stable.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Himanshu Madhani <hmadhani@marvell.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 32/67] scsi: qla2xxx: Fix NULL pointer crash due to stale CPUID
Date: Fri, 29 Mar 2019 20:50:12 -0400
Message-ID: <20190330005047.25998-32-sashal@kernel.org>
In-Reply-To: <20190330005047.25998-1-sashal@kernel.org>

From: Himanshu Madhani <hmadhani@marvell.com>

[ Upstream commit ac444b4f0ace05d7c4c99f6b1e5b0cae0852f025 ]

This patch fixes crash due to NULL pointer dereference because CPU pointer
is not set and used by driver.  Instead, driver passes CPU as tag via
ha->isp_ops->{lun_reset|target_reset}

[   30.160780] qla2xxx [0000:a0:00.1]-8038:9: Cable is unplugged...
[   69.984045] qla2xxx [0000:a0:00.0]-8009:8: DEVICE RESET ISSUED nexus=8:0:0 cmd=00000000b0d62f46.
[   69.992849] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[   70.000680] PGD 0 P4D 0
[   70.003232] Oops: 0000 [#1] SMP PTI
[   70.006727] CPU: 2 PID: 6714 Comm: sg_reset Kdump: loaded Not tainted 4.18.0-67.el8.x86_64 #1
[   70.015258] Hardware name: NEC Express5800/T110j [N8100-2758Y]/MX32-PH0-NJ, BIOS F11 02/13/2019
[   70.024016] RIP: 0010:blk_mq_rq_cpu+0x9/0x10
[   70.028315] Code: 01 58 01 00 00 48 83 c0 28 48 3d 80 02 00 00 75 ab c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48
 8b 47 08 <8b> 40 40 c3 0f 1f 00 0f 1f 44 00 00 48 83 ec 10 48 c7 c6 20 6e 7c
[   70.047087] RSP: 0018:ffff99a481487d58 EFLAGS: 00010246
[   70.052322] RAX: 0000000000000000 RBX: ffffffffc041b08b RCX: 0000000000000000
[   70.059466] RDX: 0000000000000000 RSI: ffff8d10b6b16898 RDI: ffff8d10b341e400
[   70.066615] RBP: ffffffffc03a6bd0 R08: 0000000000000415 R09: 0000000000aaaaaa
[   70.073765] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8d10b341e528
[   70.080914] R13: ffff8d10aadefc00 R14: ffff8d0f64efa998 R15: ffff8d0f64efa000
[   70.088083] FS:  00007f90a201e540(0000) GS:ffff8d10b6b00000(0000) knlGS:0000000000000000
[   70.096188] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.101959] CR2: 0000000000000040 CR3: 0000000268886005 CR4: 00000000003606e0
[   70.109127] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.116277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.123425] Call Trace:
[   70.125896]  __qla2xxx_eh_generic_reset+0xb1/0x220 [qla2xxx]
[   70.131572]  scsi_ioctl_reset+0x1f5/0x2a0
[   70.135600]  scsi_ioctl+0x18e/0x397
[   70.139099]  ? sd_ioctl+0x7c/0x100 [sd_mod]
[   70.143287]  blkdev_ioctl+0x32b/0x9f0
[   70.146954]  ? __check_object_size+0xa3/0x181
[   70.151323]  block_ioctl+0x39/0x40
[   70.154735]  do_vfs_ioctl+0xa4/0x630
[   70.158322]  ? syscall_trace_enter+0x1d3/0x2c0
[   70.162769]  ksys_ioctl+0x60/0x90
[   70.166104]  __x64_sys_ioctl+0x16/0x20
[   70.169859]  do_syscall_64+0x5b/0x1b0
[   70.173532]  entry_SYSCALL_64_after_hwframe+0x65/0xca
[   70.178587] RIP: 0033:0x7f90a1b3445b
[   70.182183] Code: 0f 1e fa 48 8b 05 2d aa 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00
 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fd a9 2c 00 f7 d8 64 89 01 48
[   70.200956] RSP: 002b:00007fffdca88b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   70.208535] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f90a1b3445b
[   70.215684] RDX: 00007fffdca88b84 RSI: 0000000000002284 RDI: 0000000000000003
[   70.222833] RBP: 00007fffdca88ca8 R08: 00007fffdca88b84 R09: 0000000000000000
[   70.229981] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdca88b84
[   70.237131] R13: 0000000000000000 R14: 000055ab09b0bd28 R15: 0000000000000000
[   70.244284] Modules linked in: nft_chain_route_ipv4 xt_CHECKSUM nft_chain_nat_ipv4 ipt_MASQUERADE nf_nat_ipv4 nf_nat nf_conntrack_ipv4
 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c ipt_REJECT nf_reject_ipv4 nft_counter nft_compat tun bridge stp llc nf_tables nfnetli
nk devlink sunrpc vfat fat intel_rapl intel_pmc_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm wmi_bmof iTCO_wdt iTCO_
vendor_support irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif intel_cstate intel_uncore intel_rapl_perf ipmi_si jo
ydev pcspkr ipmi_devintf sg wmi ipmi_msghandler video acpi_power_meter acpi_pad mei_me i2c_i801 mei ip_tables ext4 mbcache jbd2 sr_mod cd
rom sd_mod qla2xxx ast i2c_algo_bit drm_kms_helper nvme_fc syscopyarea sysfillrect uas sysimgblt fb_sys_fops nvme_fabrics ttm
[   70.314805]  usb_storage nvme_core crc32c_intel scsi_transport_fc ahci drm libahci tg3 libata megaraid_sas pinctrl_cannonlake pinctrl_
intel
[   70.327335] CR2: 0000000000000040

Fixes: 9cf2bab630765 ("block: kill request ->cpu member")
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla2xxx/qla_os.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 7e35ce2162d0..503fda4e7e8e 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1459,7 +1459,7 @@ __qla2xxx_eh_generic_reset(char *name, enum nexus_wait_type type,
 		goto eh_reset_failed;
 	}
 	err = 2;
-	if (do_reset(fcport, cmd->device->lun, blk_mq_rq_cpu(cmd->request) + 1)
+	if (do_reset(fcport, cmd->device->lun, 1)
 		!= QLA_SUCCESS) {
 		ql_log(ql_log_warn, vha, 0x800c,
 		    "do_reset failed for cmd=%p.\n", cmd);
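
Review bot: the new third argument to do_reset() is a bare literal 1 with no comment, so a later reader cannot tell from this line that it replaces a per-CPU tag or why 1 is the right value. The commit message says this argument is handed on as a tag via ha->isp_ops->{lun_reset|target_reset}; a one-line comment above the call saying so, and noting that the request reaching this path from scsi_ioctl_reset (see the call trace) has no CPU context to read, would keep someone from restoring blk_mq_rq_cpu(cmd->request) here. The old expression produced a different value per submitting CPU and the new one is constant, so it is also worth confirming in the commit message that nothing downstream of lun_reset/target_reset depends on the tag varying; the hunk itself does not show how the tag is consumed.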
-- 
2.19.1

