 2 +-
 drivers/scsi/lpfc/lpfc_nportdisc.c | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h
index 8912767e7bc8..da669dce12fe 100644
--- a/drivers/scsi/lpfc/lpfc_crtn.h
+++ b/drivers/scsi/lpfc/lpfc_crtn.h
@@ -127,7 +127,7 @@ int lpfc_disc_state_machine(struct lpfc_vport *, struct lpfc_nodelist *, void *,
 void lpfc_do_scr_ns_plogi(struct lpfc_hba *, struct lpfc_vport *);
 int lpfc_check_sparm(struct lpfc_vport *, struct lpfc_nodelist *,
 		     struct serv_parm *, uint32_t, int);
-int lpfc_els_abort(struct lpfc_hba *, struct lpfc_nodelist *);
+void lpfc_els_abort(struct lpfc_hba *, struct lpfc_nodelist *);
 void lpfc_more_plogi(struct lpfc_vport *);
 void lpfc_more_adisc(struct lpfc_vport *);
 void lpfc_end_rscn(struct lpfc_vport *);
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index bff3de053df4..f74cb0142fd4 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -206,7 +206,7 @@ lpfc_check_elscmpl_iocb(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
  * associated with a LPFC_NODELIST entry. This
  * routine effectively results in a "software abort".
  */
-int
+void
 lpfc_els_abort(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp)
 {
 	LIST_HEAD(abort_list);
@@ -215,6 +215,10 @@ lpfc_els_abort(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp)
 
 	pring = lpfc_phba_elsring(phba);
 
+	/* In case of error recovery path, we might have a NULL pring here */
+	if (!pring)
+		return;
+
 	/* Abort outstanding I/O on NPort <nlp_DID> */
 	lpfc_printf_vlog(ndlp->vport, KERN_INFO, LOG_DISCOVERY,
 			 "2819 Abort outstanding I/O on NPort x%x "
@@ -273,7 +277,6 @@ lpfc_els_abort(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp)
 			      IOSTAT_LOCAL_REJECT, IOERR_SLI_ABORTED);
 
 	lpfc_cancel_retry_delay_tmo(phba->pport, ndlp);
-	return 0;
 }
 
 static int
-- 
2.12.0.rc0

Re: [PATCH] scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()

[Johannes Thumshirn]

On 05/24/2017 11:48 PM, Guilherme G. Piccoli wrote:
> We might have a NULL pring in lpfc_els_abort(), for example on
> error recovery path, since queues are destroyed during error
> recovery mechanism.
> 
> In this case, we should just drop the abort since the queues will
> be recreated anyway. This patch just verifies for NULL pointer
> and stop the abortion of the queue in case of a NULL pring.
> 
> Also, this patch converts return type of lpfc_els_abort() from int
> to void, since it's not checked anywhere.
> 
> Reported-by: Harsha Thyagaraja <hathyaga@in.ibm.com>
> Reported-by: Naresh Bannoth <nbannoth@in.ibm.com>
> Tested-by: Raphael Silva <raphasil@linux.vnet.ibm.com>
> Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
> ---

Looks good,
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>


-- 
Johannes Thumshirn                                          Storage
jthumshirn@suse.de                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

Re: [PATCH] scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()

[James Smart]

Change looks good

Signed-off-by: James Smart  <james.smart@broadcom.com>

-- james


On 5/24/2017 2:48 PM, Guilherme G. Piccoli wrote:
> We might have a NULL pring in lpfc_els_abort(), for example on
> error recovery path, since queues are destroyed during error
> recovery mechanism.
>
> In this case, we should just drop the abort since the queues will
> be recreated anyway. This patch just verifies for NULL pointer
> and stop the abortion of the queue in case of a NULL pring.
>
> Also, this patch converts return type of lpfc_els_abort() from int
> to void, since it's not checked anywhere.
>
> Reported-by: Harsha Thyagaraja <hathyaga@in.ibm.com>
> Reported-by: Naresh Bannoth <nbannoth@in.ibm.com>
> Tested-by: Raphael Silva <raphasil@linux.vnet.ibm.com>
> Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
>

Re: [PATCH] scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()

[Martin K. Petersen]

Guilherme,

> We might have a NULL pring in lpfc_els_abort(), for example on error
> recovery path, since queues are destroyed during error recovery
> mechanism.
>
> In this case, we should just drop the abort since the queues will be
> recreated anyway. This patch just verifies for NULL pointer and stop
> the abortion of the queue in case of a NULL pring.
>
> Also, this patch converts return type of lpfc_els_abort() from int to
> void, since it's not checked anywhere.

Applied to 4.12/scsi-fixes. Thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering