OpenCloudOS-Kernel/drivers/scsi/qla2xxx
himanshu.madhani@cavium.com 1514839b36 scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
This patch fixes a NULL pointer crash due to an active timer running for abort
IOCB.

From crash dump analysis it was discovered that get_next_timer_interrupt()
encountered a corrupted entry on the timer list.

 #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
    [exception RIP: get_next_timer_interrupt+440]
    RIP: ffffffff90ea3088  RSP: ffff95e1f6f0fdf0  RFLAGS: 00010013
    RAX: ffff95e1f6451028  RBX: 000218e2389e5f40  RCX: 00000001232ad600
    RDX: 0000000000000001  RSI: ffff95e1f6f0fdf0  RDI: 0000000001232ad6
    RBP: ffff95e1f6f0fe40   R8: ffff95e1f6451188   R9: 0000000000000001
    R10: 0000000000000016  R11: 0000000000000016  R12: 00000001232ad5f6
    R13: ffff95e1f6450000  R14: ffff95e1f6f0fdf8  R15: ffff95e1f6f0fe10
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

Looking at the assembly of get_next_timer_interrupt(), the address came
from %r8 (ffff95e1f6451188), which is pointing to a list_head with a single
entry at ffff95e5ff621178.

 0xffffffff90ea307a <get_next_timer_interrupt+426>:      mov    (%r8),%rdx
 0xffffffff90ea307d <get_next_timer_interrupt+429>:      cmp    %r8,%rdx
 0xffffffff90ea3080 <get_next_timer_interrupt+432>:      je     0xffffffff90ea30a7 <get_next_timer_interrupt+471>
 0xffffffff90ea3082 <get_next_timer_interrupt+434>:      nopw   0x0(%rax,%rax,1)
 0xffffffff90ea3088 <get_next_timer_interrupt+440>:      testb  $0x1,0x18(%rdx)

 crash> rd ffff95e1f6451188 10
 ffff95e1f6451188:  ffff95e5ff621178 ffff95e5ff621178   x.b.....x.b.....
 ffff95e1f6451198:  ffff95e1f6451198 ffff95e1f6451198   ..E.......E.....
 ffff95e1f64511a8:  ffff95e1f64511a8 ffff95e1f64511a8   ..E.......E.....
 ffff95e1f64511b8:  ffff95e77cf509a0 ffff95e77cf509a0   ...|.......|....
 ffff95e1f64511c8:  ffff95e1f64511c8 ffff95e1f64511c8   ..E.......E.....

 crash> rd ffff95e5ff621178 10
 ffff95e5ff621178:  0000000000000001 ffff95e15936aa00   ..........6Y....
 ffff95e5ff621188:  0000000000000000 00000000ffffffff   ................
 ffff95e5ff621198:  00000000000000a0 0000000000000010   ................
 ffff95e5ff6211a8:  ffff95e5ff621198 000000000000000c   ..b.............
 ffff95e5ff6211b8:  00000f5800000000 ffff95e751f8d720   ....X... ..Q....

 ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.

 CACHE            NAME                 OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE
 ffff95dc7fd74d00 mnt_cache                384      19785     24948    594    16k
   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
   ffffdc5dabfd8800  ffff95e5ff620000     1     42         29    13
   FREE / [ALLOCATED]
    ffff95e5ff621080  (cpu 6 cache)

Examining the contents of that memory reveals a pointer to a constant string
in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().

 crash> rd ffffffffc059277c 20
 ffffffffc059277c:  6e490074726f6261 0074707572726574   abort.Interrupt.
 ffffffffc059278c:  00676e696c6c6f50 6920726576697244   Polling.Driver i
 ffffffffc059279c:  646f6d207325206e 6974736554000a65   n %s mode..Testi
 ffffffffc05927ac:  636976656420676e 786c252074612065   ng device at %lx
 ffffffffc05927bc:  6b63656843000a2e 646f727020676e69   ...Checking prod
 ffffffffc05927cc:  6f20444920746375 0a2e706968632066   uct ID of chip..
 ffffffffc05927dc:  5120646e756f4600 204130303232414c   .Found QLA2200A
 ffffffffc05927ec:  43000a2e70696843 20676e696b636568   Chip...Checking
 ffffffffc05927fc:  65786f626c69616d 6c636e69000a2e73   mailboxes...incl
 ffffffffc059280c:  756e696c2f656475 616d2d616d642f78   ude/linux/dma-ma

 crash> struct -ox srb_iocb
 struct srb_iocb {
           union {
               struct {...} logio;
               struct {...} els_logo;
               struct {...} tmf;
               struct {...} fxiocb;
               struct {...} abt;
               struct ct_arg ctarg;
               struct {...} mbx;
               struct {...} nack;
    [0x0 ] } u;
    [0xb8] struct timer_list timer;
    [0x108] void (*timeout)(void *);
 }
 SIZE: 0x110

 crash> ! bc
 ibase=16
 obase=10
 B8+40
 F8

The object is a srb_t, and at offset 0xf8 within that structure
(i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.

Cc: <stable@vger.kernel.org> #4.4+
Fixes: 4440e46d5d ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-03-01 20:16:33 -05:00
Kconfig scsi: qla2xxx: avoid unused-function warning 2017-07-01 17:14:58 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
qla_attr.c scsi: qla2xxx: Use zeroing allocator rather than allocator/memset 2018-01-04 01:09:26 -05:00
qla_bsg.c scsi: qla2xxx: Use zeroing allocator rather than allocator/memset 2018-01-04 01:09:26 -05:00
qla_bsg.h qla2xxx: Add bsg interface to support statistics counter reset. 2016-07-15 15:35:37 -04:00
qla_dbg.c scsi: qla2xxx: Remove potential macro parameter side-effect in ql_dump_regs() 2017-08-24 22:29:28 -04:00
qla_dbg.h scsi: qla2xxx: Include Exchange offload/Extended Login into FW dump 2017-06-27 21:21:41 -04:00
qla_def.h scsi: qla2xxx: Fix queue ID for async abort with Multiqueue 2018-01-22 20:03:26 -05:00
qla_devtbl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
qla_dfs.c scsi: qla2xxx: Add XCB counters to debugfs 2018-01-22 20:03:54 -05:00
qla_fw.h scsi: qla2xxx: Fix session cleanup for N2N 2018-01-03 23:41:06 -05:00
qla_gbl.h scsi: qla2xxx: Serialize session deletion by using work_lock 2018-01-03 23:41:08 -05:00
qla_gs.c scsi: qla2xxx: remove redundant assignment of d 2018-01-10 23:25:10 -05:00
qla_init.c scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS 2018-03-01 20:16:33 -05:00
qla_inline.h scsi: qla2xxx: Use IOCB path to submit Control VP MBX command 2018-01-03 23:41:04 -05:00
qla_iocb.c scsi: qla2xxx: Fix incorrect handle for abort IOCB 2018-02-13 21:35:39 -05:00
qla_isr.c scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() 2018-01-30 21:33:10 -05:00
qla_mbx.c scsi: qla2xxx: Serialize session deletion by using work_lock 2018-01-03 23:41:08 -05:00
qla_mid.c scsi: qla2xxx: Reduce trace noise for Async Events 2018-01-03 23:41:06 -05:00
qla_mr.c scsi: qla2xxx: don't break the bsg-lib abstractions 2017-10-16 23:46:21 -04:00
qla_mr.h
qla_nvme.c qla2xxx: remove use of FC-specific error codes 2017-09-25 08:56:05 -06:00
qla_nvme.h scsi: qla2xxx: Move function prototype to correct header 2017-08-07 14:04:02 -04:00
qla_nx.c scsi: qla2xxx: fix a bunch of typos and spelling mistakes 2017-07-01 17:12:31 -04:00
qla_nx.h scsi: qla2xxx: remove writeq/readq function definitions 2017-06-12 20:48:08 -04:00
qla_nx2.c scsi: qla2xxx: remove duplicate includes 2017-12-11 21:52:38 -05:00
qla_nx2.h qla2xxx: Move two arrays from header files to .c files 2017-01-17 11:26:41 -08:00
qla_os.c scsi: qla2xxx: Fix memory corruption during hba reset test 2018-01-30 21:14:30 -05:00
qla_settings.h
qla_sup.c scsi: qla2xxx: Suppress gcc 7 fall-through warnings 2017-12-11 21:50:29 -05:00
qla_target.c scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els() 2018-02-06 18:11:58 -05:00
qla_target.h scsi: qla2xxx: Migrate switch registration commands away from mailbox interface 2018-01-03 23:41:07 -05:00
qla_tmpl.c scsi: qla2xxx: Fix Firmware dump size for Extended login and Exchange Offload 2018-01-03 23:41:05 -05:00
qla_tmpl.h qla2xxx: ISP27xx fwdump template error print simplification. 2014-09-25 14:25:02 +02:00
qla_version.h scsi: qla2xxx: Update driver version to 10.00.00.05-k 2018-01-22 20:03:55 -05:00
tcm_qla2xxx.c scsi: qla2xxx: Use zeroing allocator rather than allocator/memset 2018-01-04 01:09:26 -05:00
tcm_qla2xxx.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00