Commit fa085d77 authored by Quinn Tran's avatar Quinn Tran Committed by Greg Kroah-Hartman

scsi: qla2xxx: Fix memory leak for allocating abort IOCB

commit 5e53be8e upstream.

In the case of IOCB QFull, Initiator code can leave behind a stale pointer
to an SRB structure on the outstanding command array.

Fixes: 82de802a ("scsi: qla2xxx: Preparation for Target MQ.")
Cc: stable@vger.kernel.org #v4.16+
Signed-off-by: default avatarQuinn Tran <quinn.tran@cavium.com>
Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 71b7ca57
...@@ -2128,34 +2128,11 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp) ...@@ -2128,34 +2128,11 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
req_cnt = 1; req_cnt = 1;
handle = 0; handle = 0;
if (!sp) if (sp && (sp->type != SRB_SCSI_CMD)) {
goto skip_cmd_array; /* Adjust entry-counts as needed. */
/* Check for room in outstanding command list. */
handle = req->current_outstanding_cmd;
for (index = 1; index < req->num_outstanding_cmds; index++) {
handle++;
if (handle == req->num_outstanding_cmds)
handle = 1;
if (!req->outstanding_cmds[handle])
break;
}
if (index == req->num_outstanding_cmds) {
ql_log(ql_log_warn, vha, 0x700b,
"No room on outstanding cmd array.\n");
goto queuing_error;
}
/* Prep command array. */
req->current_outstanding_cmd = handle;
req->outstanding_cmds[handle] = sp;
sp->handle = handle;
/* Adjust entry-counts as needed. */
if (sp->type != SRB_SCSI_CMD)
req_cnt = sp->iocbs; req_cnt = sp->iocbs;
}
skip_cmd_array:
/* Check for room on request queue. */ /* Check for room on request queue. */
if (req->cnt < req_cnt + 2) { if (req->cnt < req_cnt + 2) {
if (ha->mqenable || IS_QLA83XX(ha) || IS_QLA27XX(ha)) if (ha->mqenable || IS_QLA83XX(ha) || IS_QLA27XX(ha))
...@@ -2179,6 +2156,28 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp) ...@@ -2179,6 +2156,28 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
if (req->cnt < req_cnt + 2) if (req->cnt < req_cnt + 2)
goto queuing_error; goto queuing_error;
if (sp) {
/* Check for room in outstanding command list. */
handle = req->current_outstanding_cmd;
for (index = 1; index < req->num_outstanding_cmds; index++) {
handle++;
if (handle == req->num_outstanding_cmds)
handle = 1;
if (!req->outstanding_cmds[handle])
break;
}
if (index == req->num_outstanding_cmds) {
ql_log(ql_log_warn, vha, 0x700b,
"No room on outstanding cmd array.\n");
goto queuing_error;
}
/* Prep command array. */
req->current_outstanding_cmd = handle;
req->outstanding_cmds[handle] = sp;
sp->handle = handle;
}
/* Prep packet */ /* Prep packet */
req->cnt -= req_cnt; req->cnt -= req_cnt;
pkt = req->ring_ptr; pkt = req->ring_ptr;
...@@ -2191,6 +2190,8 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp) ...@@ -2191,6 +2190,8 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
pkt->handle = handle; pkt->handle = handle;
} }
return pkt;
queuing_error: queuing_error:
qpair->tgt_counters.num_alloc_iocb_failed++; qpair->tgt_counters.num_alloc_iocb_failed++;
return pkt; return pkt;
......
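Review bot: The relocated `if (sp) { ... }` block in the second hunk has no comment explaining why the outstanding-command slot is now reserved only after the request-queue room check, and that ordering is the entire fix: once `req->outstanding_cmds[handle] = sp` is written, any later `goto queuing_error` would leave the array pointing at an SRB that the caller presumably releases on failure. I would add above the block `/* Claim the outstanding_cmds[] slot last: no failure path may follow, or a stale sp stays in the array. */`. The lines between this block and the new `return pkt;` are only partly visible, so it is worth confirming that none of them can branch to `queuing_error`. Separately, the `queuing_error:` path still ends in `return pkt;`, which seems to rely on `pkt` being NULL-initialised outside the hunk; `return NULL;` would state the failure contract explicitly. `__qla2x00_alloc_iocbs` begins and ends outside these hunks.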