From: sashiko-bot@kernel.org
To: "Nilesh Javali" <njavali@marvell.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v2 05/60] scsi: qla2xxx: Add 29xx support in queue initialisation path
Date: Fri, 12 Jun 2026 10:17:56 +0000 [thread overview]
Message-ID: <20260612101756.EEAF51F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612095333.1666592-6-njavali@marvell.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free (UAF) in queue pair teardown due to missing work item cancellation.
--
commit a6fdb9faf346a1dfcb7285602fa98749fbabf7ba
Author: Manish Rangankar <mrangankar@marvell.com>
scsi: qla2xxx: Add 29xx support in queue initialisation path
This commit extends the queue initialization and management to include 29xx
adapters. It introduces support for 128-byte request and response entries by
adding new extended structures and adjusting pointer arithmetic and allocations.
> diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
> --- a/drivers/scsi/qla2xxx/qla_mid.c
> +++ b/drivers/scsi/qla2xxx/qla_mid.c
[ ... ]
> @@ -594,6 +598,10 @@ qla25xx_free_rsp_que(struct scsi_qla_host *vha, struct rsp_que *rsp)
> {
> struct qla_hw_data *ha = vha->hw;
> uint16_t que_id = rsp->id;
> + uint16_t rspsz;
> +
> + rspsz = IS_QLA29XX(ha) ? sizeof(struct response_ext) :
> + sizeof(response_t);
>
> if (rsp->msix && rsp->msix->have_irq) {
> free_irq(rsp->msix->vector, rsp->msix->handle);
> @@ -601,8 +609,9 @@ qla25xx_free_rsp_que(struct scsi_qla_host *vha, struct rsp_que *rsp)
> rsp->msix->in_use = 0;
> rsp->msix->handle = NULL;
> }
[Severity: High]
This is a pre-existing issue, but can this lead to a use-after-free when
tearing down the queue pair?
The q_work item is initialized in qla25xx_create_rsp_que() to process
responses. During teardown, qla2xxx_delete_qpair() calls
qla25xx_free_rsp_que(), which unregisters the interrupt using free_irq()
as seen here.
While free_irq() waits for running hardirq handlers, it does not flush or
cancel work items already placed on the workqueue.
After qla25xx_free_rsp_que() returns, qla2xxx_delete_qpair() immediately
frees the qpair structure:
qla2xxx_delete_qpair() {
...
mempool_destroy(qpair->srb_mempool);
kfree(qpair);
mutex_unlock(&ha->mq_lock);
}
If qpair->q_work was pending, it will later execute qla_do_work(),
dereferencing the freed qpair pointer to access vha and lock
qpair->qp_lock:
qla_do_work() {
struct qla_qpair *qpair = container_of(work, struct qla_qpair, q_work);
struct scsi_qla_host *vha = qpair->vha;
spin_lock_irqsave(&qpair->qp_lock, flags);
...
}
This seems especially problematic in full adapter teardown, where
destroy_workqueue(ha->wq) forces pending work to run right after the queue
pairs are freed. Should a cancel_work_sync(&qpair->q_work) be added?
> +
> dma_free_coherent(&ha->pdev->dev, (rsp->length + 1) *
> - sizeof(response_t), rsp->ring, rsp->dma);
> + rspsz, rsp->ring, rsp->dma);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612095333.1666592-1-njavali@marvell.com?part=5
next prev parent reply other threads:[~2026-06-12 10:17 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 9:52 [PATCH v2 00/60] scsi: qla2xxx: Add QLA29xx series adapter support Nilesh Javali
2026-06-12 9:52 ` [PATCH v2 01/60] scsi: qla2xxx: Add 29xx series PCI device ID support Nilesh Javali
2026-06-12 10:30 ` sashiko-bot
2026-06-12 10:40 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 02/60] scsi: qla2xxx: Add flash read/write interface for 29xx Nilesh Javali
2026-06-12 10:16 ` sashiko-bot
2026-06-12 10:43 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 03/60] scsi: qla2xxx: Add NVRAM config support for 29xx adapters Nilesh Javali
2026-06-12 10:46 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 04/60] scsi: qla2xxx: Add get_flash_version " Nilesh Javali
2026-06-12 10:18 ` sashiko-bot
2026-06-12 10:48 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 05/60] scsi: qla2xxx: Add 29xx support in queue initialisation path Nilesh Javali
2026-06-12 10:17 ` sashiko-bot [this message]
2026-06-12 10:49 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 06/60] scsi: qla2xxx: Add FC operational firmware load for 29xx Nilesh Javali
2026-06-12 10:14 ` sashiko-bot
2026-06-12 10:52 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 07/60] scsi: qla2xxx: Add flash block read/write BSG support " Nilesh Javali
2026-06-12 10:11 ` sashiko-bot
2026-06-12 10:55 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 08/60] scsi: qla2xxx: Add BSG MPI firmware load/dump " Nilesh Javali
2026-06-12 10:14 ` sashiko-bot
2026-06-12 10:57 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 09/60] scsi: qla2xxx: Add 128-byte IOCB definitions " Nilesh Javali
2026-06-12 11:01 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 10/60] scsi: qla2xxx: Add extended status continuation and marker IOCBs Nilesh Javali
2026-06-12 11:02 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 11/60] scsi: qla2xxx: Remove duplicate flash memo block definitions Nilesh Javali
2026-06-12 11:03 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 12/60] scsi: qla2xxx: Update IO path to use 128-byte IOCBs for 29xx Nilesh Javali
2026-06-12 10:29 ` sashiko-bot
2026-06-12 11:12 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 13/60] scsi: qla2xxx: Replace IS_QLA29XX() size checks with entry-size helpers Nilesh Javali
2026-06-12 11:14 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 14/60] scsi: qla2xxx: Skip image-set-valid attribute for 29xx Nilesh Javali
2026-06-12 11:14 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 15/60] scsi: qla2xxx: Skip unsupported sysfs attributes " Nilesh Javali
2026-06-12 10:28 ` sashiko-bot
2026-06-12 11:15 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 16/60] scsi: qla2xxx: Enable get_fw_version mailbox " Nilesh Javali
2026-06-12 10:31 ` sashiko-bot
2026-06-12 11:16 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 17/60] scsi: qla2xxx: Extend execute_fw mailbox to include 29xx Nilesh Javali
2026-06-12 10:25 ` sashiko-bot
2026-06-12 11:17 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 18/60] scsi: qla2xxx: Enable get_adapter_id mailbox for 29xx Nilesh Javali
2026-06-12 11:18 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 19/60] scsi: qla2xxx: Enable init_firmware " Nilesh Javali
2026-06-12 11:18 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 20/60] scsi: qla2xxx: Enable get_firmware_state " Nilesh Javali
2026-06-12 11:19 ` Hannes Reinecke
2026-06-12 11:22 ` sashiko-bot
2026-06-12 9:52 ` [PATCH v2 21/60] scsi: qla2xxx: Enable serdes, resource count and FCE trace " Nilesh Javali
2026-06-12 10:38 ` sashiko-bot
2026-06-12 11:19 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 22/60] scsi: qla2xxx: Enable set_els_cmds and echo_test " Nilesh Javali
2026-06-12 11:20 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 23/60] scsi: qla2xxx: Add support for QLA29XX in data rate functions Nilesh Javali
2026-06-12 11:20 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 24/60] scsi: qla2xxx: Enable qla2x00_shutdown for 29xx Nilesh Javali
2026-06-12 11:21 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 25/60] scsi: qla2xxx: Use ring-slot helpers in __qla2x00_alloc_iocbs Nilesh Javali
2026-06-12 10:41 ` sashiko-bot
2026-06-12 11:21 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 26/60] scsi: qla2xxx: Add support for QLA29XX in memory allocation Nilesh Javali
2026-06-12 10:40 ` sashiko-bot
2026-06-12 11:22 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 27/60] scsi: qla2xxx: Refactor marker IOCB handling for 29xx series Nilesh Javali
2026-06-12 11:36 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 28/60] scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters Nilesh Javali
2026-06-12 10:54 ` sashiko-bot
2026-06-12 11:47 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 29/60] scsi: qla2xxx: Update handling of status entries for 29xx series Nilesh Javali
2026-06-12 10:44 ` sashiko-bot
2026-06-12 12:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 30/60] scsi: qla2xxx: Enhance ct_entry_24xx_ext iocb handling " Nilesh Javali
2026-06-12 12:14 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 31/60] scsi: qla2xxx: Enhance purex_entry " Nilesh Javali
2026-06-12 10:54 ` sashiko-bot
2026-06-12 12:16 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 32/60] scsi: qla2xxx: Update handling of ELS IOCBs " Nilesh Javali
2026-06-12 12:33 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 33/60] scsi: qla2xxx: Add size check for ELS status entry layout on 29xx Nilesh Javali
2026-06-12 12:34 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 34/60] scsi: qla2xxx: Add 29xx extended logio IOCB support Nilesh Javali
2026-06-12 12:36 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 35/60] scsi: qla2xxx: Enhance task management IOCB handling for 29xx series Nilesh Javali
2026-06-12 11:13 ` sashiko-bot
2026-06-12 12:37 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 36/60] scsi: qla2xxx: Add abort command " Nilesh Javali
2026-06-12 11:15 ` sashiko-bot
2026-06-12 12:38 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 37/60] scsi: qla2xxx: Enhance ABTS processing " Nilesh Javali
2026-06-12 12:41 ` Hannes Reinecke
2026-06-12 15:12 ` sashiko-bot
2026-06-12 9:53 ` [PATCH v2 38/60] scsi: qla2xxx: Update VP control IOCB handling " Nilesh Javali
2026-06-12 12:45 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 39/60] scsi: qla2xxx: Add build-time size check for VP config IOCB layout Nilesh Javali
2026-06-12 12:45 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 40/60] scsi: qla2xxx: Add size check for extended VP report ID entry Nilesh Javali
2026-06-12 11:05 ` sashiko-bot
2026-06-12 12:46 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 41/60] scsi: qla2xxx: Unify NVMe IOCB build path for 29xx and legacy adapters Nilesh Javali
2026-06-12 11:02 ` sashiko-bot
2026-06-12 12:49 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 42/60] scsi: qla2xxx: Add LS4 pass-through IOCB handling for 29xx series Nilesh Javali
2026-06-12 12:50 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 43/60] scsi: qla2xxx: Convert NVMe ring advance to use qla_req_ring_advance() Nilesh Javali
2026-06-12 12:52 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 44/60] scsi: qla2xxx: Adjust feature gating in BSG paths for 29xx support Nilesh Javali
2026-06-12 11:16 ` sashiko-bot
2026-06-12 12:53 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 45/60] scsi: qla2xxx: Fix queue teardown NULL dma_free and bitmap locking Nilesh Javali
2026-06-12 12:56 ` Hannes Reinecke
2026-06-12 13:23 ` sashiko-bot
2026-06-12 9:53 ` [PATCH v2 46/60] scsi: qla2xxx: Replace __le16 bitfields with scalar and accessors Nilesh Javali
2026-06-12 12:57 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 47/60] scsi: qla2xxx: Fix endianness annotations in vp_rpt_id_entry structures Nilesh Javali
2026-06-12 12:59 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 48/60] scsi: qla2xxx: Use 64-bit FPM word counters for 29xx host stats Nilesh Javali
2026-06-12 13:00 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 49/60] scsi: qla2xxx: Add 64G/128G port speed setting support Nilesh Javali
2026-06-12 13:02 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 50/60] scsi: qla2xxx: Fix 64G link speed reporting in get_data_rate Nilesh Javali
2026-06-12 13:03 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 51/60] scsi: qla2xxx: edif: Fix NULL pointer deref in RX SA delete check Nilesh Javali
2026-06-12 11:43 ` sashiko-bot
2026-06-12 13:04 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 52/60] scsi: qla2xxx: Fix Name Server logout detection on FWI2 adapters Nilesh Javali
2026-06-12 13:08 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 53/60] scsi: qla2xxx: Bound VP index against VP_CTRL IOCB bitmap size Nilesh Javali
2026-06-12 11:35 ` sashiko-bot
2026-06-12 13:09 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 54/60] scsi: qla2xxx: Check entry_status in qla24xx_modify_vp_config() Nilesh Javali
2026-06-12 13:10 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 55/60] scsi: qla2xxx: Hold vport reference in qla24xx_report_id_acquisition() Nilesh Javali
2026-06-12 11:38 ` sashiko-bot
2026-06-12 13:10 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 56/60] scsi: qla2xxx: Initialize NVMe abort_work once at submission Nilesh Javali
2026-06-12 11:34 ` sashiko-bot
2026-06-12 13:11 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 57/60] scsi: qla2xxx: Hold qpair lock when sending NVMe LS reject Nilesh Javali
2026-06-12 11:39 ` sashiko-bot
2026-06-12 13:11 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 58/60] scsi: qla2xxx: Zero dport diagnostics buffer to avoid info leak Nilesh Javali
2026-06-12 11:40 ` sashiko-bot
2026-06-12 13:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 59/60] scsi: qla2xxx: Fix BSG job leak on validate flash image error path Nilesh Javali
2026-06-12 11:38 ` sashiko-bot
2026-06-12 13:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 60/60] scsi: qla2xxx: Bound image count in qla2x00_update_fru_versions() Nilesh Javali
2026-06-12 11:45 ` sashiko-bot
2026-06-12 13:13 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612101756.EEAF51F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=njavali@marvell.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox