[PATCH 4.17 03/63] scsi: qla2xxx: Fix kernel crash due to late workqueue allocation

From: Greg Kroah-Hartman
Date: Mon Jul 23 2018 - 08:26:07 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.17 04/63] scsi: qla2xxx: Fix NULL pointer dereference for fcport search"
Previous message: Greg Kroah-Hartman: "[PATCH 4.17 02/63] scsi: qla2xxx: Fix inconsistent DMA mem alloc/free"
In reply to: Greg Kroah-Hartman: "[PATCH 4.17 02/63] scsi: qla2xxx: Fix inconsistent DMA mem alloc/free"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.17 04/63] scsi: qla2xxx: Fix NULL pointer dereference for fcport search"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: himanshu.madhani@xxxxxxxxxx <himanshu.madhani@xxxxxxxxxx>

commit d48cc67cd4406d589fdbfa8c7d51c86532f86feb upstream.

This patch fixes crash for FCoE adapter. Once driver initialization is
complete, firmware will start posting Asynchronous Event, However driver
has not yet allocated workqueue to process and queue up work. This delay
of allocating workqueue results into NULL pointer access.

The following stack trace is seen:

[ 24.577259] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102
[ 24.623133] PGD 0 P4D 0
[ 24.636760] Oops: 0000 [#1] SMP NOPTI
[ 24.656942] Modules linked in: i2c_algo_bit drm_kms_helper sr_mod(+) syscopyarea sysfillrect sysimgblt cdrom fb_sys_fops ata_generic ttm pata_acpi sd_mod ahci pata_atiixp sfc(+) qla2xxx(+) libahci drm qla4xxx(+) nvme_fc hpsa mdio libiscsi qlcnic(+) nvme_fabrics scsi_transport_sas serio_raw mtd crc32c_intel libata nvme_core i2c_core scsi_transport_iscsi tg3 scsi_transport_fc bnx2 iscsi_boot_sysfs dm_multipath dm_mirror dm_region_hash dm_log dm_mod
[ 24.887449] CPU: 0 PID: 177 Comm: kworker/0:3 Not tainted 4.17.0-rc6 #1
[ 24.925119] Hardware name: HP ProLiant DL385 G7, BIOS A18 08/15/2012
[ 24.962106] Workqueue: events work_for_cpu_fn
[ 24.987098] RIP: 0010:__queue_work+0x1f/0x3a0
[ 25.011672] RSP: 0018:ffff992642ceba10 EFLAGS: 00010082
[ 25.042116] RAX: 0000000000000082 RBX: 0000000000000082 RCX: 0000000000000000
[ 25.083293] RDX: ffff8cf9abc6d7d0 RSI: 0000000000000000 RDI: 0000000000002000
[ 25.123094] RBP: 0000000000000000 R08: 0000000000025a40 R09: ffff8cf9aade2880
[ 25.164087] R10: 0000000000000000 R11: ffff992642ceb6f0 R12: ffff8cf9abc6d7d0
[ 25.202280] R13: 0000000000002000 R14: ffff8cf9abc6d7b8 R15: 0000000000002000
[ 25.242050] FS: 0000000000000000(0000) f9b5c00000(0000) knlGS:0000000000000000
[ 25.977565] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.010457] CR2: 0000000000000102 CR3: 000000030760a000 CR4: 00000000000406f0
[ 26.051048] Call Trace:
[ 26.063572] ? __switch_to_asm+0x34/0x70
[ 26.086079] queue_work_on+0x24/0x40
[ 26.107090] qla2x00_post_work+0x81/0xb0 [qla2xxx]
[ 26.133356] qla2x00_async_event+0x1ad/0x1a20 [qla2xxx]
[ 26.164075] ? lock_timer_base+0x67/0x80
[ 26.186420] ? try_to_del_timer_sync+0x4d/0x80
[ 26.212284] ? del_timer_sync+0x35/0x40
[ 26.234080] ? schedule_timeout+0x165/0x2f0
[ 26.259575] qla82xx_poll+0x13e/0x180 [qla2xxx]
[ 26.285740] qla2x00_mailbox_command+0x74b/0xf50 [qla2xxx]
[ 26.319040] qla82xx_set_driver_version+0x13b/0x1c0 [qla2xxx]
[ 26.352108] ? qla2x00_init_rings+0x206/0x3f0 [qla2xxx]
[ 26.381733] qla2x00_initialize_adapter+0x35c/0x7f0 [qla2xxx]
[ 26.413240] qla2x00_probe_one+0x1479/0x2390 [qla2xxx]
[ 26.442055] local_pci_probe+0x3f/0xa0
[ 26.463108] work_for_cpu_fn+0x10/0x20
[ 26.483295] process_one_work+0x152/0x350
[ 26.505730] worker_thread+0x1cf/0x3e0
[ 26.527090] kthread+0xf5/0x130
[ 26.545085] ? max_active_store+0x80/0x80
[ 26.568085] ? kthread_bind+0x10/0x10
[ 26.589533] ret_from_fork+0x22/0x40
[ 26.610192] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 89 ff 41 56 41 55 41 89 fd 41 54 49 89 d4 55 48 89 f5 53 48 83 ec 0 86 02 01 00 00 01 0f 85 80 02 00 00 49 c7 c6 c0 ec 01 00 41
[ 27.308540] RIP: __queue_work+0x1f/0x3a0 RSP: ffff992642ceba10
[ 27.341591] CR2: 0000000000000102
[ 27.360208] ---[ end trace 01b7b7ae2c005cf3 ]---

Cc: <stable@xxxxxxxxxxxxxxx> # v4.17+
Fixes: 9b3e0f4d4147 ("scsi: qla2xxx: Move work element processing out of DPC thread"
Reported-by: Li Wang <liwang@xxxxxxxxxx>
Tested-by: Li Wang <liwang@xxxxxxxxxx>
Signed-off-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/scsi/qla2xxx/qla_os.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3180,6 +3180,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
"req->req_q_in=%p req->req_q_out=%p rsp->rsp_q_in=%p rsp->rsp_q_out=%p.\n",
req->req_q_in, req->req_q_out, rsp->rsp_q_in, rsp->rsp_q_out);

+ ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
+
if (ha->isp_ops->initialize_adapter(base_vha)) {
ql_log(ql_log_fatal, base_vha, 0x00d6,
"Failed to initialize adapter - Adapter flags %x.\n",
@@ -3216,8 +3218,6 @@ qla2x00_probe_one(struct pci_dev *pdev,
host->can_queue, base_vha->req,
base_vha->mgmt_svr_loop_id, host->sg_tablesize);

- ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
-
if (ha->mqenable) {
bool mq = false;
bool startit = false;

Next message: Greg Kroah-Hartman: "[PATCH 4.17 04/63] scsi: qla2xxx: Fix NULL pointer dereference for fcport search"
Previous message: Greg Kroah-Hartman: "[PATCH 4.17 02/63] scsi: qla2xxx: Fix inconsistent DMA mem alloc/free"
In reply to: Greg Kroah-Hartman: "[PATCH 4.17 02/63] scsi: qla2xxx: Fix inconsistent DMA mem alloc/free"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.17 04/63] scsi: qla2xxx: Fix NULL pointer dereference for fcport search"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]