From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Roman Bolshakov
Date: Wed, 20 Nov 2019 22:27:09 +0000
Subject: [PATCH v2 01/15] scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd
Message-Id: <20191120222723.27779-2-r.bolshakov@yadro.com>
List-Id:
References: <20191120222723.27779-1-r.bolshakov@yadro.com>
In-Reply-To: <20191120222723.27779-1-r.bolshakov@yadro.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: base64
To: linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Cc: linux@yadro.com, Roman Bolshakov , Quinn Tran , Bart Van Assche , Thomas Abraham , stable@vger.kernel.org, Himanshu Madhani

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roman Bolshakov
To: ,
CC: , Roman Bolshakov , Quinn Tran , Bart Van Assche , Thomas Abraham , , Himanshu Madhani
Subject: [PATCH v2 01/15] scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd
Date: Thu, 21 Nov 2019 01:27:09 +0300
Message-ID: <20191120222723.27779-2-r.bolshakov@yadro.com>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191120222723.27779-1-r.bolshakov@yadro.com>
References: <20191120222723.27779-1-r.bolshakov@yadro.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Originating-IP: [172.17.128.60]
X-ClientProxiedBy: T-EXCH-01.corp.yadro.com (172.17.10.101) To T-EXCH-02.corp.yadro.com (172.17.10.102)
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

If ABTS cannot be completed in target mode, the driver attempts to free
related management command and crashes:

  NIP [d000000019181ee8] tcm_qla2xxx_free_mcmd+0x40/0x80 [tcm_qla2xxx]
  LR [d00000001dc1e6f8] qlt_response_pkt+0x190/0xa10 [qla2xxx]
  Call Trace:
  [c000003fff27bb50] [c000003fff27bc10] 0xc000003fff27bc10 (unreliable)
  [c000003fff27bb70] [d00000001dc1e6f8] qlt_response_pkt+0x190/0xa10 [qla2xxx]
  [c000003fff27bc10] [d00000001dbc2be0] qla24xx_process_response_queue+0x5d8/0xbd0 [qla2xxx]
  [c000003fff27bd50] [d00000001dbc632c] qla24xx_msix_rsp_q+0x64/0x150 [qla2xxx]
  [c000003fff27bde0] [c000000000187200] __handle_irq_event_percpu+0x90/0x310
  [c000003fff27bea0] [c0000000001874b8] handle_irq_event_percpu+0x38/0x90
  [c000003fff27bee0] [c000000000187574] handle_irq_event+0x64/0xb0
  [c000003fff27bf10] [c00000000018cd38] handle_fasteoi_irq+0xe8/0x280
  [c000003fff27bf40] [c000000000185ccc] generic_handle_irq+0x4c/0x70
  [c000003fff27bf60] [c000000000016cec] __do_irq+0x7c/0x1d0
  [c000003fff27bf90] [c00000000002a530] call_do_irq+0x14/0x24
  [c00000207d2cba90] [c000000000016edc] do_IRQ+0x9c/0x130
  [c00000207d2cbae0] [c000000000008bf4] hardware_interrupt_common+0x114/0x120
  --- interrupt: 501 at arch_local_irq_restore+0x74/0x90
      LR = arch_local_irq_restore+0x74/0x90
  [c00000207d2cbdd0] [c0000000001c64fc] tick_broadcast_oneshot_control+0x4c/0x60 (unreliable)
  [c00000207d2cbdf0] [c0000000007ac840] cpuidle_enter_state+0xf0/0x450
  [c00000207d2cbe50] [c00000000016b81c] call_cpuidle+0x4c/0x90
  [c00000207d2cbe70] [c00000000016bc30] do_idle+0x2b0/0x330
  [c00000207d2cbec0] [c00000000016beec] cpu_startup_entry+0x3c/0x50
  [c00000207d2cbef0] [c00000000004a06c] start_secondary+0x63c/0x670
  [c00000207d2cbf90] [c00000000000aa6c] start_secondary_prolog+0x10/0x14

The crash can be triggered by ACL deletion when there's active I/O.

During ACL deletion, qla2xxx performs implicit LOGO that's invisible for
the initiator. Only the driver and firmware are aware of the logout.
Therefore the initiator continues to send SCSI commands and the target
always responds with SAM STATUS BUSY as it can't find the session.

The command times out after a while and initiator invokes ABORT TASK TMF
for the command. The TMF is mapped to ABTS-LS in FCP. The target can't
find session for S_ID originating ABTS-LS so it never allocates mcmd.
And since N_Port handle was deleted after LOGO, it is no longer valid
and ABTS Response IOCB is returned from firmware with status 31. Then
free_mcmd is invoked on NULL pointer and the kernel crashes.

[ 7734.578642] qla2xxx [0000:00:0c.0]-e837:6: ABTS_RECV_24XX: instance 0
[ 7734.578644] qla2xxx [0000:00:0c.0]-f811:6: qla_target(0): task abort (s_id=1:2:0, tag=1209504, param=0)
[ 7734.578645] find_sess_by_s_id: 0x010200
[ 7734.578645] Unable to locate s_id: 0x010200
[ 7734.578646] qla2xxx [0000:00:0c.0]-f812:6: qla_target(0): task abort for non-existent session
[ 7734.578648] qla2xxx [0000:00:0c.0]-e806:6: Sending task mgmt ABTS response (ha=c0000000d5819000, atio=c0000000d3fd4700, status=4
[ 7734.578730] qla2xxx [0000:00:0c.0]-e838:6: ABTS_RESP_24XX: compl_status 31
[ 7734.578732] qla2xxx [0000:00:0c.0]-e863:6: qla_target(0): ABTS_RESP_24XX failed 31 (subcode 19:a)
[ 7734.578740] Unable to handle kernel paging request for data at address 0x00000200

Fixes: 6b0431d6fa20b ("scsi: qla2xxx: Fix out of order Termination and ABTS response")
Cc: Quinn Tran
Cc: Bart Van Assche
Cc: Thomas Abraham
Cc: stable@vger.kernel.org
Signed-off-by: Roman Bolshakov
Acked-by: Himanshu Madhani
--- drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c index 042a24314edc..bab2073c1f72 100644 --- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c +++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c @@ -246,6 +246,8 @@ static void tcm_qla2xxx_complete_mcmd(struct work_struct *work) */ static void tcm_qla2xxx_free_mcmd(struct qla_tgt_mgmt_cmd *mcmd) { + if (!mcmd) + return; INIT_WORK(&mcmd->free_work, tcm_qla2xxx_complete_mcmd); queue_work(tcm_qla2xxx_free_wq, &mcmd->free_work); } -- 2.24.0
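
Review bot: The early return added at the top of tcm_qla2xxx_free_mcmd() is silent and undocumented. The comment block that ends just above the function is not touched by this hunk, so nothing tells callers that NULL is now an accepted argument, and the path shown in the trace (qlt_response_pkt calling in with an mcmd that was never allocated) leaves no record when it is taken. Consider adding a line to that comment stating that a NULL mcmd is ignored, and either a debug-level message in the guard or a check at the call site, so that a failed ABTS response with no mcmd stays visible in the logs. A blank line between the `if (!mcmd) return;` guard and the INIT_WORK() call would also set the guard apart from the work setup.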
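
As an added example (not part of the patch or of the qla2xxx project), the log sequence quoted in the commit message can be matched to triage hosts that hit this crash on an unpatched kernel. The function name and the 1-second correlation window are assumptions, the fault wording is the powerpc form shown in the message, and the sample lines are copied from it.

```python
import re

# Sample input: kernel log lines copied from the commit message on this page.
SAMPLE = """\
[ 7734.578642] qla2xxx [0000:00:0c.0]-e837:6: ABTS_RECV_24XX: instance 0
[ 7734.578644] qla2xxx [0000:00:0c.0]-f811:6: qla_target(0): task abort (s_id=1:2:0, tag=1209504, param=0)
[ 7734.578645] find_sess_by_s_id: 0x010200
[ 7734.578645] Unable to locate s_id: 0x010200
[ 7734.578646] qla2xxx [0000:00:0c.0]-f812:6: qla_target(0): task abort for non-existent session
[ 7734.578648] qla2xxx [0000:00:0c.0]-e806:6: Sending task mgmt ABTS response (ha=c0000000d5819000, atio=c0000000d3fd4700, status=4
[ 7734.578730] qla2xxx [0000:00:0c.0]-e838:6: ABTS_RESP_24XX: compl_status 31
[ 7734.578732] qla2xxx [0000:00:0c.0]-e863:6: qla_target(0): ABTS_RESP_24XX failed 31 (subcode 19:a)
[ 7734.578740] Unable to handle kernel paging request for data at address 0x00000200
"""

# Timestamp prefix, qla2xxx "[pci-dev]-msgid:host:" prefix, and the fault line.
LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
QLA = re.compile(r"^qla2xxx \[([0-9a-f:.]+)\]-([0-9a-f]{4}):\d+: (.*)$")
FAULT = re.compile(r"Unable to handle kernel paging request .* at address (0x[0-9a-f]+)")

def find_abts_null_free(log, window=1.0):
    """Find 'orphan ABTS -> failed ABTS response -> kernel fault' sequences."""
    findings, orphan, failed = [], {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        q = QLA.match(msg)
        if q:
            dev, msg_id, text = q.groups()
            if msg_id == "f812":                      # abort for non-existent session
                orphan[dev] = ts
            elif msg_id == "e863" and dev in orphan:  # ABTS response failed
                failed[dev] = (ts, text)
            continue
        f = FAULT.search(msg)
        if not f:
            continue
        for dev, (fts, text) in failed.items():
            if 0 <= ts - fts <= window:               # fault right after the failure
                findings.append({"device": dev, "abort_at": orphan[dev],
                                 "fault_at": ts, "response": text,
                                 "fault_addr": int(f.group(1), 16)})
        orphan.clear()
        failed.clear()
    return findings
```

A small fault address such as the 0x200 returned here is consistent with a member access through a NULL structure pointer, which is what the commit message describes for `mcmd`.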