* [PATCH] lpfc: Fix illegal memory access on Abort IOCBs
@ 2021-04-21 23:41 James Smart
From: James Smart @ 2021-04-21 23:41 UTC (permalink / raw)
To: linux-scsi; +Cc: James Smart, Justin Tee
In devloss timer handler and in backend calls to terminate remote port
io, there is logic to walk through all active IOCBs and validate them
to potentially trigger an abort request. This logic is causing illegal
memory accesses which leads to a crash. Abort IOCBs, which may be on
the list, do not have an associated lpfc_io_buf struct. The driver is
trying to map an lpfc_io_buf struct on the iocb, which results in a
bogus address, thus the issue.
Fix by skipping over ABORT IOCBs (CLOSE IOCBs are ABORTS that don't send
ABTS) in the IOCB scan logic.
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
ECD submit header:
****************************************
COMMIT-TITLE: Logic to validate IOCB for aborts causes illegal memory access
COMMIT: 78307
COMMIT-BZ: 244869
COMMIT-QC:
r78307 | sb889165 | 2021-03-12 09:00:53 +0530 (Fri, 12 Mar 2021) | 32 lines
Logic to validate IOCB for aborts causes illegal memory access
Bugs: 244869
Reviewers: jsmart pely jinfante
Symptoms:
In devloss timer handler and in backend calls to terminate remote port io,
there is logic to walk through all active IOCBs and validate them to
potentially trigger abort request. This logic causes illegal memory access
which leads to a crash.
Cause:
Abort IOCBs are not associated with lpfc_io_buf structure. While validating
FCP IOCBs, the function tries to map abort IOCB request to lpfc_io_buf struct
using container_of macros. This causes illegal memory access and thus leads
to interpreting junk values eventually leading to crash.
Fix:
Skip over abort IOCBs and IOCBs that have already been aborted.
Notes:
Unit Testing:
System Testing:
- Tested with ocs_fc_ramd SCSI target driver
- Trigger lips on initiator node
- Trigger port swaps and run io in background
Review_ID: https://cmengapps1.lvn.broadcom.net/r/34278/
---
drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 06ccc0157bd8..579ac75dfe79 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -11804,13 +11804,20 @@ lpfc_sli_validate_fcp_iocb(struct lpfc_iocbq *iocbq, struct lpfc_vport *vport,
lpfc_ctx_cmd ctx_cmd)
{
struct lpfc_io_buf *lpfc_cmd;
+ IOCB_t *icmd = NULL;
int rc = 1;
if (!iocbq || iocbq->vport != vport)
return rc;
- if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
- !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ))
+ if (!(iocbq->iocb_flag & LPFC_IO_FCP) ||
+ !(iocbq->iocb_flag & LPFC_IO_ON_TXCMPLQ) ||
+ iocbq->iocb_flag & LPFC_DRIVER_ABORTED)
+ return rc;
+
+ icmd = &iocbq->iocb;
+ if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
+ icmd->ulpCommand == CMD_CLOSE_XRI_CN)
return rc;
lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);
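Review bot: the new ulpCommand test that sits directly above `lpfc_cmd = container_of(iocbq, struct lpfc_io_buf, cur_iocbq);` carries no comment, so nothing in the function records that the ordering is what keeps container_of() away from IOCBs that are not embedded in an lpfc_io_buf. A one-line comment above `if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||` stating that ABORT and CLOSE IOCBs have no lpfc_io_buf and must be rejected before the container_of() would stop a later cleanup from moving or dropping the check. Two smaller points in the same hunk: `IOCB_t *icmd = NULL;` is assigned unconditionally before its first use, so the initializer can go, and `iocbq->iocb_flag & LPFC_DRIVER_ABORTED` would read more consistently parenthesized like the two negated flag tests above it.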
--
2.26.2