diff options
author | Mike Christie <michael.christie@oracle.com> | 2021-05-25 20:18:15 +0200 |
---|---|---|
committer | Martin K. Petersen <martin.petersen@oracle.com> | 2021-06-02 07:28:22 +0200 |
commit | f7eea75262fc8e4f2e329f36ac6daf42da95bbdc (patch) | |
tree | b3faf128d204b9132d65b6d4d0cbe5f81664ee5e /drivers/scsi/qedi | |
parent | scsi: qedi: Fix use after free during abort cleanup (diff) | |
download | linux-f7eea75262fc8e4f2e329f36ac6daf42da95bbdc.tar.xz linux-f7eea75262fc8e4f2e329f36ac6daf42da95bbdc.zip |
scsi: qedi: Fix TMF tid allocation
qedi_iscsi_abort_work and qedi_tmf_work both allocate a tid then call
qedi_send_iscsi_tmf which also allocates a tid. This removes the tid
allocation from the callers.
Link: https://lore.kernel.org/r/20210525181821.7617-23-michael.christie@oracle.com
Reviewed-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/qedi')
-rw-r--r-- | drivers/scsi/qedi/qedi_fw.c | 76 | ||||
-rw-r--r-- | drivers/scsi/qedi/qedi_gbl.h | 3 | ||||
-rw-r--r-- | drivers/scsi/qedi/qedi_iscsi.c | 2 |
3 files changed, 25 insertions, 56 deletions
diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c index 61c1ebb3004c..6812dc023def 100644 --- a/drivers/scsi/qedi/qedi_fw.c +++ b/drivers/scsi/qedi/qedi_fw.c @@ -14,8 +14,8 @@ #include "qedi_fw_iscsi.h" #include "qedi_fw_scsi.h" -static int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, - struct iscsi_task *mtask); +static int send_iscsi_tmf(struct qedi_conn *qedi_conn, + struct iscsi_task *mtask); void qedi_iscsi_unmap_sg_list(struct qedi_cmd *cmd) { @@ -1348,7 +1348,7 @@ static int qedi_wait_for_cleanup_request(struct qedi_ctx *qedi, return 0; } -static void qedi_tmf_work(struct work_struct *work) +static void qedi_abort_work(struct work_struct *work) { struct qedi_cmd *qedi_cmd = container_of(work, struct qedi_cmd, tmf_work); @@ -1361,7 +1361,6 @@ static void qedi_tmf_work(struct work_struct *work) struct iscsi_task *ctask; struct iscsi_tm *tmf_hdr; s16 rval = 0; - s16 tid = 0; mtask = qedi_cmd->task; tmf_hdr = (struct iscsi_tm *)mtask->hdr; @@ -1406,6 +1405,7 @@ static void qedi_tmf_work(struct work_struct *work) } qedi_cmd->type = TYPEIO; + qedi_cmd->state = CLEANUP_WAIT; list_work->qedi_cmd = qedi_cmd; list_work->rtid = cmd->task_id; list_work->state = QEDI_WORK_SCHEDULED; @@ -1433,15 +1433,7 @@ static void qedi_tmf_work(struct work_struct *work) } send_tmf: - tid = qedi_get_task_idx(qedi); - if (tid == -1) { - QEDI_ERR(&qedi->dbg_ctx, "Invalid tid, cid=0x%x\n", - qedi_conn->iscsi_conn_id); - goto ldel_exit; - } - - qedi_cmd->task_id = tid; - qedi_send_iscsi_tmf(qedi_conn, qedi_cmd->task); + send_iscsi_tmf(qedi_conn, qedi_cmd->task); clear_cleanup: clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags); @@ -1467,8 +1459,7 @@ ldel_exit: clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags); } -static int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, - struct iscsi_task *mtask) +static int send_iscsi_tmf(struct qedi_conn *qedi_conn, struct iscsi_task *mtask) { struct iscsi_tmf_request_hdr tmf_pdu_header; struct iscsi_task_params task_params; @@ -1483,7 +1474,6 @@ static int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, u32 scsi_lun[2]; s16 tid = 0; u16 sq_idx = 0; - int rval = 0; tmf_hdr = (struct iscsi_tm *)mtask->hdr; qedi_cmd = (struct qedi_cmd *)mtask->dd_data; @@ -1547,10 +1537,7 @@ static int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, task_params.sqe = &ep->sq[sq_idx]; memset(task_params.sqe, 0, sizeof(struct iscsi_wqe)); - rval = init_initiator_tmf_request_task(&task_params, - &tmf_pdu_header); - if (rval) - return -1; + init_initiator_tmf_request_task(&task_params, &tmf_pdu_header); spin_lock(&qedi_conn->list_lock); list_add_tail(&qedi_cmd->io_cmd, &qedi_conn->active_cmd_list); @@ -1562,47 +1549,30 @@ static int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, return 0; } -int qedi_iscsi_abort_work(struct qedi_conn *qedi_conn, - struct iscsi_task *mtask) +int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, struct iscsi_task *mtask) { + struct iscsi_tm *tmf_hdr = (struct iscsi_tm *)mtask->hdr; + struct qedi_cmd *qedi_cmd = mtask->dd_data; struct qedi_ctx *qedi = qedi_conn->qedi; - struct iscsi_tm *tmf_hdr; - struct qedi_cmd *qedi_cmd = (struct qedi_cmd *)mtask->dd_data; - s16 tid = 0; + int rc = 0; - tmf_hdr = (struct iscsi_tm *)mtask->hdr; - qedi_cmd->task = mtask; - - /* If abort task then schedule the work and return */ - if ((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == - ISCSI_TM_FUNC_ABORT_TASK) { - qedi_cmd->state = CLEANUP_WAIT; - INIT_WORK(&qedi_cmd->tmf_work, qedi_tmf_work); + switch (tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) { + case ISCSI_TM_FUNC_ABORT_TASK: + INIT_WORK(&qedi_cmd->tmf_work, qedi_abort_work); queue_work(qedi->tmf_thread, &qedi_cmd->tmf_work); - - } else if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == - ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) || - ((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == - ISCSI_TM_FUNC_TARGET_WARM_RESET) || - ((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == - ISCSI_TM_FUNC_TARGET_COLD_RESET)) { - tid = qedi_get_task_idx(qedi); - if (tid == -1) { - QEDI_ERR(&qedi->dbg_ctx, "Invalid tid, cid=0x%x\n", - qedi_conn->iscsi_conn_id); - return -1; - } - qedi_cmd->task_id = tid; - - qedi_send_iscsi_tmf(qedi_conn, qedi_cmd->task); - - } else { + break; + case ISCSI_TM_FUNC_LOGICAL_UNIT_RESET: + case ISCSI_TM_FUNC_TARGET_WARM_RESET: + case ISCSI_TM_FUNC_TARGET_COLD_RESET: + rc = send_iscsi_tmf(qedi_conn, mtask); + break; + default: QEDI_ERR(&qedi->dbg_ctx, "Invalid tmf, cid=0x%x\n", qedi_conn->iscsi_conn_id); - return -1; + return -EINVAL; } - return 0; + return rc; } int qedi_send_iscsi_text(struct qedi_conn *qedi_conn, diff --git a/drivers/scsi/qedi/qedi_gbl.h b/drivers/scsi/qedi/qedi_gbl.h index 116645c08c71..fb44a282613e 100644 --- a/drivers/scsi/qedi/qedi_gbl.h +++ b/drivers/scsi/qedi/qedi_gbl.h @@ -31,8 +31,7 @@ int qedi_send_iscsi_login(struct qedi_conn *qedi_conn, struct iscsi_task *task); int qedi_send_iscsi_logout(struct qedi_conn *qedi_conn, struct iscsi_task *task); -int qedi_iscsi_abort_work(struct qedi_conn *qedi_conn, - struct iscsi_task *mtask); +int qedi_send_iscsi_tmf(struct qedi_conn *qedi_conn, struct iscsi_task *mtask); int qedi_send_iscsi_text(struct qedi_conn *qedi_conn, struct iscsi_task *task); int qedi_send_iscsi_nopout(struct qedi_conn *qedi_conn, diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c index 5304a028db0a..0ece2c3b105b 100644 --- a/drivers/scsi/qedi/qedi_iscsi.c +++ b/drivers/scsi/qedi/qedi_iscsi.c @@ -753,7 +753,7 @@ static int qedi_iscsi_send_generic_request(struct iscsi_task *task) rc = qedi_send_iscsi_logout(qedi_conn, task); break; case ISCSI_OP_SCSI_TMFUNC: - rc = qedi_iscsi_abort_work(qedi_conn, task); + rc = qedi_send_iscsi_tmf(qedi_conn, task); break; case ISCSI_OP_TEXT: rc = qedi_send_iscsi_text(qedi_conn, task); |