authorHannes Reinecke <hare@suse.de>2018-10-12 12:14:58 +0200
committerHannes Reinecke <hare@suse.de>2018-10-12 12:40:42 +0200
commit253059723812689a3587c55bb17493a688b0a54b (patch)
treecac41222cf7a9c4ebf8b4fc2e8756bf3b9273ea3
parent2832917e890eb903aa77147901a49d0db06390dd (diff)
scsi: qla2xxx: Fix for double free of SRB structure
(bsc#1108870).
-rw-r--r--patches.fixes/scsi-qla2xxx-Fix-for-double-free-of-SRB-structure.patch105
-rw-r--r--series.conf1
2 files changed, 106 insertions, 0 deletions
diff --git a/patches.fixes/scsi-qla2xxx-Fix-for-double-free-of-SRB-structure.patch b/patches.fixes/scsi-qla2xxx-Fix-for-double-free-of-SRB-structure.patch
new file mode 100644
index 0000000000..ba8574d15e
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-Fix-for-double-free-of-SRB-structure.patch
@@ -0,0 +1,105 @@
+From: Giridhar Malavali <giridhar.malavali@cavium.com>
+Date: Wed, 26 Sep 2018 22:05:17 -0700
+Subject: [PATCH] scsi: qla2xxx: Fix for double free of SRB structure
+Git-commit: bcc71cc3cde1468958a3ea859276d8d1a1a68265
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git
+Patch-mainline: Queued in subsystem maintainer repository
+References: bsc#1108870
+
+This patch fixes issue during switch command query where driver was freeing
+SRB resources multiple times
+
+Following stack trace will be seen
+[ 853.436234] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000001
+[ 853.436348] IP: [<ffffffff811df514>] kmem_cache_alloc+0x74/0x1e0
+[ 853.436476] PGD 0
+[ 853.436601] Oops: 0000 [#1] SMP
+
+[ 853.454700] [<ffffffff81099f6a>] ? mod_timer+0x14a/0x220
+[ 853.455543] [<ffffffff81185465>] mempool_alloc_slab+0x15/0x20
+[ 853.456395] [<ffffffff811855a9>] mempool_alloc+0x69/0x170
+[ 853.457257] [<ffffffff81098af2>] ? internal_add_timer+0x32/0x70
+[ 853.458136] [<ffffffffc0092d2b>] qla2xxx_queuecommand+0x29b/0x3f0 [qla2xxx]
+[ 853.459024] [<ffffffff8146535a>] scsi_dispatch_cmd+0xaa/0x230
+[ 853.459923] [<ffffffff8146e11f>] scsi_request_fn+0x4df/0x680
+[ 853.460829] [<ffffffff81029557>] ? __switch_to+0xd7/0x510
+[ 853.461747] [<ffffffff812f7113>] __blk_run_queue+0x33/0x40
+[ 853.462670] [<ffffffff812f7735>] blk_delay_work+0x25/0x40
+[ 853.463603] [<ffffffff810a882a>] process_one_work+0x17a/0x440
+[ 853.464546] [<ffffffff810a94f6>] worker_thread+0x126/0x3c0
+[ 853.465501] [<ffffffff810a93d0>] ? manage_workers.isra.24+0x2a0/0x2a0
+[ 853.466447] [<ffffffff810b099f>] kthread+0xcf/0xe0
+[ 853.467379] [<ffffffff810b08d0>] ? insert_kthread_work+0x40/0x40
+[ 853.470172] Code: db e2 7e 49 8b 50 08 4d 8b 20 49 8b 40 10 4d 85 e4 0f 84 20
+01 00 00 48 85 c0 0f 84 17 01 00 00 49 63 46 20 48 8d 4a 01 4d 8b 06 <49> 8b 1c
+04 4c 89 e0 65 49 0f c7 08 0f 94 c0 84 c0 74 ba 49 63
+[ 853.472072] RIP [<ffffffff811df514>] kmem_cache_alloc+0x74/0x1e0
+[ 853.472971] RSP <ffff88103726fc50>
+
+Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Giridhar Malavali <giridhar.malavali@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 3 +++
+ drivers/scsi/qla2xxx/qla_init.c | 15 +++++++++++++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
+index 4291e6324f8c..f4e8e9db7d2d 100644
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3027,6 +3027,9 @@ static void qla24xx_async_gpsc_sp_done(void *s, int res)
+ "Async done-%s res %x, WWPN %8phC \n",
+ sp->name, res, fcport->port_name);
+
++ if (res == QLA_FUNCTION_TIMEOUT)
++ return;
++
+ if (res == (DID_ERROR << 16)) {
+ /* entry status error */
+ goto done;
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index ae28586c8ef2..c898deeae4af 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -52,12 +52,14 @@ qla2x00_sp_timeout(struct timer_list *t)
+ struct srb_iocb *iocb;
+ struct req_que *req;
+ unsigned long flags;
++ struct qla_hw_data *ha = sp->vha->hw;
+
+- spin_lock_irqsave(sp->qpair->qp_lock_ptr, flags);
++ WARN_ON(irqs_disabled());
++ spin_lock_irqsave(&ha->hardware_lock, flags);
+ req = sp->qpair->req;
+ req->outstanding_cmds[sp->handle] = NULL;
+ iocb = &sp->u.iocb_cmd;
+- spin_unlock_irqrestore(sp->qpair->qp_lock_ptr, flags);
++ spin_unlock_irqrestore(&ha->hardware_lock, flags);
+ iocb->timeout(sp);
+ }
+
+@@ -970,6 +972,15 @@ void qla24xx_async_gpdb_sp_done(void *s, int res)
+
+ fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE);
+
++ if (res == QLA_FUNCTION_TIMEOUT)
++ return;
++
++ if (res == QLA_FUNCTION_TIMEOUT) {
++ dma_pool_free(sp->vha->hw->s_dma_pool, sp->u.iocb_cmd.u.mbx.in,
++ sp->u.iocb_cmd.u.mbx.in_dma);
++ return;
++ }
++
+ memset(&ea, 0, sizeof(ea));
+ ea.event = FCME_GPDB_DONE;
+ ea.fcport = fcport;
+--
+2.16.4
+
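Review bot: The second `if (res == QLA_FUNCTION_TIMEOUT) { ... }` block that the added patch introduces in qla24xx_async_gpdb_sp_done (qla_init.c part of the new file) is unreachable, because the bare `if (res == QLA_FUNCTION_TIMEOUT) return;` inserted two lines above it already leaves the function on the same condition, so the `dma_pool_free(sp->vha->hw->s_dma_pool, sp->u.iocb_cmd.u.mbx.in, sp->u.iocb_cmd.u.mbx.in_dma);` call never executes. Whether the timeout path releases that mailbox buffer elsewhere cannot be seen from this hunk; if the free is intended here, drop the two-line early return and keep the braced block, otherwise drop the braced block so the function states a single behaviour for the timeout case. The matching early return added to qla24xx_async_gpsc_sp_done in the qla_gs.c part has no free, which suggests the braced block is a leftover worth resolving before the patch is carried. Both patched functions, and the series.conf context, start and end outside the hunk.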
diff --git a/series.conf b/series.conf
index b3af08363a..227baac3a4 100644
--- a/series.conf
+++ b/series.conf
@@ -17927,6 +17927,7 @@
patches.fixes/scsi-qla2xxx-Fix-re-using-LoopID-when-handle-is-in-u.patch
patches.fixes/scsi-qla2xxx-Fix-driver-hang-when-FC-NVMe-LUNs-are-c.patch
patches.fixes/scsi-qla2xxx-Fix-recursive-mailbox-timeout.patch
+ patches.fixes/scsi-qla2xxx-Fix-for-double-free-of-SRB-structure.patch
# git://git.infradead.org/nvme.git nvme-4.20
patches.fixes/nvme_fc-add-nvme_discovery-sysfs-attribute-to-fc-tra.patch