scsi: qla2xxx: Fix response queue handler reading stale packets

On some platforms, the current logic of relying on finding new packet
solely based on signature pattern can lead to driver reading stale
packets. Though this is a bug in those platforms, reduce such exposures by
limiting reading packets until the IN pointer.

Link: https://lore.kernel.org/r/20220826102559.17474-3-njavali@marvell.com
Cc: stable@vger.kernel.org
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index ede76357ccb6f006a5ba844228ff6c2581f90e14..e19fde304e5c6891b44db73496f9fefe69643398 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -3763,7 +3763,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
        struct qla_hw_data *ha = vha->hw;
        struct purex_entry_24xx *purex_entry;
        struct purex_item *pure_item;
-       u16 cur_ring_index;
+       u16 rsp_in = 0, cur_ring_index;
+       int is_shadow_hba;
 
        if (!ha->flags.fw_started)
                return;
@@ -3773,7 +3774,18 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
                qla_cpu_update(rsp->qpair, smp_processor_id());
        }
 
-       while (rsp->ring_ptr->signature != RESPONSE_PROCESSED) {
+#define __update_rsp_in(_is_shadow_hba, _rsp, _rsp_in)                 \
+       do {                                                            \
+               _rsp_in = _is_shadow_hba ? *(_rsp)->in_ptr :            \
+                               rd_reg_dword_relaxed((_rsp)->rsp_q_in); \
+       } while (0)
+
+       is_shadow_hba = IS_SHADOW_REG_CAPABLE(ha);
+
+       __update_rsp_in(is_shadow_hba, rsp, rsp_in);
+
+       while (rsp->ring_index != rsp_in &&
+                      rsp->ring_ptr->signature != RESPONSE_PROCESSED) {
                pkt = (struct sts_entry_24xx *)rsp->ring_ptr;
                cur_ring_index = rsp->ring_index;
 
@@ -3887,6 +3899,7 @@ process_err:
                                }
                                pure_item = qla27xx_copy_fpin_pkt(vha,
                                                          (void **)&pkt, &rsp);
+                               __update_rsp_in(is_shadow_hba, rsp, rsp_in);
                                if (!pure_item)
                                        break;
                                qla24xx_queue_purex_item(vha, pure_item,