[PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Bruno Prémont]

In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
pointer dereference when rsp->msix is NULL:

[    5.622457] NULL pointer dereference at 0000000000000050
[    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[    5.622457] PGD 0
[    5.622457] Oops: 0000 [#1] SMP
[    5.622457] Modules linked in:
[    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
[    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
[    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
[    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
[    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
[    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
[    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
[    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
[    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
[    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
[    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
[    5.622457] Stack:
[    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
[    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
[    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
[    5.622457] Call Trace:
[    5.622457]  <IRQ>
[    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
[    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
[    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
[    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
[    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
[    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
[    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
[    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
[    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
[    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
[    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
[    5.622457]  <EOI>
[    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
[    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
[    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
[    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
[    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
[    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
[    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
[    5.622457]  RSP <ffff8801afb03de8>
[    5.622457] CR2: 0000000000000050
[    5.622457] ---[ end trace fa2b19c25106d42b ]---
[    5.622457] Kernel panic - not syncing: Fatal exception in interrupt


The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
(qla2xxx: Add irq affinity notification).

Only dereference rsp->msix when it has been set so the machine can boot
fine. Possibly rsp->msix is unset because:
[    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
[    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
[    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
[    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
[    3.890145] scsi host0: qla2xxx
[    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
[    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
[    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).


CC: <stable@vger.kernel.org>
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
---
diff --git a/drivers/scsi/qla2xxx/qla_isr.c
b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
scsi_qla_host *vha, if (!vha->flags.online)
 		return;
 
-	if (rsp->msix->cpuid != smp_processor_id()) {
+	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
 		/* if kernel does not notify qla of IRQ's CPU change,
 		 * then set it here.
 		 */

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Quinn Tran]

Ack.  Looks good. Thanks.

Regards,
Quinn Tran






-----Original Message-----
From: Bruno Prémont <bonbons@linux-vserver.org>
Date: Thursday, June 30, 2016 at 8:00 AM
To: Quinn Tran <quinn.tran@qlogic.com>, Himanshu Madhani <himanshu.madhani@qlogic.com>, Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Dept-Eng QLA2xxx Upstream <qla2xxx-upstream@qlogic.com>, "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi <linux-scsi@vger.kernel.org>, linux-kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

>In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
>pointer dereference when rsp->msix is NULL:
>
>[    5.622457] NULL pointer dereference at 0000000000000050
>[    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457] PGD 0
>[    5.622457] Oops: 0000 [#1] SMP
>[    5.622457] Modules linked in:
>[    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
>[    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
>[    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
>[    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
>[    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
>[    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
>[    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
>[    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
>[    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
>[    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
>[    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>[    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
>[    5.622457] Stack:
>[    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
>[    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
>[    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
>[    5.622457] Call Trace:
>[    5.622457]  <IRQ>
>[    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
>[    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
>[    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
>[    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
>[    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
>[    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
>[    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
>[    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
>[    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
>[    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
>[    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
>[    5.622457]  <EOI>
>[    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
>[    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
>[    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
>[    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
>[    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
>[    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
>[    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457]  RSP <ffff8801afb03de8>
>[    5.622457] CR2: 0000000000000050
>[    5.622457] ---[ end trace fa2b19c25106d42b ]---
>[    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
>
>
>The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
>(qla2xxx: Add irq affinity notification).
>
>Only dereference rsp->msix when it has been set so the machine can boot
>fine. Possibly rsp->msix is unset because:
>[    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
>[    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
>[    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
>[    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
>[    3.890145] scsi host0: qla2xxx
>[    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
>[    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
>[    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
>
>
>CC: <stable@vger.kernel.org>
>Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
>---
>diff --git a/drivers/scsi/qla2xxx/qla_isr.c
>b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
>--- a/drivers/scsi/qla2xxx/qla_isr.c
>+++ b/drivers/scsi/qla2xxx/qla_isr.c
>@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
>scsi_qla_host *vha, if (!vha->flags.online)
> 		return;
> 
>-	if (rsp->msix->cpuid != smp_processor_id()) {
>+	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
> 		/* if kernel does not notify qla of IRQ's CPU change,
> 		 * then set it here.
> 		 */

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Johannes Thumshirn]

On Thu, Jun 30, 2016 at 05:00:32PM +0200, Bruno Prémont wrote:
> In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
> pointer dereference when rsp->msix is NULL:
> 
> [    5.622457] NULL pointer dereference at 0000000000000050
> [    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
> [    5.622457] PGD 0
> [    5.622457] Oops: 0000 [#1] SMP
> [    5.622457] Modules linked in:
> [    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
> [    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
> [    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
> [    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
> [    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
> [    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
> [    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
> [    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
> [    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
> [    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
> [    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
> [    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
> [    5.622457] Stack:
> [    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
> [    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
> [    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
> [    5.622457] Call Trace:
> [    5.622457]  <IRQ>
> [    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
> [    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
> [    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
> [    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
> [    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
> [    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
> [    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
> [    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
> [    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
> [    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
> [    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
> [    5.622457]  <EOI>
> [    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
> [    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
> [    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
> [    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
> [    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
> [    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
> [    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
> [    5.622457]  RSP <ffff8801afb03de8>
> [    5.622457] CR2: 0000000000000050
> [    5.622457] ---[ end trace fa2b19c25106d42b ]---
> [    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
> 
> 
> The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
> (qla2xxx: Add irq affinity notification).
> 
> Only dereference rsp->msix when it has been set so the machine can boot
> fine. Possibly rsp->msix is unset because:
> [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
> [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
> [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
> [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
> [    3.890145] scsi host0: qla2xxx
> [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
> [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
> [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
> 
> 
> CC: <stable@vger.kernel.org>
> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>

Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>

-- 
Johannes Thumshirn                                          Storage
jthumshirn@suse.de                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Thorsten Leemhuis]

Bruno Prémont wrote on 30.06.2016 17:00:
> In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
> pointer dereference when rsp->msix is NULL:
> […]
> The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
> (qla2xxx: Add irq affinity notification).
> 
> Only dereference rsp->msix when it has been set so the machine can boot
> fine. Possibly rsp->msix is unset because:
> [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
> [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
> [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
> [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
> [    3.890145] scsi host0: qla2xxx
> [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
> [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
> [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).

Bruno: Does that mean you actually tested that patch and it fixed the
problem for you? It looks like it, but there is some confusion about it;
that's one of the reasons why this patch didn't get any further yet
afaics, so a quick clarification might help to finally get this fixed
properly in mainline and stable.

Himanshu: While at it: Can you confirm this patch should get merged to
mainline? Seems Quinn is on PTO and his out-of-office reply mentioned
you as one point of contact.

Cheers, your regression tracker for Linux 4.7
 Thorsten

> CC: <stable@vger.kernel.org>
> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
> ---
> diff --git a/drivers/scsi/qla2xxx/qla_isr.c
> b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
> --- a/drivers/scsi/qla2xxx/qla_isr.c
> +++ b/drivers/scsi/qla2xxx/qla_isr.c
> @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
> scsi_qla_host *vha, if (!vha->flags.online)
>  		return;
>  
> -	if (rsp->msix->cpuid != smp_processor_id()) {
> +	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
>  		/* if kernel does not notify qla of IRQ's CPU change,
>  		 * then set it here.
>  		 */
> 
> http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu 
> http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu
> 

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Himanshu Madhani]

On 7/8/16, 12:27 AM, "Thorsten Leemhuis" <regressions@leemhuis.info> wrote:

>Bruno Prémont wrote on 30.06.2016 17:00:
>> In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
>> pointer dereference when rsp->msix is NULL:
>> […]
>> The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
>> (qla2xxx: Add irq affinity notification).
>> 
>> Only dereference rsp->msix when it has been set so the machine can boot
>> fine. Possibly rsp->msix is unset because:
>> [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
>> [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
>> [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
>> [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
>> [    3.890145] scsi host0: qla2xxx
>> [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
>> [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
>> [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
>
>Bruno: Does that mean you actually tested that patch and it fixed the
>problem for you? It looks like it, but there is some confusion about it;
>that's one of the reasons why this patch didn't get any further yet
>afaics, so a quick clarification might help to finally get this fixed
>properly in mainline and stable.
>
>Himanshu: While at it: Can you confirm this patch should get merged to
>mainline? Seems Quinn is on PTO and his out-of-office reply mentioned
>you as one point of contact.

I see this patch has been queued to “fixes" branch on James’s tree. So it would
get merged into mainline kernel.  Here’s link 

http://git.kernel.org/cgit/linux/kernel/git/jejb/scsi.git/log/?h=fixes

>
>Cheers, your regression tracker for Linux 4.7
> Thorsten
>
>> CC: <stable@vger.kernel.org>
>> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
>> ---
>> diff --git a/drivers/scsi/qla2xxx/qla_isr.c
>> b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
>> --- a/drivers/scsi/qla2xxx/qla_isr.c
>> +++ b/drivers/scsi/qla2xxx/qla_isr.c
>> @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
>> scsi_qla_host *vha, if (!vha->flags.online)
>>  		return;
>>  
>> -	if (rsp->msix->cpuid != smp_processor_id()) {
>> +	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
>>  		/* if kernel does not notify qla of IRQ's CPU change,
>>  		 * then set it here.
>>  		 */
>> 
>> http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu 
>> http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu
>> 

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Bruno Prémont]

On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote:
> Bruno Prémont wrote on 30.06.2016 17:00:
> > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
> > pointer dereference when rsp->msix is NULL:
> > […]
> > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
> > (qla2xxx: Add irq affinity notification).
> > 
> > Only dereference rsp->msix when it has been set so the machine can boot
> > fine. Possibly rsp->msix is unset because:
> > [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
> > [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
> > [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
> > [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
> > [    3.890145] scsi host0: qla2xxx
> > [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
> > [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
> > [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).  
> 
> Bruno: Does that mean you actually tested that patch and it fixed the
> problem for you? It looks like it, but there is some confusion about it;
> that's one of the reasons why this patch didn't get any further yet
> afaics, so a quick clarification might help to finally get this fixed
> properly in mainline and stable.

Yes, it does fix the Oops for me.

I did not analyze the reason why rsp->msix is NULL (no idea if
it remains NULL forever on my hardware) - I just extracted messages
from qla driver shown during boot which seem to indicate a possible
reason why msix is NULL.
Further analysis should be done by someone with better knowledge of qla
driver than mine though I would be happy to perform tests.

Bruno


> Himanshu: While at it: Can you confirm this patch should get merged to
> mainline? Seems Quinn is on PTO and his out-of-office reply mentioned
> you as one point of contact.
> 
> Cheers, your regression tracker for Linux 4.7
>  Thorsten
> 
> > CC: <stable@vger.kernel.org>
> > Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
> > ---
> > diff --git a/drivers/scsi/qla2xxx/qla_isr.c
> > b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
> > --- a/drivers/scsi/qla2xxx/qla_isr.c
> > +++ b/drivers/scsi/qla2xxx/qla_isr.c
> > @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
> > scsi_qla_host *vha, if (!vha->flags.online)
> >  		return;
> >  
> > -	if (rsp->msix->cpuid != smp_processor_id()) {
> > +	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
> >  		/* if kernel does not notify qla of IRQ's CPU change,
> >  		 * then set it here.
> >  		 */
> > 
> > http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu 
> > http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu
> >   

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Thorsten Leemhuis]

Bruno Prémont wrote on 11.07.2016 09:17:
> On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote:
>> Bruno Prémont wrote on 30.06.2016 17:00:
>> > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
>> > pointer dereference when rsp->msix is NULL:
>> > […]
>> > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
>> > (qla2xxx: Add irq affinity notification).
>> > 
>> > Only dereference rsp->msix when it has been set so the machine can boot
>> > fine. Possibly rsp->msix is unset because:
>> > [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
>> > [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
>> > [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
>> > [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
>> > [    3.890145] scsi host0: qla2xxx
>> > [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
>> > [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
>> > [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).  
>> 
>> Bruno: Does that mean you actually tested that patch and it fixed the
>> problem for you? It looks like it, but there is some confusion about it;
>> that's one of the reasons why this patch didn't get any further yet
>> afaics, so a quick clarification might help to finally get this fixed
>> properly in mainline and stable.
> Yes, it does fix the Oops for me.

Thx for the feedback. The patch hit mainline late last week (it's
included in rc7) and should hopefully make it to the stable trees in a
week or two.

> I did not analyze the reason why rsp->msix is NULL (no idea if
> it remains NULL forever on my hardware) - I just extracted messages
> from qla driver shown during boot which seem to indicate a possible
> reason why msix is NULL.
> Further analysis should be done by someone with better knowledge of qla
> driver than mine though I would be happy to perform tests.

I have no idea about the details, but in case you missed it, this
discussion might have some more relevant details:
http://thread.gmane.org/gmane.linux.kernel/2247804/focus=2250727

Cheers, Thorsten

Re: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

[Bruno Prémont]

On Mon, 11 Jul 2016 09:30:30 +0200 Thorsten Leemhuis wrote:
> Bruno Prémont wrote on 11.07.2016 09:17:
> > On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote:  
> >> Bruno Prémont wrote on 30.06.2016 17:00:  
> >> > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
> >> > pointer dereference when rsp->msix is NULL:
> >> > […]
> >> > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
> >> > (qla2xxx: Add irq affinity notification).
> >> > 
> >> > Only dereference rsp->msix when it has been set so the machine can boot
> >> > fine. Possibly rsp->msix is unset because:
> >> > [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
> >> > [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
> >> > [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
> >> > [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
> >> > [    3.890145] scsi host0: qla2xxx
> >> > [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
> >> > [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
> >> > [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).    
> >> 
> >> Bruno: Does that mean you actually tested that patch and it fixed the
> >> problem for you? It looks like it, but there is some confusion about it;
> >> that's one of the reasons why this patch didn't get any further yet
> >> afaics, so a quick clarification might help to finally get this fixed
> >> properly in mainline and stable.  
> > Yes, it does fix the Oops for me.  
> 
> Thx for the feedback. The patch hit mainline late last week (it's
> included in rc7) and should hopefully make it to the stable trees in a
> week or two.

I got the queued notification from James last week and kept an eye
at the state on patchwork before that.

> > I did not analyze the reason why rsp->msix is NULL (no idea if
> > it remains NULL forever on my hardware) - I just extracted messages
> > from qla driver shown during boot which seem to indicate a possible
> > reason why msix is NULL.
> > Further analysis should be done by someone with better knowledge of qla
> > driver than mine though I would be happy to perform tests.  
> 
> I have no idea about the details, but in case you missed it, this
> discussion might have some more relevant details:
> http://thread.gmane.org/gmane.linux.kernel/2247804/focus=2250727

I didn't see that thread, though it does have some insight.
Thanks for the reference!

Bruno

> Cheers, Thorsten