[PATCH AUTOSEL 5.8 081/101] scsi: qedi: Fix list_del corruption while removing active I/O

Sun, 18 Oct 2020 12:48:26 -0700 

From: Nilesh Javali <njav...@marvell.com>

[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ]

While aborting the I/O, the firmware cleanup task timed out and driver
deleted the I/O from active command list. Some time later the firmware
sent the cleanup task response and driver again deleted the I/O from
active command list causing firmware to send completion for non-existent
I/O and list_del corruption of active command list.

Add fix to check if I/O is present before deleting it from the active
command list to ensure firmware sends valid I/O completion and protect
against list_del corruption.

Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangan...@marvell.com
Signed-off-by: Nilesh Javali <njav...@marvell.com>
Signed-off-by: Manish Rangankar <mrangan...@marvell.com>
Signed-off-by: Martin K. Petersen <martin.peter...@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
index 32586800620bd..90aa64604ad78 100644
--- a/drivers/scsi/qedi/qedi_fw.c
+++ b/drivers/scsi/qedi/qedi_fw.c
@@ -825,8 +825,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx 
*qedi,
                        qedi_clear_task_idx(qedi_conn->qedi, rtid);
 
                        spin_lock(&qedi_conn->list_lock);
-                       list_del_init(&dbg_cmd->io_cmd);
-                       qedi_conn->active_cmd_count--;
+                       if (likely(dbg_cmd->io_cmd_in_list)) {
+                               dbg_cmd->io_cmd_in_list = false;
+                               list_del_init(&dbg_cmd->io_cmd);
+                               qedi_conn->active_cmd_count--;
+                       }
                        spin_unlock(&qedi_conn->list_lock);
                        qedi_cmd->state = CLEANUP_RECV;
                        wake_up_interruptible(&qedi_conn->wait_queue);
@@ -1244,6 +1247,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct 
qedi_conn *qedi_conn,
                qedi_conn->cmd_cleanup_req++;
                qedi_iscsi_cleanup_task(ctask, true);
 
+               cmd->io_cmd_in_list = false;
                list_del_init(&cmd->io_cmd);
                qedi_conn->active_cmd_count--;
                QEDI_WARN(&qedi->dbg_ctx,
@@ -1455,8 +1459,11 @@ static void qedi_tmf_work(struct work_struct *work)
        spin_unlock_bh(&qedi_conn->tmf_work_lock);
 
        spin_lock(&qedi_conn->list_lock);
-       list_del_init(&cmd->io_cmd);
-       qedi_conn->active_cmd_count--;
+       if (likely(cmd->io_cmd_in_list)) {
+               cmd->io_cmd_in_list = false;
+               list_del_init(&cmd->io_cmd);
+               qedi_conn->active_cmd_count--;
+       }
        spin_unlock(&qedi_conn->list_lock);
 
        clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags);
-- 
2.25.1

Reply via email to