git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Tony Battersby <tonyb@cybernetics.com>
	Mon, 10 Nov 2025 16:05:53 +0000 (11:05 -0500)
committer	Martin K. Petersen <martin.petersen@oracle.com>
	Wed, 12 Nov 2025 23:17:28 +0000 (18:17 -0500)
commit	4f5eb50f7c8206b0b08dba8e01cf83812ddaaeb2
tree	81e01333e19fc3624f102d8cab5633d76f3b7598	tree \| snapshot
parent	c7bd85a7b9c5abcf2b69b32ac8c67f0d683b5113	commit \| diff

scsi: qla2xxx: target: Improve safety of cmd lookup by handle

The driver associates two different structs with numeric handles and
passes the handles to the hardware.  When the hardware passes the handle
back to the driver, the driver consults a table of void * to convert the
handle back to the struct without checking the type of struct.  This can
lead to type confusion if the HBA firmware misbehaves (and some firmware
versions do).  So verify the type of struct is what is expected before
using it.

But we can also do better than that.  Also verify that the exchange
address of the message sent from the hardware matches the exchange
address of the command being returned.  This adds an extra guard against
buggy HBA firmware that returns duplicate messages multiple times (which
has also been seen) in case the driver has reused the handle for a
different command of the same type.

These problems were seen on a QLE2694L with firmware 9.08.02 when
testing SLER / SRR support.  The SRR caused the HBA to flood the
response queue with hundreds of bogus entries.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/7c7cb574-fe62-42ae-b800-d136d8dd89ca@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

drivers/scsi/qla2xxx/qla_dbg.c		diff \| blob \| blame \| history
drivers/scsi/qla2xxx/qla_target.c		diff \| blob \| blame \| history