forked from Minki/linux
dc6311dd2a
bnx2fc_queuecommand(): when allocating a new io_req, the tgt_lock spinlock must be locked before calling bnx2fc_cmd_alloc(). The spinlock should also be kept locked until bnx2fc_post_io_req() has been completed. If not, a kernel thread may call bnx2fc_process_cq_compl() that extracts the newly allocated io_req from hba->cmd_mgr->cmds and destroys it while it is still being used by bnx2fc_post_io_req(). BUG: unable to handle kernel NULL pointer dereference at 000000000000004c IP: [<ffffffffa03130da>] bnx2fc_init_task+0x6a/0x230 [bnx2fc] PGD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:02.0/0000:04:00.3/net/eth3/type CPU 33 Modules linked in: autofs4 target_core_iblock target_core_file target_core_pscsi target_core_mod configfs bnx2fc cnic uio fcoe libfcoe libfc scsi_transport_fc 8021q garp scsi_tgt stp llc cpufreq_ondemand freq_table pcc_cpufreq ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 power_meter microcode iTCO_wdt iTCO_vendor_support hpilo hpwdt sg bnx2x libcrc32c mdio serio_raw lpc_ich mfd_core shpchp ext4 jbd2 mbcache sd_mod crc_t10dif hpsa video output dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] Pid: 7355, comm: bnx2fc_thread/3 Not tainted 2.6.32-431.el6.x86_64 #1 HP ProLiant BL460c Gen8 RIP: 0010:[<ffffffffa03130da>] [<ffffffffa03130da>] bnx2fc_init_task+0x6a/0x230 [bnx2fc] RSP: 0018:ffff8820b0da3b68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff882003801080 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff882003801100 RBP: ffff8820b0da3bc8 R08: ffffffff8160d4e8 R09: 0000000000000040 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88400e600e00 R13: ffff8840108fbe40 R14: ffff88200ffe5400 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8820b0da0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 000000000000004c CR3: 0000002010b67000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process bnx2fc_thread/3 (pid: 7355, threadinfo ffff88401f940000, task ffff884012f5f540) Stack: ffff8820b0da3bc8 ffffffff81527303 ffff884000000020 ffff8820b0da3bd8 <d> ffff8820b0da3b98 000000028138931a ffff88400f506078 ffff88400e600e00 <d> ffff88200ffe5400 ffff88200ffe5590 0000000000000021 0000000000000002 Call Trace: <IRQ> [<ffffffff81527303>] ? printk+0x41/0x46 [<ffffffffa03169bc>] bnx2fc_post_io_req+0x11c/0x440 [bnx2fc] [<ffffffff812825b9>] ? cpumask_next_and+0x29/0x50 [<ffffffff8137ffd0>] ? scsi_done+0x0/0x60 [<ffffffffa0316df7>] bnx2fc_queuecommand+0x117/0x140 [bnx2fc] [<ffffffff81380245>] scsi_dispatch_cmd+0xe5/0x310 [<ffffffff81388b9e>] scsi_request_fn+0x5ee/0x7a0 [<ffffffff812658f1>] __blk_run_queue+0x31/0x40 [<ffffffff81265a40>] blk_run_queue+0x30/0x50 [<ffffffff81387da6>] scsi_run_queue+0xc6/0x270 [<ffffffff81260f92>] ? elv_requeue_request+0x52/0xa0 [<ffffffff813897a0>] scsi_requeue_command+0x90/0xb0 [<ffffffff81389b84>] scsi_io_completion+0x154/0x6c0 [<ffffffff8137ff62>] scsi_finish_command+0xc2/0x130 [<ffffffff8138a255>] scsi_softirq_done+0x145/0x170 [<ffffffff8126e865>] blk_done_softirq+0x85/0xa0 [<ffffffff8107a8e1>] __do_softirq+0xc1/0x1e0 [<ffffffff8100c30c>] ? call_softirq+0x1c/0x30 [<ffffffff8100c30c>] call_softirq+0x1c/0x30 <EOI> [<ffffffff8100fa75>] ? do_softirq+0x65/0xa0 [<ffffffff8107a40a>] local_bh_enable_ip+0x9a/0xb0 [<ffffffff8152a4eb>] _spin_unlock_bh+0x1b/0x20 [<ffffffffa0313937>] bnx2fc_process_cq_compl+0x257/0x2b0 [bnx2fc] [<ffffffffa03114ea>] bnx2fc_percpu_io_thread+0xea/0x160 [bnx2fc] [<ffffffffa0311400>] ? bnx2fc_percpu_io_thread+0x0/0x160 [bnx2fc] [<ffffffff8109aef6>] kthread+0x96/0xa0 [<ffffffff8100c20a>] child_rip+0xa/0x20 [<ffffffff8109ae60>] ? kthread+0x0/0xa0 [<ffffffff8100c200>] ? child_rip+0x0/0x20 Code: 89 df 45 8b 7e 30 0f 85 75 01 00 00 89 d1 31 c0 c1 e9 03 83 e2 04 89 c9 f3 48 ab 74 06 c7 07 00 00 00 00 49 89 9c 24 88 01 00 00 <83> 7e 4c 01 b8 01 00 00 00 0f 84 e7 00 00 00 89 c2 0a 53 38 41 RIP [<ffffffffa03130da>] bnx2fc_init_task+0x6a/0x230 [bnx2fc] RSP <ffff8820b0da3b68> CR2: 000000000000004c Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Acked-by: Chad Dupuis <chad.dupuis@qlogic.com> Signed-off-by: Christoph Hellwig <hch@lst.de> |
||
---|---|---|
.. | ||
aacraid | ||
aic7xxx | ||
aic94xx | ||
arcmsr | ||
arm | ||
be2iscsi | ||
bfa | ||
bnx2fc | ||
bnx2i | ||
csiostor | ||
cxgbi | ||
device_handler | ||
dpt | ||
esas2r | ||
fcoe | ||
fnic | ||
ibmvscsi | ||
isci | ||
libfc | ||
libsas | ||
lpfc | ||
megaraid | ||
mpt2sas | ||
mpt3sas | ||
mvsas | ||
osd | ||
pcmcia | ||
pm8001 | ||
qla2xxx | ||
qla4xxx | ||
sym53c8xx_2 | ||
ufs | ||
.gitignore | ||
3w-9xxx.c | ||
3w-9xxx.h | ||
3w-sas.c | ||
3w-sas.h | ||
3w-xxxx.c | ||
3w-xxxx.h | ||
53c700_d.h_shipped | ||
53c700.c | ||
53c700.h | ||
53c700.scr | ||
a100u2w.c | ||
a100u2w.h | ||
a2091.c | ||
a2091.h | ||
a3000.c | ||
a3000.h | ||
a4000t.c | ||
advansys.c | ||
aha152x.c | ||
aha152x.h | ||
aha1542.c | ||
aha1542.h | ||
aha1740.c | ||
aha1740.h | ||
atari_NCR5380.c | ||
atari_scsi.c | ||
atari_scsi.h | ||
atp870u.c | ||
atp870u.h | ||
BusLogic.c | ||
BusLogic.h | ||
bvme6000_scsi.c | ||
ch.c | ||
constants.c | ||
dc395x.c | ||
dc395x.h | ||
dmx3191d.c | ||
dpt_i2o.c | ||
dpti.h | ||
dtc.c | ||
dtc.h | ||
eata_generic.h | ||
eata_pio.c | ||
eata_pio.h | ||
eata.c | ||
esp_scsi.c | ||
esp_scsi.h | ||
fdomain.c | ||
fdomain.h | ||
FlashPoint.c | ||
g_NCR5380_mmio.c | ||
g_NCR5380.c | ||
g_NCR5380.h | ||
gdth_ioctl.h | ||
gdth_proc.c | ||
gdth_proc.h | ||
gdth.c | ||
gdth.h | ||
gvp11.c | ||
gvp11.h | ||
hosts.c | ||
hpsa_cmd.h | ||
hpsa.c | ||
hpsa.h | ||
hptiop.c | ||
hptiop.h | ||
imm.c | ||
imm.h | ||
in2000.c | ||
in2000.h | ||
initio.c | ||
initio.h | ||
ipr.c | ||
ipr.h | ||
ips.c | ||
ips.h | ||
iscsi_boot_sysfs.c | ||
iscsi_tcp.c | ||
iscsi_tcp.h | ||
jazz_esp.c | ||
Kconfig | ||
lasi700.c | ||
libiscsi_tcp.c | ||
libiscsi.c | ||
mac53c94.c | ||
mac53c94.h | ||
mac_esp.c | ||
mac_scsi.c | ||
mac_scsi.h | ||
Makefile | ||
megaraid.c | ||
megaraid.h | ||
mesh.c | ||
mesh.h | ||
mvme16x_scsi.c | ||
mvme147.c | ||
mvme147.h | ||
mvumi.c | ||
mvumi.h | ||
ncr53c8xx.c | ||
ncr53c8xx.h | ||
NCR53c406a.c | ||
NCR5380.c | ||
NCR5380.h | ||
NCR_D700.c | ||
NCR_D700.h | ||
NCR_Q720.c | ||
NCR_Q720.h | ||
nsp32_debug.c | ||
nsp32_io.h | ||
nsp32.c | ||
nsp32.h | ||
osst_detect.h | ||
osst_options.h | ||
osst.c | ||
osst.h | ||
pas16.c | ||
pas16.h | ||
pmcraid.c | ||
pmcraid.h | ||
ppa.c | ||
ppa.h | ||
ps3rom.c | ||
qla1280.c | ||
qla1280.h | ||
qlogicfas408.c | ||
qlogicfas408.h | ||
qlogicfas.c | ||
qlogicpti.c | ||
qlogicpti.h | ||
raid_class.c | ||
script_asm.pl | ||
scsi_debug.c | ||
scsi_devinfo.c | ||
scsi_error.c | ||
scsi_ioctl.c | ||
scsi_lib_dma.c | ||
scsi_lib.c | ||
scsi_logging.h | ||
scsi_module.c | ||
scsi_netlink.c | ||
scsi_pm.c | ||
scsi_priv.h | ||
scsi_proc.c | ||
scsi_sas_internal.h | ||
scsi_scan.c | ||
scsi_sysctl.c | ||
scsi_sysfs.c | ||
scsi_trace.c | ||
scsi_transport_api.h | ||
scsi_transport_fc.c | ||
scsi_transport_iscsi.c | ||
scsi_transport_sas.c | ||
scsi_transport_spi.c | ||
scsi_transport_srp.c | ||
scsi_typedefs.h | ||
scsi.c | ||
scsi.h | ||
scsicam.c | ||
sd_dif.c | ||
sd.c | ||
sd.h | ||
ses.c | ||
sg.c | ||
sgiwd93.c | ||
sim710.c | ||
sni_53c710.c | ||
sr_ioctl.c | ||
sr_vendor.c | ||
sr.c | ||
sr.h | ||
st_options.h | ||
st.c | ||
st.h | ||
stex.c | ||
storvsc_drv.c | ||
sun3_NCR5380.c | ||
sun3_scsi_vme.c | ||
sun3_scsi.c | ||
sun3_scsi.h | ||
sun3x_esp.c | ||
sun_esp.c | ||
sym53c416.c | ||
sym53c416.h | ||
t128.c | ||
t128.h | ||
tmscsim.c | ||
tmscsim.h | ||
u14-34f.c | ||
ultrastor.c | ||
ultrastor.h | ||
virtio_scsi.c | ||
vmw_pvscsi.c | ||
vmw_pvscsi.h | ||
wd33c93.c | ||
wd33c93.h | ||
wd7000.c | ||
xen-scsifront.c | ||
zalon.c | ||
zorro7xx.c |