--- /dev/null
+From 3e8ffccc636737105c4be40fff979749de2d63e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2019 23:02:01 +0200
+Subject: scsi: zfcp: fix request object use-after-free in send path causing
+ wrong traces
+
+From: Benjamin Block <bblock@linux.ibm.com>
+
+[ Upstream commit 106d45f350c7cac876844dc685845cba4ffdb70b ]
+
+When tracing instances where we open and close WKA ports, we also pass the
+request-ID of the respective FSF command.
+
+But after successfully sending the FSF command we must not use the
+request-object anymore, as this might result in an use-after-free (see
+"zfcp: fix request object use-after-free in send path causing seqno
+errors" ).
+
+To fix this add a new variable that caches the request-ID before sending
+the request. This won't change during the hand-off to the FCP channel,
+and so it's safe to trace this cached request-ID later, instead of using
+the request object.
+
+Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
+Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Steffen Maier <maier@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/scsi/zfcp_fsf.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
+index a3aaef4c53a3..0d2bcb33697f 100644
+--- a/drivers/s390/scsi/zfcp_fsf.c
++++ b/drivers/s390/scsi/zfcp_fsf.c
+@@ -1594,6 +1594,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+ struct zfcp_fsf_req *req;
++ unsigned long req_id = 0;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1616,6 +1617,8 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ hton24(req->qtcb->bottom.support.d_id, wka_port->d_id);
+ req->data = wka_port;
+
++ req_id = req->req_id;
++
+ zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ retval = zfcp_fsf_req_send(req);
+ if (retval)
+@@ -1623,7 +1626,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+ if (!retval)
+- zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
++ zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req_id);
+ return retval;
+ }
+
+@@ -1649,6 +1652,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ {
+ struct zfcp_qdio *qdio = wka_port->adapter->qdio;
+ struct zfcp_fsf_req *req;
++ unsigned long req_id = 0;
+ int retval = -EIO;
+
+ spin_lock_irq(&qdio->req_q_lock);
+@@ -1671,6 +1675,8 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ req->data = wka_port;
+ req->qtcb->header.port_handle = wka_port->handle;
+
++ req_id = req->req_id;
++
+ zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
+ retval = zfcp_fsf_req_send(req);
+ if (retval)
+@@ -1678,7 +1684,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
+ out:
+ spin_unlock_irq(&qdio->req_q_lock);
+ if (!retval)
+- zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
++ zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req_id);
+ return retval;
+ }
+
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
