scsi: qla2xxx: Get mutex lock before checking optrom_state

mpg-rh · martinkpetersen · commit c7702b8c2271 · 2017-01-09T23:15:02.000-05:00
There is a race condition with qla2xxx optrom functions where one thread
might modify optrom buffer, optrom_state while other thread is still
reading from it.

In couple of crashes, it was found that we had successfully passed the
following 'if' check where we confirm optrom_state to be
QLA_SREADING. But by the time we acquired mutex lock to proceed with
memory_read_from_buffer function, some other thread/process had already
modified that option rom buffer and optrom_state from QLA_SREADING to
QLA_SWAITING. Then we got ha-&gt;optrom_buffer 0x0 and crashed the system:

        if (ha-&gt;optrom_state != QLA_SREADING)
                return 0;

        mutex_lock(&amp;ha-&gt;optrom_mutex);
        rval = memory_read_from_buffer(buf, count, &amp;off, ha-&gt;optrom_buffer,
            ha-&gt;optrom_region_size);
        mutex_unlock(&amp;ha-&gt;optrom_mutex);

With current optrom function we get following crash due to a race
condition:

[ 1479.466679] BUG: unable to handle kernel NULL pointer dereference at           (null)
[ 1479.466707] IP: [&lt;ffffffff81326756&gt;] memcpy+0x6/0x110
[...]
[ 1479.473673] Call Trace:
[ 1479.474296]  [&lt;ffffffff81225cbc&gt;] ? memory_read_from_buffer+0x3c/0x60
[ 1479.474941]  [&lt;ffffffffa01574dc&gt;] qla2x00_sysfs_read_optrom+0x9c/0xc0 [qla2xxx]
[ 1479.475571]  [&lt;ffffffff8127e76b&gt;] read+0xdb/0x1f0
[ 1479.476206]  [&lt;ffffffff811fdf9e&gt;] vfs_read+0x9e/0x170
[ 1479.476839]  [&lt;ffffffff811feb6f&gt;] SyS_read+0x7f/0xe0
[ 1479.477466]  [&lt;ffffffff816964c9&gt;] system_call_fastpath+0x16/0x1b

Below patch modifies qla2x00_sysfs_read_optrom,
qla2x00_sysfs_write_optrom functions to get the mutex_lock before
checking ha-&gt;optrom_state to avoid similar crashes.

The patch was applied and tested and same crashes were no longer
observed again.

Tested-by: Milan P. Gandhi &lt;mgandhi@redhat.com&gt;
Signed-off-by: Milan P. Gandhi &lt;mgandhi@redhat.com&gt;
Reviewed-by: Laurence Oberman &lt;loberman@redhat.com&gt;
Acked-by: Himanshu Madhani &lt;himanshu.madhani@cavium.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
@@ -243,12 +243,15 @@ qla2x00_sysfs_read_optrom(struct file *filp, struct kobject *kobj,
 	struct qla_hw_data *ha = vha->hw;
 	ssize_t rval = 0;
 
+	mutex_lock(&ha->optrom_mutex);
+
 	if (ha->optrom_state != QLA_SREADING)
-		return 0;
+		goto out;
 
-	mutex_lock(&ha->optrom_mutex);
 	rval = memory_read_from_buffer(buf, count, &off, ha->optrom_buffer,
 	    ha->optrom_region_size);
+
+out:
 	mutex_unlock(&ha->optrom_mutex);
 
 	return rval;
@@ -263,14 +266,19 @@ qla2x00_sysfs_write_optrom(struct file *filp, struct kobject *kobj,
 	    struct device, kobj)));
 	struct qla_hw_data *ha = vha->hw;
 
-	if (ha->optrom_state != QLA_SWRITING)
+	mutex_lock(&ha->optrom_mutex);
+
+	if (ha->optrom_state != QLA_SWRITING) {
+		mutex_unlock(&ha->optrom_mutex);
 		return -EINVAL;
-	if (off > ha->optrom_region_size)
+	}
+	if (off > ha->optrom_region_size) {
+		mutex_unlock(&ha->optrom_mutex);
 		return -ERANGE;
+	}
 	if (off + count > ha->optrom_region_size)
 		count = ha->optrom_region_size - off;
 
-	mutex_lock(&ha->optrom_mutex);
 	memcpy(&ha->optrom_buffer[off], buf, count);
 	mutex_unlock(&ha->optrom_mutex);
 
