TYPE_TGT_TMCMD are not being skipped now, but tgt_ops are dereferenced
in qlt_free_ul_cmd() without checking if target mode is enabled. However,
it is possible that commands requiring target mode to be enabled are
received while target mode is disabled as it is seen in TYPE_TGT_CMD case.

To fix the issue check if target mode is enabled in TYPE_TGT_TMCMD
case as well.

Fixes: d46c69a087aa ("scsi: qla2xxx: Clear cmds after chip reset")
Cc: stable@vger.kernel.org
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
 drivers/scsi/qla2xxx/qla_os.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 72b1c28e4dae..e81ef3629aaa 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1890,6 +1890,13 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
 				}
 				break;
 			case TYPE_TGT_TMCMD:
+				if (!vha->hw->tgt.tgt_ops || !tgt ||
+				    qla_ini_mode_enabled(vha)) {
+					ql_dbg(ql_dbg_tgt_mgt, vha, 0xf004,
+					    "HOST-ABORT-HNDLR: dpc_flags=%lx. Target mode disabled\n",
+					    vha->dpc_flags);
+					continue;
+				}
 				/*
 				 * Currently, only ABTS response gets on the
 				 * outstanding_cmds[]
-- 
2.34.1

On Thu, Mar 26, 2026 at 12:42:49PM +0300, Daniil Dulov wrote:
> 
> TYPE_TGT_TMCMD are not being skipped now, but tgt_ops are dereferenced
> in qlt_free_ul_cmd() without checking if target mode is enabled. However,
> it is possible that commands requiring target mode to be enabled are

Is is really possible? TYPE_TGT_TMCMD is allocated using tgt_ops
pointer. So at creation time tgt_ops was a valid.

> received while target mode is disabled as it is seen in TYPE_TGT_CMD case.

That condition in TYPE_TGT_CMD is also some legacy leftover.

Race condition when tgt_ops might be get nulled during HBA reset was fixed in
https://lore.kernel.org/all/20210415203554.27890-1-d.bogdanov@yadro.com/

> To fix the issue check if target mode is enabled in TYPE_TGT_TMCMD
> case as well.
> 
> Fixes: d46c69a087aa ("scsi: qla2xxx: Clear cmds after chip reset")
> Cc: stable@vger.kernel.org
> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
> ---
>  drivers/scsi/qla2xxx/qla_os.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
> index 72b1c28e4dae..e81ef3629aaa 100644
> --- a/drivers/scsi/qla2xxx/qla_os.c
> +++ b/drivers/scsi/qla2xxx/qla_os.c
> @@ -1890,6 +1890,13 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
>                                 }
>                                 break;
>                         case TYPE_TGT_TMCMD:
> +                               if (!vha->hw->tgt.tgt_ops || !tgt ||
> +                                   qla_ini_mode_enabled(vha)) {
> +                                       ql_dbg(ql_dbg_tgt_mgt, vha, 0xf004,
> +                                           "HOST-ABORT-HNDLR: dpc_flags=%lx. Target mode disabled\n",
> +                                           vha->dpc_flags);
> +                                       continue;
> +                               }
>                                 /*
>                                  * Currently, only ABTS response gets on the
>                                  * outstanding_cmds[]
> --
> 2.34.1
>