linux/drivers/scsi/qla2xxx
Roman Bolshakov f2c9ee54a5 scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd
If ABTS cannot be completed in target mode, the driver attempts to free
related management command and crashes:

  NIP [d000000019181ee8] tcm_qla2xxx_free_mcmd+0x40/0x80 [tcm_qla2xxx]
  LR [d00000001dc1e6f8] qlt_response_pkt+0x190/0xa10 [qla2xxx]
  Call Trace:
  [c000003fff27bb50] [c000003fff27bc10] 0xc000003fff27bc10 (unreliable)
  [c000003fff27bb70] [d00000001dc1e6f8] qlt_response_pkt+0x190/0xa10 [qla2xxx]
  [c000003fff27bc10] [d00000001dbc2be0] qla24xx_process_response_queue+0x5d8/0xbd0 [qla2xxx]
  [c000003fff27bd50] [d00000001dbc632c] qla24xx_msix_rsp_q+0x64/0x150 [qla2xxx]
  [c000003fff27bde0] [c000000000187200] __handle_irq_event_percpu+0x90/0x310
  [c000003fff27bea0] [c0000000001874b8] handle_irq_event_percpu+0x38/0x90
  [c000003fff27bee0] [c000000000187574] handle_irq_event+0x64/0xb0
  [c000003fff27bf10] [c00000000018cd38] handle_fasteoi_irq+0xe8/0x280
  [c000003fff27bf40] [c000000000185ccc] generic_handle_irq+0x4c/0x70
  [c000003fff27bf60] [c000000000016cec] __do_irq+0x7c/0x1d0
  [c000003fff27bf90] [c00000000002a530] call_do_irq+0x14/0x24
  [c00000207d2cba90] [c000000000016edc] do_IRQ+0x9c/0x130
  [c00000207d2cbae0] [c000000000008bf4] hardware_interrupt_common+0x114/0x120
  --- interrupt: 501 at arch_local_irq_restore+0x74/0x90
      LR = arch_local_irq_restore+0x74/0x90
  [c00000207d2cbdd0] [c0000000001c64fc] tick_broadcast_oneshot_control+0x4c/0x60 (unreliable)
  [c00000207d2cbdf0] [c0000000007ac840] cpuidle_enter_state+0xf0/0x450
  [c00000207d2cbe50] [c00000000016b81c] call_cpuidle+0x4c/0x90
  [c00000207d2cbe70] [c00000000016bc30] do_idle+0x2b0/0x330
  [c00000207d2cbec0] [c00000000016beec] cpu_startup_entry+0x3c/0x50
  [c00000207d2cbef0] [c00000000004a06c] start_secondary+0x63c/0x670
  [c00000207d2cbf90] [c00000000000aa6c] start_secondary_prolog+0x10/0x14

The crash can be triggered by ACL deletion when there's active I/O.

During ACL deletion, qla2xxx performs implicit LOGO that's invisible for
the initiator. Only the driver and firmware are aware of the logout.
Therefore the initiator continues to send SCSI commands and the target
always responds with SAM STATUS BUSY as it can't find the session.

The command times out after a while and initiator invokes ABORT TASK TMF
for the command. The TMF is mapped to ABTS-LS in FCP. The target can't find
session for S_ID originating ABTS-LS so it never allocates mcmd.  And since
N_Port handle was deleted after LOGO, it is no longer valid and ABTS
Response IOCB is returned from firmware with status 31. Then free_mcmd is
invoked on NULL pointer and the kernel crashes.

[ 7734.578642] qla2xxx [0000:00:0c.0]-e837:6: ABTS_RECV_24XX: instance 0
[ 7734.578644] qla2xxx [0000:00:0c.0]-f811:6: qla_target(0): task abort (s_id=1:2:0, tag=1209504, param=0)
[ 7734.578645] find_sess_by_s_id: 0x010200
[ 7734.578645] Unable to locate s_id: 0x010200
[ 7734.578646] qla2xxx [0000:00:0c.0]-f812:6: qla_target(0): task abort for non-existent session
[ 7734.578648] qla2xxx [0000:00:0c.0]-e806:6: Sending task mgmt ABTS response (ha=c0000000d5819000, atio=c0000000d3fd4700, status=4
[ 7734.578730] qla2xxx [0000:00:0c.0]-e838:6: ABTS_RESP_24XX: compl_status 31
[ 7734.578732] qla2xxx [0000:00:0c.0]-e863:6: qla_target(0): ABTS_RESP_24XX failed 31 (subcode 19:a)
[ 7734.578740] Unable to handle kernel paging request for data at address 0x00000200

Fixes: 6b0431d6fa ("scsi: qla2xxx: Fix out of order Termination and ABTS response")
Cc: Quinn Tran <qutran@marvell.com>
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Thomas Abraham <tabraham@suse.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191125165702.1013-2-r.bolshakov@yadro.com
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Tested-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2019-12-09 18:27:42 -05:00
..
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile
qla_attr.c scsi: qla2xxx: Correctly retrieve and interpret active flash region 2019-12-09 18:03:07 -05:00
qla_bsg.c scsi: qla2xxx: Correctly retrieve and interpret active flash region 2019-12-09 18:03:07 -05:00
qla_bsg.h scsi: qla2xxx: Add 28xx flash primary/secondary status/image mechanism 2019-03-19 12:22:55 -04:00
qla_dbg.c scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const 2019-08-12 21:34:05 -04:00
qla_dbg.h scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path 2019-03-19 12:22:54 -04:00
qla_def.h scsi: qla2xxx: don't use zero for FC4_PRIORITY_NVME 2019-11-08 21:23:23 -05:00
qla_devtbl.h
qla_dfs.c scsi: qla2xxx: Reduce the number of casts in GID list code 2019-08-12 21:34:05 -04:00
qla_dsd.h scsi: qla2xxx: Include the <asm/unaligned.h> header file from qla_dsd.h 2019-08-12 21:34:04 -04:00
qla_fw.h scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX 2019-12-09 18:03:07 -05:00
qla_gbl.h scsi: qla2xxx: Fix device connect issues in P2P configuration 2019-11-08 21:15:42 -05:00
qla_gs.c scsi: qla2xxx: unregister ports after GPN_FT failure 2019-11-26 21:33:56 -05:00
qla_init.c scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan 2019-11-26 21:33:17 -05:00
qla_inline.h scsi: qla2xxx: don't use zero for FC4_PRIORITY_NVME 2019-11-08 21:23:23 -05:00
qla_iocb.c scsi: qla2xxx: Fix device connect issues in P2P configuration 2019-11-08 21:15:42 -05:00
qla_isr.c scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI 2019-11-26 21:39:03 -05:00
qla_mbx.c SCSI misc on 20191130 2019-12-02 13:37:02 -08:00
qla_mid.c SCSI misc on 20191130 2019-12-02 13:37:02 -08:00
qla_mr.c scsi: qla2xxx: Complain if sp->done() is not called from the completion path 2019-08-12 21:34:09 -04:00
qla_mr.h scsi: qla2xxx: Introduce the dsd32 and dsd64 data structures 2019-04-29 17:24:51 -04:00
qla_nvme.c scsi: qla2xxx: Fix double scsi_done for abort path 2019-11-08 21:15:42 -05:00
qla_nvme.h scsi: qla2xxx: Modify NVMe include directives 2019-08-12 21:34:08 -04:00
qla_nx2.c scsi: qla2xxx: Suppress a Coveritiy complaint about integer overflow 2019-08-12 21:34:07 -04:00
qla_nx2.h
qla_nx.c scsi: qla2xxx: Fix driver reload for ISP82xx 2019-09-07 15:38:55 -04:00
qla_nx.h scsi: qla2xxx: Improve Linux kernel coding style conformance 2019-08-12 21:34:04 -04:00
qla_os.c SCSI misc on 20191130 2019-12-02 13:37:02 -08:00
qla_settings.h
qla_sup.c scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd 2019-12-09 18:03:07 -05:00
qla_target.c Merge branch '5.4/scsi-fixes' into 5.5/scsi-queue 2019-10-09 21:54:04 -04:00
qla_target.h scsi: qla2xxx: Introduce the be_id_t and le_id_t data types for FC src/dst IDs 2019-08-12 21:34:07 -04:00
qla_tmpl.c scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event 2019-10-09 22:26:35 -04:00
qla_tmpl.h scsi: qla2xxx: Correction and improvement to fwdt processing 2019-03-19 12:22:55 -04:00
qla_version.h scsi: qla2xxx: Update driver version to 10.01.00.21-k 2019-11-08 21:15:42 -05:00
tcm_qla2xxx.c scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd 2019-12-09 18:27:42 -05:00
tcm_qla2xxx.h scsi: qla2xxx: deadlock by configfs_depend_item 2018-12-19 21:26:38 -05:00