From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=XNML=R3=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9C46FC43381
	for <stable@archiver.kernel.org>; Sun, 24 Mar 2019 20:16:23 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 691872082F
	for <stable@archiver.kernel.org>; Sun, 24 Mar 2019 20:16:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1553458583;
	bh=LcECLoN9HbGwg1f52REpbYfSDD+XrLhZmf+UUlY4b8c=;
	h=Subject:To:Cc:From:Date:List-ID:From;
	b=J/XY2F4bomlcDQpTI9GPpwTbitee4DpSDitsfGl7tt8/usgDcLR+r1fqEfkGmv3tq
	 jRrOZOAJX+Upk8ccE2bKIBQyToOSqIAkg9NV6EiuyTWbvZWSIfPgovDOosILhvx+IL
	 ePPY2nHtVVdDcCYbOqOQ808MKoeO2LUPzNKCg5gk=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728072AbfCXUQX (ORCPT <rfc822;stable@archiver.kernel.org>);
        Sun, 24 Mar 2019 16:16:23 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:59525 "EHLO
        out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726317AbfCXUQW (ORCPT
        <rfc822;stable@vger.kernel.org>); Sun, 24 Mar 2019 16:16:22 -0400
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46])
        by mailout.nyi.internal (Postfix) with ESMTP id F011E21286;
        Sun, 24 Mar 2019 16:16:21 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute6.internal (MEProxy); Sun, 24 Mar 2019 16:16:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
        messagingengine.com; h=cc:content-transfer-encoding:content-type
        :date:from:message-id:mime-version:subject:to:x-me-proxy
        :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=y2FL01
        aHW0Sw88vitRnmkJLc+HCUGPSRj8nX2w45PF8=; b=1qakDyRIdM3H8IGeRp7QSB
        HgIXHU1YEZrcDrkDtQseQSwNUdlT3jYl4ZNCLWHkN11UjEyetQ4O6N3epSp61rVa
        GFLUoAiextXfgQ4W2/XbYqHdbMec+0lj1xrEgP6h+BOtC/xmJt4nDOOB7PNmoRjh
        8q1GPLn9OwgqfLrMKL3C3PpqwWftDhKp8FlA1AbLkkDGrA0pZgMDoXwERNfo+zuP
        +Ac8NFQLVXaf27rXF33UO/I9F1TII7U1jyjH+NNGZeU24DiG1wJqKzT26STvfbuk
        MA0lktmi2MepNPDNl2/EoJxDweZFM4t6ecIvHhbqNffCaLz3nDZkQ0VYzCot9CPQ
        ==
X-ME-Sender: <xms:leWXXPLdYJyCyv4yH13Wxg4q94PGrz_J-o_R34I956ImCazldDzNfA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrjeeigddufeehucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefuvffhfffkgggtgfesthekredttd
    dtlfenucfhrhhomhepoehgrhgvghhkhheslhhinhhugihfohhunhgurghtihhonhdrohhr
    gheqnecukfhppeekkedruddvkedrkedtrddukeelnecurfgrrhgrmhepmhgrihhlfhhroh
    hmpehgrhgvgheskhhrohgrhhdrtghomhenucevlhhushhtvghrufhiiigvpeeg
X-ME-Proxy: <xmx:leWXXDsSr2Ncbhbb4BGlwW7tAnlAZh6snFL2XkL2DoLqATHPK98wtQ>
    <xmx:leWXXAn08QyRoKJu23FH6_Jy9DUrYClkTtQe4MOBHyRJRPPy8181Vw>
    <xmx:leWXXClK29IlrLHw3-S9QpbDeW64npQUHit1SBuNVhzdIUXYT-nVRg>
    <xmx:leWXXDld93pYLicnKNWZcObqkthgEQ9mdc830x3Y40BbgAcO4ojpUQ>
Received: from localhost (unknown [88.128.80.189])
        by mail.messagingengine.com (Postfix) with ESMTPA id C122CE465F;
        Sun, 24 Mar 2019 16:16:19 -0400 (EDT)
Subject: FAILED: patch "[PATCH] scsi: ibmvscsi: Fix empty event pool access during host" failed to apply to 4.9-stable tree
To:     tyreld@linux.vnet.ibm.com, martin.petersen@oracle.com,
        stable@vger.kernel.org
Cc:     <stable@vger.kernel.org>
From:   <gregkh@linuxfoundation.org>
Date:   Sun, 24 Mar 2019 21:12:35 +0100
Message-ID: <155345835513065@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org


The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From 7f5203c13ba8a7b7f9f6ecfe5a4d5567188d7835 Mon Sep 17 00:00:00 2001
From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Date: Wed, 20 Mar 2019 13:41:51 -0500
Subject: [PATCH] scsi: ibmvscsi: Fix empty event pool access during host
 removal

The event pool used for queueing commands is destroyed fairly early in the
ibmvscsi_remove() code path. Since, this happens prior to the call so
scsi_remove_host() it is possible for further calls to queuecommand to be
processed which manifest as a panic due to a NULL pointer dereference as
seen here:

PANIC: "Unable to handle kernel paging request for data at address
0x00000000"

Context process backtrace:

DSISR: 0000000042000000 ????Syscall Result: 0000000000000000
4 [c000000002cb3820] memcpy_power7 at c000000000064204
[Link Register] [c000000002cb3820] ibmvscsi_send_srp_event at d000000003ed14a4
5 [c000000002cb3920] ibmvscsi_send_srp_event at d000000003ed14a4 [ibmvscsi] ?(unreliable)
6 [c000000002cb39c0] ibmvscsi_queuecommand at d000000003ed2388 [ibmvscsi]
7 [c000000002cb3a70] scsi_dispatch_cmd at d00000000395c2d8 [scsi_mod]
8 [c000000002cb3af0] scsi_request_fn at d00000000395ef88 [scsi_mod]
9 [c000000002cb3be0] __blk_run_queue at c000000000429860
10 [c000000002cb3c10] blk_delay_work at c00000000042a0ec
11 [c000000002cb3c40] process_one_work at c0000000000dac30
12 [c000000002cb3cd0] worker_thread at c0000000000db110
13 [c000000002cb3d80] kthread at c0000000000e3378
14 [c000000002cb3e30] ret_from_kernel_thread at c00000000000982c

The kernel buffer log is overfilled with this log:

[11261.952732] ibmvscsi: found no event struct in pool!

This patch reorders the operations during host teardown. Start by calling
the SRP transport and Scsi_Host remove functions to flush any outstanding
work and set the host offline. LLDD teardown follows including destruction
of the event pool, freeing the Command Response Queue (CRQ), and unmapping
any persistent buffers. The event pool destruction is protected by the
scsi_host lock, and the pool is purged prior of any requests for which we
never received a response. Finally, move the removal of the scsi host from
our global list to the end so that the host is easily locatable for
debugging purposes during teardown.

Cc: <stable@vger.kernel.org> # v2.6.12+
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c
index 2b22969f3f63..8cec5230fe31 100644
--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -2295,17 +2295,27 @@ static int ibmvscsi_probe(struct vio_dev *vdev, const struct vio_device_id *id)
 static int ibmvscsi_remove(struct vio_dev *vdev)
 {
 	struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
-	spin_lock(&ibmvscsi_driver_lock);
-	list_del(&hostdata->host_list);
-	spin_unlock(&ibmvscsi_driver_lock);
-	unmap_persist_bufs(hostdata);
+	unsigned long flags;
+
+	srp_remove_host(hostdata->host);
+	scsi_remove_host(hostdata->host);
+
+	purge_requests(hostdata, DID_ERROR);
+
+	spin_lock_irqsave(hostdata->host->host_lock, flags);
 	release_event_pool(&hostdata->pool, hostdata);
+	spin_unlock_irqrestore(hostdata->host->host_lock, flags);
+
 	ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
 					max_events);
 
 	kthread_stop(hostdata->work_thread);
-	srp_remove_host(hostdata->host);
-	scsi_remove_host(hostdata->host);
+	unmap_persist_bufs(hostdata);
+
+	spin_lock(&ibmvscsi_driver_lock);
+	list_del(&hostdata->host_list);
+	spin_unlock(&ibmvscsi_driver_lock);
+
 	scsi_host_put(hostdata->host);
 
 	return 0;