git.fsl.cs.sunysb.edu Git - wrapfs-5.3.y.git/commit

author	Quinn Tran <qutran@marvell.com>
	Tue, 5 Nov 2019 15:06:54 +0000 (07:06 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 17 Dec 2019 19:08:30 +0000 (20:08 +0100)
commit	10fd34ac79b234d9bd4459c9b9c1f9d5a67f7bde
tree	4dc01e299d85a3d163512faba2365b2d8c6e3f70	tree \| snapshot
parent	95000d33752d22d46838a462afaaa3107a5dfab2	commit \| diff

scsi: qla2xxx: Fix double scsi_done for abort path

[ Upstream commit f45bca8c5052e8c59bab64ee90c44441678b9a52 ]

Current code assumes abort will remove the original command from the active
list where scsi_done will not be called. Instead, the eh_abort thread will
do the scsi_done. That is not the case. Instead, we have a double
scsi_done calls triggering use after free.

Abort will tell FW to release the command from FW possesion. The original
command will return to ULP with error in its normal fashion via scsi_done.
eh_abort path would wait for the original command completion before
returning. eh_abort path will not perform the scsi_done call.

Fixes: 219d27d7147e0 ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
Cc: stable@vger.kernel.org # 5.2
Link: https://lore.kernel.org/r/20191105150657.8092-6-hmadhani@marvell.com
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/scsi/qla2xxx/qla_def.h		diff \| blob \| history
drivers/scsi/qla2xxx/qla_isr.c		diff \| blob \| history
drivers/scsi/qla2xxx/qla_nvme.c		diff \| blob \| history
drivers/scsi/qla2xxx/qla_os.c		diff \| blob \| history