All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/1] qla2xxx: Fix oops in qla2x00_probe_one error path
@ 2017-10-20 13:17 Douglas Miller
  2017-10-20 13:17 ` [PATCH 1/1] " Douglas Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Douglas Miller @ 2017-10-20 13:17 UTC (permalink / raw)
  To: linux-scsi; +Cc: qla2xxx-upstream

See [PATCH 1/1] qla2xxx: Fix oops in qla2x00_probe_one error path

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH 1/1] qla2xxx: Fix oops in qla2x00_probe_one error path
  2017-10-20 13:17 [PATCH 0/1] qla2xxx: Fix oops in qla2x00_probe_one error path Douglas Miller
@ 2017-10-20 13:17 ` Douglas Miller
  2017-10-23  8:22   ` Martin K. Petersen
                     ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Douglas Miller @ 2017-10-20 13:17 UTC (permalink / raw)
  To: linux-scsi; +Cc: qla2xxx-upstream

On error, kthread_create() returns an errno-encoded pointer, not NULL.
The routine qla2x00_probe_one() detects the error case and jumps
to probe_failed, but has already assigned the return value from
kthread_create() to ha->dpc_thread.  Then probe_failed checks to see
if ha->dpc_thread is not NULL before doing cleanup on it. Since in the
error case this is also not NULL, it ends up trying to access an invalid
task pointer.

Solution is to assign NULL to ha->dpc_thread in the error path to avoid
kthread cleanup in that case.

Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
---
 drivers/scsi/qla2xxx/qla_os.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 9372098..bd39bf2 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3212,6 +3212,7 @@ static void qla2x00_iocb_work_fn(struct work_struct *work)
 		ql_log(ql_log_fatal, base_vha, 0x00ed,
 		    "Failed to start DPC thread.\n");
 		ret = PTR_ERR(ha->dpc_thread);
+		ha->dpc_thread = NULL;
 		goto probe_failed;
 	}
 	ql_dbg(ql_dbg_init, base_vha, 0x00ee,
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] qla2xxx: Fix oops in qla2x00_probe_one error path
  2017-10-20 13:17 ` [PATCH 1/1] " Douglas Miller
@ 2017-10-23  8:22   ` Martin K. Petersen
  2017-10-25 15:58   ` Madhani, Himanshu
  2017-10-31 12:07   ` Martin K. Petersen
  2 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2017-10-23  8:22 UTC (permalink / raw)
  To: Douglas Miller; +Cc: linux-scsi, qla2xxx-upstream


Douglas,

> On error, kthread_create() returns an errno-encoded pointer, not NULL.
> The routine qla2x00_probe_one() detects the error case and jumps
> to probe_failed, but has already assigned the return value from
> kthread_create() to ha->dpc_thread.  Then probe_failed checks to see
> if ha->dpc_thread is not NULL before doing cleanup on it. Since in the
> error case this is also not NULL, it ends up trying to access an invalid
> task pointer.
>
> Solution is to assign NULL to ha->dpc_thread in the error path to avoid
> kthread cleanup in that case.

QLogic folks: Please review!

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] qla2xxx: Fix oops in qla2x00_probe_one error path
  2017-10-20 13:17 ` [PATCH 1/1] " Douglas Miller
  2017-10-23  8:22   ` Martin K. Petersen
@ 2017-10-25 15:58   ` Madhani, Himanshu
  2017-10-31 12:07   ` Martin K. Petersen
  2 siblings, 0 replies; 5+ messages in thread
From: Madhani, Himanshu @ 2017-10-25 15:58 UTC (permalink / raw)
  To: Douglas Miller; +Cc: linux-scsi, Dept-Eng QLA2xxx Upstream


> On Oct 20, 2017, at 6:17 AM, Douglas Miller <dougmill@linux.vnet.ibm.com> wrote:
> 
> On error, kthread_create() returns an errno-encoded pointer, not NULL.
> The routine qla2x00_probe_one() detects the error case and jumps
> to probe_failed, but has already assigned the return value from
> kthread_create() to ha->dpc_thread.  Then probe_failed checks to see
> if ha->dpc_thread is not NULL before doing cleanup on it. Since in the
> error case this is also not NULL, it ends up trying to access an invalid
> task pointer.
> 
> Solution is to assign NULL to ha->dpc_thread in the error path to avoid
> kthread cleanup in that case.
> 
> Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
> ---
> drivers/scsi/qla2xxx/qla_os.c |    1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
> index 9372098..bd39bf2 100644
> --- a/drivers/scsi/qla2xxx/qla_os.c
> +++ b/drivers/scsi/qla2xxx/qla_os.c
> @@ -3212,6 +3212,7 @@ static void qla2x00_iocb_work_fn(struct work_struct *work)
> 		ql_log(ql_log_fatal, base_vha, 0x00ed,
> 		    "Failed to start DPC thread.\n");
> 		ret = PTR_ERR(ha->dpc_thread);
> +		ha->dpc_thread = NULL;
> 		goto probe_failed;
> 	}
> 	ql_dbg(ql_dbg_init, base_vha, 0x00ee,
> -- 
> 1.7.1
> 

Looks good. 

Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>

Thanks,
- Himanshu

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] qla2xxx: Fix oops in qla2x00_probe_one error path
  2017-10-20 13:17 ` [PATCH 1/1] " Douglas Miller
  2017-10-23  8:22   ` Martin K. Petersen
  2017-10-25 15:58   ` Madhani, Himanshu
@ 2017-10-31 12:07   ` Martin K. Petersen
  2 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2017-10-31 12:07 UTC (permalink / raw)
  To: Douglas Miller; +Cc: linux-scsi, qla2xxx-upstream


Douglas,

> On error, kthread_create() returns an errno-encoded pointer, not NULL.
> The routine qla2x00_probe_one() detects the error case and jumps
> to probe_failed, but has already assigned the return value from
> kthread_create() to ha->dpc_thread.  Then probe_failed checks to see
> if ha->dpc_thread is not NULL before doing cleanup on it. Since in the
> error case this is also not NULL, it ends up trying to access an invalid
> task pointer.
>
> Solution is to assign NULL to ha->dpc_thread in the error path to avoid
> kthread cleanup in that case.

Applied to 4.14/scsi-fixes. Thank you!

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-10-31 12:07 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-20 13:17 [PATCH 0/1] qla2xxx: Fix oops in qla2x00_probe_one error path Douglas Miller
2017-10-20 13:17 ` [PATCH 1/1] " Douglas Miller
2017-10-23  8:22   ` Martin K. Petersen
2017-10-25 15:58   ` Madhani, Himanshu
2017-10-31 12:07   ` Martin K. Petersen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.