diff options
| author | Bill Kuzeja <William.Kuzeja@stratus.com> | 2018-03-05 00:02:55 -0500 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2018-03-06 22:07:49 -0500 |
| commit | 6a2cf8d3663e13e19af636c2a8d92e766261dc45 (patch) | |
| tree | 56f12e3b1b65e6912480361c93b5a61442eac9d8 | |
| parent | 4b433924b2755a94f99258c178684a0e05c344de (diff) | |
scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
Because of the shifting around of code in qla2x00_probe_one recently,
failures during adapter initialization can lead to problems, i.e. NULL
pointer crashes and doubly freed data structures which cause eventual
panics.
This V2 version makes the relevant memory free routines idempotent, so
repeat calls won't cause any harm. I also removed the problematic
probe_init_failed exit point as it is not needed.
Fixes: d64d6c5671db ("scsi: qla2xxx: Fix NULL pointer crash due to probe failure")
Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
| -rw-r--r-- | drivers/scsi/qla2xxx/qla_os.c | 59 |
1 files changed, 37 insertions, 22 deletions
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c index 285911e81728..5c5dcca4d1da 100644 --- a/drivers/scsi/qla2xxx/qla_os.c +++ b/drivers/scsi/qla2xxx/qla_os.c | |||
| @@ -454,7 +454,7 @@ static int qla2x00_alloc_queues(struct qla_hw_data *ha, struct req_que *req, | |||
| 454 | ha->req_q_map[0] = req; | 454 | ha->req_q_map[0] = req; |
| 455 | set_bit(0, ha->rsp_qid_map); | 455 | set_bit(0, ha->rsp_qid_map); |
| 456 | set_bit(0, ha->req_qid_map); | 456 | set_bit(0, ha->req_qid_map); |
| 457 | return 1; | 457 | return 0; |
| 458 | 458 | ||
| 459 | fail_qpair_map: | 459 | fail_qpair_map: |
| 460 | kfree(ha->base_qpair); | 460 | kfree(ha->base_qpair); |
| @@ -471,6 +471,9 @@ fail_req_map: | |||
| 471 | 471 | ||
| 472 | static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) | 472 | static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) |
| 473 | { | 473 | { |
| 474 | if (!ha->req_q_map) | ||
| 475 | return; | ||
| 476 | |||
| 474 | if (IS_QLAFX00(ha)) { | 477 | if (IS_QLAFX00(ha)) { |
| 475 | if (req && req->ring_fx00) | 478 | if (req && req->ring_fx00) |
| 476 | dma_free_coherent(&ha->pdev->dev, | 479 | dma_free_coherent(&ha->pdev->dev, |
| @@ -481,14 +484,17 @@ static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req) | |||
| 481 | (req->length + 1) * sizeof(request_t), | 484 | (req->length + 1) * sizeof(request_t), |
| 482 | req->ring, req->dma); | 485 | req->ring, req->dma); |
| 483 | 486 | ||
| 484 | if (req) | 487 | if (req) { |
| 485 | kfree(req->outstanding_cmds); | 488 | kfree(req->outstanding_cmds); |
| 486 | 489 | kfree(req); | |
| 487 | kfree(req); | 490 | } |
| 488 | } | 491 | } |
| 489 | 492 | ||
| 490 | static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) | 493 | static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) |
| 491 | { | 494 | { |
| 495 | if (!ha->rsp_q_map) | ||
| 496 | return; | ||
| 497 | |||
| 492 | if (IS_QLAFX00(ha)) { | 498 | if (IS_QLAFX00(ha)) { |
| 493 | if (rsp && rsp->ring) | 499 | if (rsp && rsp->ring) |
| 494 | dma_free_coherent(&ha->pdev->dev, | 500 | dma_free_coherent(&ha->pdev->dev, |
| @@ -499,7 +505,8 @@ static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp) | |||
| 499 | (rsp->length + 1) * sizeof(response_t), | 505 | (rsp->length + 1) * sizeof(response_t), |
| 500 | rsp->ring, rsp->dma); | 506 | rsp->ring, rsp->dma); |
| 501 | } | 507 | } |
| 502 | kfree(rsp); | 508 | if (rsp) |
| 509 | kfree(rsp); | ||
| 503 | } | 510 | } |
| 504 | 511 | ||
| 505 | static void qla2x00_free_queues(struct qla_hw_data *ha) | 512 | static void qla2x00_free_queues(struct qla_hw_data *ha) |
| @@ -1723,6 +1730,8 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res) | |||
| 1723 | struct qla_tgt_cmd *cmd; | 1730 | struct qla_tgt_cmd *cmd; |
| 1724 | uint8_t trace = 0; | 1731 | uint8_t trace = 0; |
| 1725 | 1732 | ||
| 1733 | if (!ha->req_q_map) | ||
| 1734 | return; | ||
| 1726 | spin_lock_irqsave(qp->qp_lock_ptr, flags); | 1735 | spin_lock_irqsave(qp->qp_lock_ptr, flags); |
| 1727 | req = qp->req; | 1736 | req = qp->req; |
| 1728 | for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { | 1737 | for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) { |
| @@ -3095,14 +3104,14 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) | |||
| 3095 | /* Set up the irqs */ | 3104 | /* Set up the irqs */ |
| 3096 | ret = qla2x00_request_irqs(ha, rsp); | 3105 | ret = qla2x00_request_irqs(ha, rsp); |
| 3097 | if (ret) | 3106 | if (ret) |
| 3098 | goto probe_hw_failed; | 3107 | goto probe_failed; |
| 3099 | 3108 | ||
| 3100 | /* Alloc arrays of request and response ring ptrs */ | 3109 | /* Alloc arrays of request and response ring ptrs */ |
| 3101 | if (!qla2x00_alloc_queues(ha, req, rsp)) { | 3110 | if (qla2x00_alloc_queues(ha, req, rsp)) { |
| 3102 | ql_log(ql_log_fatal, base_vha, 0x003d, | 3111 | ql_log(ql_log_fatal, base_vha, 0x003d, |
| 3103 | "Failed to allocate memory for queue pointers..." | 3112 | "Failed to allocate memory for queue pointers..." |
| 3104 | "aborting.\n"); | 3113 | "aborting.\n"); |
| 3105 | goto probe_init_failed; | 3114 | goto probe_failed; |
| 3106 | } | 3115 | } |
| 3107 | 3116 | ||
| 3108 | if (ha->mqenable && shost_use_blk_mq(host)) { | 3117 | if (ha->mqenable && shost_use_blk_mq(host)) { |
| @@ -3387,15 +3396,6 @@ skip_dpc: | |||
| 3387 | 3396 | ||
| 3388 | return 0; | 3397 | return 0; |
| 3389 | 3398 | ||
| 3390 | probe_init_failed: | ||
| 3391 | qla2x00_free_req_que(ha, req); | ||
| 3392 | ha->req_q_map[0] = NULL; | ||
| 3393 | clear_bit(0, ha->req_qid_map); | ||
| 3394 | qla2x00_free_rsp_que(ha, rsp); | ||
| 3395 | ha->rsp_q_map[0] = NULL; | ||
| 3396 | clear_bit(0, ha->rsp_qid_map); | ||
| 3397 | ha->max_req_queues = ha->max_rsp_queues = 0; | ||
| 3398 | |||
| 3399 | probe_failed: | 3399 | probe_failed: |
| 3400 | if (base_vha->timer_active) | 3400 | if (base_vha->timer_active) |
| 3401 | qla2x00_stop_timer(base_vha); | 3401 | qla2x00_stop_timer(base_vha); |
| @@ -4508,11 +4508,17 @@ qla2x00_mem_free(struct qla_hw_data *ha) | |||
| 4508 | if (ha->init_cb) | 4508 | if (ha->init_cb) |
| 4509 | dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, | 4509 | dma_free_coherent(&ha->pdev->dev, ha->init_cb_size, |
| 4510 | ha->init_cb, ha->init_cb_dma); | 4510 | ha->init_cb, ha->init_cb_dma); |
| 4511 | vfree(ha->optrom_buffer); | 4511 | |
| 4512 | kfree(ha->nvram); | 4512 | if (ha->optrom_buffer) |
| 4513 | kfree(ha->npiv_info); | 4513 | vfree(ha->optrom_buffer); |
| 4514 | kfree(ha->swl); | 4514 | if (ha->nvram) |
| 4515 | kfree(ha->loop_id_map); | 4515 | kfree(ha->nvram); |
| 4516 | if (ha->npiv_info) | ||
| 4517 | kfree(ha->npiv_info); | ||
| 4518 | if (ha->swl) | ||
| 4519 | kfree(ha->swl); | ||
| 4520 | if (ha->loop_id_map) | ||
| 4521 | kfree(ha->loop_id_map); | ||
| 4516 | 4522 | ||
| 4517 | ha->srb_mempool = NULL; | 4523 | ha->srb_mempool = NULL; |
| 4518 | ha->ctx_mempool = NULL; | 4524 | ha->ctx_mempool = NULL; |
| @@ -4528,6 +4534,15 @@ qla2x00_mem_free(struct qla_hw_data *ha) | |||
| 4528 | ha->ex_init_cb_dma = 0; | 4534 | ha->ex_init_cb_dma = 0; |
| 4529 | ha->async_pd = NULL; | 4535 | ha->async_pd = NULL; |
| 4530 | ha->async_pd_dma = 0; | 4536 | ha->async_pd_dma = 0; |
| 4537 | ha->loop_id_map = NULL; | ||
| 4538 | ha->npiv_info = NULL; | ||
| 4539 | ha->optrom_buffer = NULL; | ||
| 4540 | ha->swl = NULL; | ||
| 4541 | ha->nvram = NULL; | ||
| 4542 | ha->mctp_dump = NULL; | ||
| 4543 | ha->dcbx_tlv = NULL; | ||
| 4544 | ha->xgmac_data = NULL; | ||
| 4545 | ha->sfp_data = NULL; | ||
| 4531 | 4546 | ||
| 4532 | ha->s_dma_pool = NULL; | 4547 | ha->s_dma_pool = NULL; |
| 4533 | ha->dl_dma_pool = NULL; | 4548 | ha->dl_dma_pool = NULL; |