| author | Tony Battersby <tonyb@cybernetics.com> | 2025-11-10 11:05:53 -0500 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2025-11-12 18:17:28 -0500 |
| commit | 4f5eb50f7c8206b0b08dba8e01cf83812ddaaeb2 (patch) | |
| tree | 81e01333e19fc3624f102d8cab5633d76f3b7598 /drivers/scsi/scsi_devinfo.c | |
| parent | c7bd85a7b9c5abcf2b69b32ac8c67f0d683b5113 (diff) | |
scsi: qla2xxx: target: Improve safety of cmd lookup by handle

The driver associates two different structs with numeric handles and
passes the handles to the hardware. When the hardware passes the handle
back to the driver, the driver consults a table of void * to convert the
handle back to the struct without checking the type of struct. This can
lead to type confusion if the HBA firmware misbehaves (and some firmware
versions do). So verify the type of struct is what is expected before
using it.

But we can also do better than that. Also verify that the exchange
address of the message sent from the hardware matches the exchange
address of the command being returned. This adds an extra guard against
buggy HBA firmware that returns duplicate messages multiple times (which
has also been seen) in case the driver has reused the handle for a
different command of the same type.

These problems were seen on a QLE2694L with firmware 9.08.02 when
testing SLER / SRR support. The SRR caused the HBA to flood the
response queue with hundreds of bogus entries.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/7c7cb574-fe62-42ae-b800-d136d8dd89ca@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/scsi_devinfo.c')
0 files changed, 0 insertions, 0 deletions
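
The two checks the commit message describes (struct type, then exchange address) can be sketched in user-space C as follows. This is an added illustration, not code from the qla2xxx driver or from this commit: every struct, function and constant name is hypothetical, and the exchange addresses are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_HANDLES 8
enum obj_type { OBJ_CMD = 1, OBJ_MGMT };

/* Hypothetical common header, first member of every struct in the table. */
struct obj_hdr { enum obj_type type; uint32_t exchange_addr; };
struct cmd  { struct obj_hdr hdr; int tag; };
struct mgmt { struct obj_hdr hdr; int op; };
static void *handle_table[MAX_HANDLES];   /* untyped, as the commit describes */

/* Store obj in the first free slot; handle = index + 1, 0 means table full. */
static uint32_t handle_alloc(void *obj)
{
	for (uint32_t i = 0; i < MAX_HANDLES; i++)
		if (!handle_table[i]) { handle_table[i] = obj; return i + 1; }
	return 0;
}

/* Handle and exchange address both come from the untrusted hardware response. */
static struct cmd *cmd_from_handle(uint32_t h, uint32_t exchange_addr)
{
	struct obj_hdr *hdr;
	if (h < 1 || h > MAX_HANDLES)
		return NULL;            /* out-of-range handle */
	hdr = handle_table[h - 1];
	if (!hdr || hdr->type != OBJ_CMD)
		return NULL;            /* empty slot or wrong struct type */
	if (hdr->exchange_addr != exchange_addr)
		return NULL;            /* handle reused: stale or duplicate message */
	return (struct cmd *)hdr;
}

/* Constructed scenario, run once on an empty table; one bit per passed check. */
int replay_scenario(void)
{
	static struct cmd a = { { OBJ_CMD, 0x1111 }, 1 }, b = { { OBJ_CMD, 0x2222 }, 2 };
	static struct mgmt m = { { OBJ_MGMT, 0x3333 }, 7 };
	uint32_t ha = handle_alloc(&a), hm = handle_alloc(&m);
	int ok = 0;
	ok |= (cmd_from_handle(ha, 0x1111) == &a) << 0;   /* normal completion */
	ok |= (cmd_from_handle(hm, 0x3333) == NULL) << 1; /* type confusion refused */
	handle_table[ha - 1] = NULL;                      /* a completes, slot freed */
	ok |= (handle_alloc(&b) == ha) << 2;              /* handle reused for b */
	ok |= (cmd_from_handle(ha, 0x1111) == NULL) << 3; /* duplicate for a refused */
	ok |= (cmd_from_handle(ha, 0x2222) == &b) << 4;   /* b still resolves */
	ok |= (cmd_from_handle(99, 0x2222) == NULL) << 5; /* bogus handle refused */
	return ok;
}
```

With only the type check, the duplicate message for `a` would resolve to `b` once the handle is reused; the exchange-address comparison is what rejects it.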
