scsi: qla2xxx: Fix NULL pointer dereference in target mode

lnocturno · martinkpetersen · commit d54820b22e40 · 2023-05-22T18:00:16.000-04:00
When target mode is enabled, the pci_irq_get_affinity() function may return a NULL value in qla_mapq_init_qp_cpu_map() due to the qla24xx_enable_msix() code that handles IRQ settings for target mode. This leads to a crash due to a NULL pointer dereference. This patch fixes the issue by adding a check for the NULL value returned by pci_irq_get_affinity() and introducing a 'cpu_mapped' boolean flag to the qla_qpair structure, ensuring that the qpair's CPU affinity is updated when it has not been mapped to a CPU. Fixes: 1d201c8 ("scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called") Signed-off-by: Gleb Chesnokov <gleb.chesnokov@scst.dev> Link: https://lore.kernel.org/r/56b416f2-4e0f-b6cf-d6d5-b7c372e3c6a2@scst.dev Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
@@ -3796,6 +3796,7 @@ struct qla_qpair {
 	uint64_t retry_term_jiff;
 	struct qla_tgt_counters tgt_counters;
 	uint16_t cpuid;
+	bool cpu_mapped;
 	struct qla_fw_resources fwres ____cacheline_aligned;
 	struct  qla_buf_pool buf_pool;
 	u32	cmd_cnt;
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
@@ -9426,6 +9426,9 @@ struct qla_qpair *qla2xxx_create_qpair(struct scsi_qla_host *vha, int qos,
 		qpair->rsp->req = qpair->req;
 		qpair->rsp->qpair = qpair;
 
+		if (!qpair->cpu_mapped)
+			qla_cpu_update(qpair, raw_smp_processor_id());
+
 		if (IS_T10_PI_CAPABLE(ha) && ql2xenabledif) {
 			if (ha->fw_attributes & BIT_4)
 				qpair->difdix_supported = 1;
diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
@@ -539,11 +539,14 @@ qla_mapq_init_qp_cpu_map(struct qla_hw_data *ha,
 	if (!ha->qp_cpu_map)
 		return;
 	mask = pci_irq_get_affinity(ha->pdev, msix->vector_base0);
+	if (!mask)
+		return;
 	qpair->cpuid = cpumask_first(mask);
 	for_each_cpu(cpu, mask) {
 		ha->qp_cpu_map[cpu] = qpair;
 	}
 	msix->cpuid = qpair->cpuid;
+	qpair->cpu_mapped = true;
 }
 
 static inline void
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
@@ -3770,6 +3770,9 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
 
 	if (rsp->qpair->cpuid != smp_processor_id() || !rsp->qpair->rcv_intr) {
 		rsp->qpair->rcv_intr = 1;
+
+		if (!rsp->qpair->cpu_mapped)
+			qla_cpu_update(rsp->qpair, raw_smp_processor_id());
 	}
 
 #define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in)			\

Original file line number	Diff line number	Diff line change
`@@ -539,11 +539,14 @@ qla_mapq_init_qp_cpu_map(struct qla_hw_data *ha,`
`539`	`539`	`if (!ha->qp_cpu_map)`
`540`	`540`	`return;`
`541`	`541`	`mask = pci_irq_get_affinity(ha->pdev, msix->vector_base0);`
	`542`	`+ if (!mask)`
	`543`	`+ return;`
`542`	`544`	`qpair->cpuid = cpumask_first(mask);`
`543`	`545`	`for_each_cpu(cpu, mask) {`
`544`	`546`	`ha->qp_cpu_map[cpu] = qpair;`
`545`	`547`	`}`
`546`	`548`	`msix->cpuid = qpair->cpuid;`
	`549`	`+ qpair->cpu_mapped = true;`
`547`	`550`	`}`
`548`	`551`
`549`	`552`	`static inline void`
Original file line number	Diff line number	Diff line change
`@@ -3770,6 +3770,9 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,`
`3770`	`3770`
`3771`	`3771`	`if (rsp->qpair->cpuid != smp_processor_id() \|\| !rsp->qpair->rcv_intr) {`
`3772`	`3772`	`rsp->qpair->rcv_intr = 1;`
	`3773`	`+`
	`3774`	`+ if (!rsp->qpair->cpu_mapped)`
	`3775`	`+ qla_cpu_update(rsp->qpair, raw_smp_processor_id());`
`3773`	`3776`	`}`
`3774`	`3777`
`3775`	`3778`	`#define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in) \`