Re: [PATCH v2 06/11] qla2xxx: complete command early within lock

[Himanshu Madhani <himanshu.madhani@oracle.com>]

On 7/10/24 10:10 AM, Nilesh Javali wrote:
> From: Shreyas Deodhar <sdeodhar@marvell.com>
> 
> A crash was observed while performing NPIV and FW reset,
> 
>   BUG: kernel NULL pointer dereference, address: 000000000000001c
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 0 P4D 0
>   Oops: 0000 1 PREEMPT_RT SMP NOPTI
>   RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0
>   RSP: 0018:ffffc90026f47b88 EFLAGS: 00010246
>   RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000002
>   RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8881041130d0
>   RBP: ffff8881041130d0 R08: 0000000000000000 R09: 0000000000000034
>   R10: ffffc90026f47c48 R11: 0000000000000031 R12: 0000000000000000
>   R13: 0000000000000000 R14: ffff8881565e4a20 R15: 0000000000000000
>   FS: 00007f4c69ed3d00(0000) GS:ffff889faac80000(0000) knlGS:0000000000000000
>   CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 000000000000001c CR3: 0000000288a50002 CR4: 00000000007706e0
>   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>   PKRU: 55555554
>   Call Trace:
>   <TASK>
>   ? __die_body+0x1a/0x60
>   ? page_fault_oops+0x16f/0x4a0
>   ? do_user_addr_fault+0x174/0x7f0
>   ? exc_page_fault+0x69/0x1a0
>   ? asm_exc_page_fault+0x22/0x30
>   ? dma_direct_unmap_sg+0x51/0x1e0
>   ? preempt_count_sub+0x96/0xe0
>   qla2xxx_qpair_sp_free_dma+0x29f/0x3b0 [qla2xxx]
>   qla2xxx_qpair_sp_compl+0x60/0x80 [qla2xxx]
>   __qla2x00_abort_all_cmds+0xa2/0x450 [qla2xxx]
> 
> The command completion was done early while aborting the
> commands in driver unload path but outside lock to
> avoid the WARN_ON condition of performing dma_free_attr
> within the lock. However this caused race condition
> while command completion via multiple paths causing system
> crash.
> 
> Hence complete the command early in unload path
> but within the lock to avoid race condition.
> 
> Fixes: 0367076b0817 ("scsi: qla2xxx: Perform lockless command completion in abort path")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
> Signed-off-by: Nilesh Javali <njavali@marvell.com>
> ---
>   drivers/scsi/qla2xxx/qla_os.c | 5 -----
>   1 file changed, 5 deletions(-)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
> index 70f43eab3f01..e4056cddb727 100644
> --- a/drivers/scsi/qla2xxx/qla_os.c
> +++ b/drivers/scsi/qla2xxx/qla_os.c
> @@ -1875,14 +1875,9 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
>   	for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
>   		sp = req->outstanding_cmds[cnt];
>   		if (sp) {
> -			/*
> -			 * perform lockless completion during driver unload
> -			 */
>   			if (qla2x00_chip_is_down(vha)) {
>   				req->outstanding_cmds[cnt] = NULL;
> -				spin_unlock_irqrestore(qp->qp_lock_ptr, flags);
>   				sp->done(sp, res);
> -				spin_lock_irqsave(qp->qp_lock_ptr, flags);
>   				continue;
>   			}
>   

Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>

-- 
Himanshu Madhani                                Oracle Linux Engineering