* [Bug 84091] New: Unloading qla2xxx kernel module triggers segmentation fault
From: bugzilla-daemon @ 2014-09-08 15:03 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=84091
Bug ID: 84091
Summary: Unloading qla2xxx kernel module triggers segmentation fault
Product: SCSI Drivers
Version: 2.5
Kernel Version: 3.16.1
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: QLOGIC QLA2XXX
Assignee: scsi_drivers-qla2xxx@kernel-bugs.osdl.org
Reporter: bvanassche@acm.org
Regression: No
After having upgraded the firmware of a QLE2562 adapter to version 07.03.00,
trying to unload (rmmod) the QLogic initiator driver kernel module triggers a
segmentation fault. This occurs at least with kernel versions 3.15.8 and 3.16.1
if memory poisoning has been enabled (CONFIG_SLUB_DEBUG_ON=y). From the system
log:
general protection fault: 0000 [#1] PREEMPT SMP
Modules linked in: qla2xxx(-) scsi_transport_fc fuse ip6table_filter ip6_tables
iptable_filter ip_tables ebtable_nat ebtables x_tables 8021q garp bridge stp
llc rdma_ucm rdma_cm iw_cm af_packet ib_ipoib ib_cm ib_uverbs ib_umad mlx4_en
mlx4_ib ib_sa ib_mad ib_core ib_addr snd_hda_codec_hdmi snd_hda_codec_realtek
snd_hda_codec_generic x86_pkg_temp_thermal kvm_intel kvm crc32c_intel microcode
pcspkr sr_mod cdrom snd_hda_intel snd_hda_controller lpc_ich snd_hda_codec
snd_hwdep i2c_i801 mfd_core snd_pcm snd_seq mlx4_core snd_seq_device snd_timer
e1000e snd ptp soundcore pps_core wmi acpi_cpufreq button sg dm_mod autofs4
ext4 crc16 mbcache jbd2 xor lzo_compress raid6_pq sd_mod crc_t10dif
crct10dif_common hid_generic usbhid hid radeon i2c_algo_bit drm_kms_helper ahci
ttm libahci libata drm xhci_hcd ehci_pci agpgart ehci_hcd i2c_core usbcore
usb_common processor thermal_sys hwmon scsi_dh_alua scsi_dh scsi_mod
CPU: 4 PID: 4447 Comm: rmmod Not tainted 3.16.1-debug+ #1
Hardware name: MSI MS-7737/Big Bang-XPower II (MS-7737), BIOS V1.5 10/16/2012
task: ffff88082f900000 ti: ffff8807fbe80000 task.ti: ffff8807fbe80000
RIP: 0010:[<ffffffffa0831bcf>] [<ffffffffa0831bcf>]
qla2x00_remove_one+0x11f/0x220 [qla2xxx]
RSP: 0018:ffff8807fbe83e00 EFLAGS: 00010282
RAX: ffff88082f900001 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000001
RDX: 0000000000000006 RSI: ffff88082f900828 RDI: ffff88082f900000
RBP: ffff8807fbe83e18 R08: ffff8807fd416930 R09: 0000000100180011
R10: 0000000000000000 R11: 0000000000000002 R12: ffff8807fe190000
R13: ffff880838c6a290 R14: ffffffffa08ac0e0 R15: 0000000000eaf010
FS: 00007fc26c717700(0000) GS:ffff88085fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002002470 CR3: 00000007fe218000 CR4: 00000000000407e0
Stack:
ffff880838c6a328 ffff880838c6a290 ffff880838c6a388 ffff8807fbe83e38
ffffffff8129f79d ffff880838c6a328 ffffffffa08ac068 ffff8807fbe83e58
ffffffff8133ab09 ffff880838c6a328 ffffffffa08ac068 ffff8807fbe83e80
Call Trace:
[<ffffffff8129f79d>] pci_device_remove+0x2d/0x60
[<ffffffff8133ab09>] __device_release_driver+0x69/0xd0
[<ffffffff8133b4d0>] driver_detach+0xc0/0xd0
[<ffffffff8133a7e8>] bus_remove_driver+0x58/0xd0
[<ffffffff8133b8dc>] driver_unregister+0x2c/0x50
[<ffffffff8129f6ca>] pci_unregister_driver+0x2a/0x80
[<ffffffffa0892b96>] qla2x00_module_exit+0x2c/0x9c [qla2xxx]
[<ffffffff810d2452>] SyS_delete_module+0x142/0x1d0
[<ffffffff814c3c43>] ? tracesys+0x71/0xd5
[<ffffffff814c3ca2>] tracesys+0xd0/0xd5
Code: 00 48 8b 7b 68 e8 a2 3c fe ff 48 8b 7b 68 e8 29 12 7d ff 48 89 df e8 11
f1 ff ff 48 8b 7b 68 e8 38 16 7d ff 48 8b 9b d8 01 00 00 <8b> 83 58 01 00 00 a9
00 00 04 00 0f 85 cc 00 00 00 f6 c4 40 75
RIP [<ffffffffa0831bcf>] qla2x00_remove_one+0x11f/0x220 [qla2xxx]
RSP <ffff8807fbe83e00>
---[ end trace f16db7305109991a ]---
gdb translates the crash address into the following:
(gdb) list *(qla2x00_remove_one+0x11f)
0x5bcf is in qla2x00_remove_one (drivers/scsi/qla2xxx/qla_os.c:3118).
3113 static void
3114 qla2x00_clear_drv_active(scsi_qla_host_t *vha)
3115 {
3116 struct qla_hw_data *ha = vha->hw;
3117
3118 if (IS_QLA8044(ha)) {
3119 qla8044_idc_lock(ha);
3120 qla8044_clear_drv_active(ha);
3121 qla8044_idc_unlock(ha);
3122 } else if (IS_QLA82XX(ha)) {
From the gdb "disassemble /m qla2x00_remove_one" output (0x11f = 287):
0x0000000000005bc8 <+280>: mov 0x1d8(%rbx),%rbx
0x0000000000005bcf <+287>: mov 0x158(%rbx),%eax
0x0000000000005bd5 <+293>: test $0x40000,%eax
So it seems like qla2x00_clear_drv_active() is called with vha =
0x6b6b6b6b6b6b6b6b. I think this indicates a use-after-free.
--
You are receiving this mail because:
You are watching the assignee of the bug.
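The register dump above is the kind of evidence a kernel developer reads by eye: RBX holds 0x6b6b6b6b6b6b6b6b, the byte SLUB writes over an object when it is freed under CONFIG_SLUB_DEBUG_ON, and the faulting instruction dereferences RBX plus a field offset. The following script is an added example, not part of the bug report or of the qla2xxx driver; it parses the register lines of an x86-64 oops and flags any register whose value is a SLUB poison byte repeated across the word (optionally plus a small field offset), so the "freed object" diagnosis can be made systematically. The poison byte values come from include/linux/poison.h; the sample input is the register block copied from the report above.

```python
"""Flag x86-64 oops registers that hold SLUB poison patterns.

Added example (not from the bug report or the qla2xxx driver). A register
equal to a poison byte repeated eight times, or that value plus a small
field offset, is a strong indicator that freed memory is being dereferenced
(use-after-free) on a kernel built with CONFIG_SLUB_DEBUG_ON=y.
"""
import re

# Poison bytes from include/linux/poison.h, used by SLUB when object
# poisoning is active (CONFIG_SLUB_DEBUG_ON or slub_debug=P).
POISON_BYTES = {
    0x5A: "POISON_INUSE (allocated but not yet initialised)",
    0x6B: "POISON_FREE (object has been freed)",
    0xA5: "POISON_END (end-of-object marker)",
}

# Register lines as printed by show_regs() on x86-64, e.g. 'RBX: 6b6b6b6b6b6b6b6b'.
# RSP/RIP carry a segment prefix ('0018:') and are deliberately not matched.
_REG_RE = re.compile(
    r"\b(R(?:[A-D]X|[SD]I|BP|0[89]|1[0-5])): ([0-9a-f]{16})\b"
)

# Constructed sample: the register block copied from the oops in the report.
SAMPLE_OOPS = """\
RAX: ffff88082f900001 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000001
RDX: 0000000000000006 RSI: ffff88082f900828 RDI: ffff88082f900000
RBP: ffff8807fbe83e18 R08: ffff8807fd416930 R09: 0000000100180011
R10: 0000000000000000 R11: 0000000000000002 R12: ffff8807fe190000
R13: ffff880838c6a290 R14: ffffffffa08ac0e0 R15: 0000000000eaf010
"""


def parse_registers(oops_text: str) -> dict:
    """Return {register name: integer value} for the general-purpose registers."""
    return {name: int(hexval, 16) for name, hexval in _REG_RE.findall(oops_text)}


def classify_value(value: int, max_offset: int = 0x1000):
    """Return (poison_byte, offset) if value == poison pattern + offset, else None.

    A small positive offset is accepted because a stale pointer is usually
    dereferenced through a struct field (here: mov 0x158(%rbx),%eax), so a
    faulting address may be the poison word plus that field offset.
    """
    for byte in POISON_BYTES:
        pattern = int.from_bytes(bytes([byte]) * 8, "little")
        offset = value - pattern
        if 0 <= offset < max_offset:
            return byte, offset
    return None


def find_poisoned_registers(oops_text: str) -> dict:
    """Map register name -> (poison_byte, offset) for every poisoned register."""
    hits = {}
    for name, value in parse_registers(oops_text).items():
        result = classify_value(value)
        if result is not None:
            hits[name] = result
    return hits


def describe(hits: dict) -> list:
    """Human-readable lines for the findings of find_poisoned_registers()."""
    lines = []
    for name, (byte, offset) in sorted(hits.items()):
        suffix = f" + 0x{offset:x}" if offset else ""
        lines.append(f"{name} = 0x{byte:02x} x8{suffix}: {POISON_BYTES[byte]}")
    return lines


if __name__ == "__main__":
    findings = find_poisoned_registers(SAMPLE_OOPS)
    if not findings:
        print("no SLUB poison patterns in registers")
    for line in describe(findings):
        print(line)
```

Run against the report's register block, the only hit is RBX with POISON_FREE and offset 0, which matches the gdb reading that qla2x00_clear_drv_active() was entered with a freed vha; the same parser works on any x86-64 oops pasted from dmesg, and the offset tolerance also catches addresses such as poison + 0x158 that appear when the crash is reported through a page-fault address rather than a raw register.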
* [Bug 84091] Unloading qla2xxx kernel module triggers segmentation fault
From: bugzilla-daemon @ 2014-09-08 15:08 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=84091
Joe Lawrence <joe.lawrence@stratus.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |joe.lawrence@stratus.com
--- Comment #1 from Joe Lawrence <joe.lawrence@stratus.com> ---
Hi Bart,
Does the following patch queued up in Christoph's tree fix the use-after-free?
cf6dc619eb7c qla2xxx: Fix shost use-after-free on device removal
http://git.infradead.org/users/hch/scsi-queue.git/commit/cf6dc619eb7cfadd9e44d384fb06672a157024ab
Regards,
-- Joe
* [Bug 84091] Unloading qla2xxx kernel module triggers segmentation fault
From: bugzilla-daemon @ 2014-09-08 16:21 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=84091
--- Comment #2 from Bart Van Assche <bvanassche@acm.org> ---
This issue doesn't occur anymore with that patch applied. Thanks!