qla2xxx: fix stale memory access.

Orabug: 27235104

Name pointer describing each command is assigned with stack frame's memory.
The stack frame could eventually be re-use, where name pointer
access can get get garbage.  To fix the problem, use designated
static memory for name pointer.

Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Sawan Chandak <sawan.chandak@cavium.com>
Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index 117c71ad1c35e65f36190618e306a64403b6a1fa..f2a167d996974fc5a0614b77890552e6b41a1425 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -368,7 +368,7 @@ qla2x00_process_els(struct fc_bsg_job *bsg_job)
                SRB_ELS_CMD_RPT : SRB_ELS_CMD_HST);
        sp->name =
                (bsg_job->request->msgcode == FC_BSG_RPT_ELS ?
-               "bsg_els_rpt" : "bsg_els_hst");
+               sp_to_str(SPCN_BSG_RPT) : sp_to_str(SPCN_BSG_HST));
        sp->u.bsg_job = bsg_job;
        sp->free = qla2x00_bsg_sp_free;
        sp->done = qla2x00_bsg_job_done;
@@ -513,7 +513,7 @@ qla2x00_process_ct(struct fc_bsg_job *bsg_job)
        }
 
        sp->type = SRB_CT_CMD;
-       sp->name = "bsg_ct";
+       sp->name = sp_to_str(SPCN_BSG_CT);
        sp->iocbs = qla24xx_calc_ct_iocbs(req_sg_cnt + rsp_sg_cnt);
        sp->u.bsg_job = bsg_job;
        sp->free = qla2x00_bsg_sp_free;
@@ -1986,7 +1986,7 @@ qlafx00_mgmt_cmd(struct fc_bsg_job *bsg_job)
        fcport->loop_id = piocb_rqst->dataword;
 
        sp->type = SRB_FXIOCB_BCMD;
-       sp->name = "bsg_fx_mgmt";
+       sp->name = sp_to_str(SPCN_BSG_FX_MGMT);
        sp->iocbs = qla24xx_calc_ct_iocbs(req_sg_cnt + rsp_sg_cnt);
        sp->u.bsg_job = bsg_job;
        sp->free = qla2x00_bsg_sp_free;

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 3176de4256a23299df50088c885b402b79e28ad6..4a65b8c2ee14104cad434003dc3df7fa39b1cd06 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -424,6 +424,37 @@ struct srb_iocb {
        void (*timeout)(void *);
 };
 
+enum {
+       SPCN_UNKOWN,
+       SPCN_GIDPN,
+       SPCN_GPSC,
+       SPCN_GPNID,
+       SPCN_GPNFT,
+       SPCN_GNNID,
+       SPCN_GFPNID,
+       SPCN_LOGIN,
+       SPCN_LOGOUT,
+       SPCN_ADISC,
+       SPCN_GNLIST,
+       SPCN_GPDB,
+       SPCN_TMF,
+       SPCN_ABORT ,
+       SPCN_NACK,
+       SPCN_BSG_RPT,
+       SPCN_BSG_HST ,
+       SPCN_BSG_CT,
+       SPCN_BSG_FX_MGMT,
+       SPCN_ELS_DCMD,
+       SPCN_FXDISC,
+       SPCN_GIDLIST,
+       SPCN_STATS,
+       SPCN_MB_GPDB,
+};
+struct sp_name {
+        uint16_t cmd;
+        const char *str;
+};
+
 /* Values for srb_ctx type */
 #define SRB_LOGIN_CMD  1
 #define SRB_LOGOUT_CMD 2

diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index ca85bdd9c7972327f7aa3f52e34ddf5e2b269488..a4801b2189ec2dc12ba078dc75a178764b32fd32 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -626,6 +626,7 @@ void qla24xx_handle_gpnid_event(scsi_qla_host_t *, struct event_arg *);
 int qla24xx_post_gpsc_work(struct scsi_qla_host *, fc_port_t *);
 int qla24xx_async_gpsc(scsi_qla_host_t *, fc_port_t *);
 int qla2x00_mgmt_svr_login(scsi_qla_host_t *);
+const char *sp_to_str(uint16_t);
 
 /*
  * Global Function Prototypes in qla_attr.c source file.

diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
index 2d139447feb38b09d3410e37e6b14eb4a86022f0..a44ffbde332dd7271272463643e4b176da8cacf7 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_gs.c
+++ b/drivers/scsi/qla2xxx/qla_gs.c
@@ -15,6 +15,43 @@ static int qla2x00_sns_gnn_id(scsi_qla_host_t *, sw_info_t *);
 static int qla2x00_sns_rft_id(scsi_qla_host_t *);
 static int qla2x00_sns_rnn_id(scsi_qla_host_t *);
 
+struct sp_name sp_str[] = {
+       {SPCN_UNKOWN, "unknown"},
+       {SPCN_GIDPN, "gidpn"},
+       {SPCN_GPSC, "gpsc"},
+       {SPCN_GPNID, "gpnid"},
+       {SPCN_GPNFT, "gpnft"},
+       {SPCN_GNNID, "gnnid"},
+       {SPCN_GFPNID, "gfpnid"},
+       {SPCN_LOGIN, "login"},
+       {SPCN_LOGOUT, "logout"},
+       {SPCN_ADISC, "adisc"},
+       {SPCN_GNLIST, "gnlist"},
+       {SPCN_GPDB, "gpdb"},
+       {SPCN_TMF, "tmf"},
+       {SPCN_ABORT, "abort"},
+       {SPCN_NACK, "nack"},
+       {SPCN_BSG_RPT, "bsg_els_rpt"},
+       {SPCN_BSG_HST, "bsg_els_hst"},
+       {SPCN_BSG_CT, "bsg_ct"},
+       {SPCN_BSG_FX_MGMT, "bsg_fx_mgmt"},
+       {SPCN_ELS_DCMD, "ELS_DCMD"},
+       {SPCN_FXDISC, "fxdisc"},
+};
+const char *sp_to_str(uint16_t cmd)
+{
+        int i;
+        struct sp_name *e;
+
+        for (i = 1; i < ARRAY_SIZE(sp_str); i++) {
+                e = sp_str + i;
+                if (cmd == e->cmd)
+                        return e->str;
+        }
+        return sp_str[0].str;
+}
+
+
 /**
  * qla2x00_prep_ms_iocb() - Prepare common MS/CT IOCB fields for SNS CT query.
  * @ha: HA context
@@ -2902,7 +2939,7 @@ int qla24xx_async_gidpn(scsi_qla_host_t *vha, fc_port_t *fcport)
                goto done;
 
        sp->type = SRB_CT_PTHRU_CMD;
-       sp->name = "gidpn";
+       sp->name = sp_to_str(SPCN_GIDPN);
        sp->gen1 = fcport->rscn_gen;
        sp->gen2 = fcport->login_gen;
 
@@ -3062,7 +3099,7 @@ int qla24xx_async_gpsc(scsi_qla_host_t *vha, fc_port_t *fcport)
                goto done;
 
        sp->type = SRB_CT_PTHRU_CMD;
-       sp->name = "gpsc";
+       sp->name = sp_to_str(SPCN_GPSC);
        sp->gen1 = fcport->rscn_gen;
        sp->gen2 = fcport->login_gen;
 
@@ -3265,7 +3302,7 @@ int qla24xx_async_gpnid(scsi_qla_host_t *vha, port_id_t *id)
                goto done;
 
        sp->type = SRB_CT_PTHRU_CMD;
-       sp->name = "gpnid";
+       sp->name = sp_to_str(SPCN_GPNID);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
 
        sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index e9f7033555b513a83532eede2deb9348f387b6e5..c1d66f2f51f7c2445738e37ae519087bb6adda52 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -184,7 +184,7 @@ qla2x00_async_login(struct scsi_qla_host *vha, fc_port_t *fcport,
        fcport->logout_completed = 0;
 
        sp->type = SRB_LOGIN_CMD;
-       sp->name = "login";
+       sp->name = sp_to_str(SPCN_LOGIN);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
 
        lio = &sp->u.iocb_cmd;
@@ -242,7 +242,7 @@ qla2x00_async_logout(struct scsi_qla_host *vha, fc_port_t *fcport)
                goto done;
 
        sp->type = SRB_LOGOUT_CMD;
-       sp->name = "logout";
+       sp->name = sp_to_str(SPCN_LOGOUT);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
 
        lio = &sp->u.iocb_cmd;
@@ -294,7 +294,7 @@ qla2x00_async_adisc(struct scsi_qla_host *vha, fc_port_t *fcport,
                goto done;
 
        sp->type = SRB_ADISC_CMD;
-       sp->name = "adisc";
+       sp->name = sp_to_str(SPCN_ADISC);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
 
        lio = &sp->u.iocb_cmd;
@@ -573,7 +573,7 @@ int qla24xx_async_gnl(struct scsi_qla_host *vha, fc_port_t *fcport)
        if (!sp)
                goto done;
        sp->type = SRB_MB_IOCB;
-       sp->name = "gnlist";
+       sp->name = sp_to_str(SPCN_GNLIST);
        sp->gen1 = fcport->rscn_gen;
        sp->gen2 = fcport->login_gen;
 
@@ -708,7 +708,7 @@ int qla24xx_async_gpdb(struct scsi_qla_host *vha, fc_port_t *fcport, u8 opt)
        memset(pd, 0, max(PORT_DATABASE_SIZE, PORT_DATABASE_24XX_SIZE));
 
        sp->type = SRB_MB_IOCB;
-       sp->name = "gpdb";
+       sp->name = sp_to_str(SPCN_GPDB);
        sp->gen1 = fcport->rscn_gen;
        sp->gen2 = fcport->login_gen;
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
@@ -1175,7 +1175,7 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
 
        tm_iocb = &sp->u.iocb_cmd;
        sp->type = SRB_TM_CMD;
-       sp->name = "tmf";
+       sp->name = sp_to_str(SPCN_TMF);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha));
        tm_iocb->u.tmf.flags = flags;
        tm_iocb->u.tmf.lun = lun;
@@ -1253,7 +1253,7 @@ qla24xx_async_abort_cmd(srb_t *cmd_sp)
 
        abt_iocb = &sp->u.iocb_cmd;
        sp->type = SRB_ABT_CMD;
-       sp->name = "abort";
+       sp->name = sp_to_str(SPCN_ABORT);
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha));
        abt_iocb->u.abt.cmd_hndl = cmd_sp->handle;
        sp->done = qla24xx_abort_sp_done;

diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
index e40c4bf9db0837cb8e9804a2295b0a5607723a3e..b6e6d0081f92247552b02d95b0e680055fe79fa6 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -2442,7 +2442,7 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode,
            fcport->d_id.b.domain, fcport->d_id.b.area, fcport->d_id.b.al_pa);
 
        sp->type = SRB_ELS_DCMD;
-       sp->name = "ELS_DCMD";
+       sp->name = sp_to_str(SPCN_ELS_DCMD);
        sp->fcport = fcport;
        qla2x00_init_timer(sp, ELS_DCMD_TIMEOUT);
        elsio->timeout = qla2x00_els_dcmd_iocb_timeout;

diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index 4590fdc49296264966ee0d96f020c375509d5fe8..02cda8aa08b2c8107075b4f9df3d5ab7805d18cb 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -14,7 +14,8 @@ static struct mb_cmd_name {
         uint16_t cmd;
         const char *str;
 } mb_str[] = {
-        {MBC_GET_PORT_DATABASE,         "GPDB"},
+       {0, "unknown mb"},
+       {MBC_GET_PORT_DATABASE,         "GPDB"},
         {MBC_GET_ID_LIST,               "GIDList"},
         {MBC_GET_LINK_PRIV_STATS,       "Stats"},
 };
@@ -24,12 +25,12 @@ static const char *mb_to_str(uint16_t cmd)
         int i;
         struct mb_cmd_name *e;
 
-        for (i = 0; i < ARRAY_SIZE(mb_str); i++) {
+        for (i = 1; i < ARRAY_SIZE(mb_str); i++) {
                 e = mb_str + i;
                 if (cmd == e->cmd)
                         return e->str;
         }
-        return "unknown";
+        return "mb_str[0].str";
 }
 
 /*

diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
index 975c9cc1d96fe461defef9120a0ab604d1f90294..8e4c0131360cc7a428153259f1dbb89e4b261f24 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_mr.c
+++ b/drivers/scsi/qla2xxx/qla_mr.c
@@ -1921,7 +1921,7 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type)
        }
 
        sp->type = SRB_FXIOCB_DCMD;
-       sp->name = "fxdisc";
+       sp->name = sp_to_str(SPCN_FXDISC);
        qla2x00_init_timer(sp, FXDISC_TIMEOUT);
        fdisc->timeout = qla2x00_fxdisc_iocb_timeout;
        fdisc->u.fxiocb.req_func_type = cpu_to_le16(fx_type);

diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 7eac68c0df0622d9fddac24f9959f1f2903e8c3b..0b3ea1406c2886583c5699a8e286a7c65123cbc4 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -621,7 +621,7 @@ int qla24xx_async_notify_ack(scsi_qla_host_t *vha, fc_port_t *fcport,
                goto done;
 
        sp->type = type;
-       sp->name = "nack";
+       sp->name = sp_to_str(SPCN_NACK);
 
        qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha)+2);