Message ID | 20160630170032.6dbaf496@pluto.restena.lu (mailing list archive) |
---|---|
State | Accepted, archived |
Delegated to: | James Bottomley |
Ack.  Looks good. Thanks.

Regards,
Quinn Tran

-----Original Message-----
From: Bruno Prémont <bonbons@linux-vserver.org>
Date: Thursday, June 30, 2016 at 8:00 AM
To: Quinn Tran <quinn.tran@qlogic.com>, Himanshu Madhani <himanshu.madhani@qlogic.com>, Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Dept-Eng QLA2xxx Upstream <qla2xxx-upstream@qlogic.com>, "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi <linux-scsi@vger.kernel.org>, linux-kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt

>In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
>pointer dereference when rsp->msix is NULL:
>
>[    5.622457] NULL pointer dereference at 0000000000000050
>[    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457] PGD 0
>[    5.622457] Oops: 0000 [#1] SMP
>[    5.622457] Modules linked in:
>[    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
>[    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
>[    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
>[    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
>[    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
>[    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
>[    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
>[    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
>[    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
>[    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
>[    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>[    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
>[    5.622457] Stack:
>[    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
>[    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
>[    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
>[    5.622457] Call Trace:
>[    5.622457]  <IRQ>
>[    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
>[    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
>[    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
>[    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
>[    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
>[    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
>[    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
>[    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
>[    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
>[    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
>[    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
>[    5.622457]  <EOI>
>[    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
>[    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
>[    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
>[    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
>[    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
>[    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
>[    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
>[    5.622457]  RSP <ffff8801afb03de8>
>[    5.622457] CR2: 0000000000000050
>[    5.622457] ---[ end trace fa2b19c25106d42b ]---
>[    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
>
>
>The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
>(qla2xxx: Add irq affinity notification).
>
>Only dereference rsp->msix when it has been set so the machine can boot
>fine. Possibly rsp->msix is unset because:
>[    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
>[    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
>[    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
>[    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
>[    3.890145] scsi host0: qla2xxx
>[    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
>[    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
>[    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
>
>
>CC: <stable@vger.kernel.org>
>Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
>---
>diff --git a/drivers/scsi/qla2xxx/qla_isr.c
>b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644
>--- a/drivers/scsi/qla2xxx/qla_isr.c
>+++ b/drivers/scsi/qla2xxx/qla_isr.c
>@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct
>scsi_qla_host *vha, if (!vha->flags.online)
> 		return;
> 
>-	if (rsp->msix->cpuid != smp_processor_id()) {
>+	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
> 		/* if kernel does not notify qla of IRQ's CPU change,
> 		 * then set it here.
> 		 */
-- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jun 30, 2016 at 05:00:32PM +0200, Bruno Prémont wrote: > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL > pointer dereference when rsp->msix is NULL: > > [ 5.622457] NULL pointer dereference at 0000000000000050 > [ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 > [ 5.622457] PGD 0 > [ 5.622457] Oops: 0000 [#1] SMP > [ 5.622457] Modules linked in: > [ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1 > [ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011 > [ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000 > [ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 > [ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002 > [ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff > [ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0 > [ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000 > [ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8 > [ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013 > [ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000 > [ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0 > [ 5.622457] Stack: > [ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002 > [ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002 > [ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032 > [ 5.622457] Call Trace: > [ 5.622457] <IRQ> > [ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80 > [ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60 > [ 5.622457] [<ffffffff816772d4>] ? 
uhci_hub_status_data+0x64/0x240 > [ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0 > [ 5.622457] [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200 > [ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100 > [ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50 > [ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140 > [ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30 > [ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0 > [ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f > [ 5.622457] <EOI> > [ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80 > [ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10 > [ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30 > [ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230 > [ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140 > [ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00 > [ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 > [ 5.622457] RSP <ffff8801afb03de8> > [ 5.622457] CR2: 0000000000000050 > [ 5.622457] ---[ end trace fa2b19c25106d42b ]--- > [ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt > > > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde > (qla2xxx: Add irq affinity notification). > > Only dereference rsp->msix when it has been set so the machine can boot > fine. Possibly rsp->msix is unset because: > [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. > [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. > [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). > [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. 
> [ 3.890145] scsi host0: qla2xxx > [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. > [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). > [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). > > > CC: <stable@vger.kernel.org> > Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Bruno Prémont wrote on 30.06.2016 17:00: > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL > pointer dereference when rsp->msix is NULL: > […] > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde > (qla2xxx: Add irq affinity notification). > > Only dereference rsp->msix when it has been set so the machine can boot > fine. Possibly rsp->msix is unset because: > [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. > [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. > [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). > [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. > [ 3.890145] scsi host0: qla2xxx > [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. > [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). > [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). Bruno: Does that mean you actually tested that patch and it fixed the problem for you? It looks like it, but there is some confusion about it; that's one of the reasons why this patch didn't get any further yet afaics, so a quick clarification might help to finally get this fixed properly in mainline and stable. Himanshu: While at it: Can you confirm this patch should get merged to mainline? Seems Quinn is on PTO and his out-of-office reply mentioned you as one point of contact. Cheers, your regression tracker for Linux 4.7 Thorsten > CC: <stable@vger.kernel.org> > Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> > --- > diff --git a/drivers/scsi/qla2xxx/qla_isr.c > b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644 > --- a/drivers/scsi/qla2xxx/qla_isr.c > +++ b/drivers/scsi/qla2xxx/qla_isr.c 
> @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct > scsi_qla_host *vha, if (!vha->flags.online) > return; > > - if (rsp->msix->cpuid != smp_processor_id()) { > + if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { > /* if kernel does not notify qla of IRQ's CPU change, > * then set it here. > */ > > http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu > http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu > -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 7/8/16, 12:27 AM, "Thorsten Leemhuis" <regressions@leemhuis.info> wrote: >Bruno Prémont wrote on 30.06.2016 17:00: >> In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL >> pointer dereference when rsp->msix is NULL: >> […] >> The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde >> (qla2xxx: Add irq affinity notification). >> >> Only dereference rsp->msix when it has been set so the machine can boot >> fine. Possibly rsp->msix is unset because: >> [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. >> [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. >> [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). >> [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. >> [ 3.890145] scsi host0: qla2xxx >> [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. >> [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). >> [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). > >Bruno: Does that mean you actually tested that patch and it fixed the >problem for you? It looks like it, but there is some confusion about it; >that's one of the reasons why this patch didn't get any further yet >afaics, so a quick clarification might help to finally get this fixed >properly in mainline and stable. > >Himanshu: While at it: Can you confirm this patch should get merged to >mainline? Seems Quinn is on PTO and his out-of-office reply mentioned >you as one point of contact. I see this patch has been queued to "fixes" branch on James’s tree. So it would get merged into mainline kernel. Here’s the link http://git.kernel.org/cgit/linux/kernel/git/jejb/scsi.git/log/?h=fixes > >Cheers, your regression tracker for Linux 4.7 > Thorsten > >> CC: <stable@vger.kernel.org> 
>> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> >> --- >> diff --git a/drivers/scsi/qla2xxx/qla_isr.c >> b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644 >> --- a/drivers/scsi/qla2xxx/qla_isr.c >> +++ b/drivers/scsi/qla2xxx/qla_isr.c >> @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct >> scsi_qla_host *vha, if (!vha->flags.online) >> return; >> >> - if (rsp->msix->cpuid != smp_processor_id()) { >> + if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { >> /* if kernel does not notify qla of IRQ's CPU change, >> * then set it here. >> */ >> >> http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu >> http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu >>
On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote: > Bruno Prémont wrote on 30.06.2016 17:00: > > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL > > pointer dereference when rsp->msix is NULL: > > […] > > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde > > (qla2xxx: Add irq affinity notification). > > > > Only dereference rsp->msix when it has been set so the machine can boot > > fine. Possibly rsp->msix is unset because: > > [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. > > [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. > > [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). > > [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. > > [ 3.890145] scsi host0: qla2xxx > > [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. > > [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). > > [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). > > Bruno: Does that mean you actually tested that patch and it fixed the > problem for you? It looks like it, but there is some confusion about it; > that's one of the reasons why this patch didn't get any further yet > afaics, so a quick clarification might help to finally get this fixed > properly in mainline and stable. Yes, it does fix the Oops for me. I did not analyze the reason why rsp->msix is NULL (no idea if it remains NULL forever on my hardware) - I just extracted messages from qla driver shown during boot which seem to indicate a possible reason why msix is NULL. Further analysis should be done by someone with better knowledge of qla driver than mine though I would be happy to perform tests. 
Bruno > Himanshu: While at it: Can you confirm this patch should get merged to > mainline? Seems Quinn is on PTO and his out-of-office reply mentioned > you as one point of contact. > > Cheers, your regression tracker for Linux 4.7 > Thorsten > > > CC: <stable@vger.kernel.org> > > Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> > > --- > > diff --git a/drivers/scsi/qla2xxx/qla_isr.c > > b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644 > > --- a/drivers/scsi/qla2xxx/qla_isr.c > > +++ b/drivers/scsi/qla2xxx/qla_isr.c > > @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct > > scsi_qla_host *vha, if (!vha->flags.online) > > return; > > > > - if (rsp->msix->cpuid != smp_processor_id()) { > > + if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { > > /* if kernel does not notify qla of IRQ's CPU change, > > * then set it here. > > */ > > > > http://news.gmane.org/find-root.php?message_id=20160630170032.6dbaf496%40pluto.restena.lu > > http://mid.gmane.org/20160630170032.6dbaf496%40pluto.restena.lu > > -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Bruno Prémont wrote on 11.07.2016 09:17: > On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote: >> Bruno Prémont wrote on 30.06.2016 17:00: >> > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL >> > pointer dereference when rsp->msix is NULL: >> > […] >> > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde >> > (qla2xxx: Add irq affinity notification). >> > >> > Only dereference rsp->msix when it has been set so the machine can boot >> > fine. Possibly rsp->msix is unset because: >> > [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. >> > [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. >> > [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). >> > [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. >> > [ 3.890145] scsi host0: qla2xxx >> > [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. >> > [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). >> > [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). >> >> Bruno: Does that mean you actually tested that patch and it fixed the >> problem for you? It looks like it, but there is some confusion about it; >> that's one of the reasons why this patch didn't get any further yet >> afaics, so a quick clarification might help to finally get this fixed >> properly in mainline and stable. > Yes, it does fix the Oops for me. Thx for the feedback. The patch hit mainline late last week (it's included in rc7) and should hopefully make it to the stable trees in a week or two. 
> I did not analyze the reason why rsp->msix is NULL (no idea if > it remains NULL forever on my hardware) - I just extracted messages > from qla driver shown during boot which seem to indicate a possible > reason why msix is NULL. > Further analysis should be done by someone with better knowledge of qla > driver than mine though I would be happy to perform tests. I have no idea about the details, but in case you missed it, this discussion might have some more relevant details: http://thread.gmane.org/gmane.linux.kernel/2247804/focus=2250727 Cheers, Thorsten
On Mon, 11 Jul 2016 09:30:30 +0200 Thorsten Leemhuis wrote: > Bruno Prémont wrote on 11.07.2016 09:17: > > On Fri, 8 Jul 2016 09:27:18 +0200 Thorsten Leemhuis wrote: > >> Bruno Prémont wrote on 30.06.2016 17:00: > >> > In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL > >> > pointer dereference when rsp->msix is NULL: > >> > […] > >> > The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde > >> > (qla2xxx: Add irq affinity notification). > >> > > >> > Only dereference rsp->msix when it has been set so the machine can boot > >> > fine. Possibly rsp->msix is unset because: > >> > [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. > >> > [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. > >> > [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). > >> > [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. > >> > [ 3.890145] scsi host0: qla2xxx > >> > [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. > >> > [ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). > >> > [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). > >> > >> Bruno: Does that mean you actually tested that patch and it fixed the > >> problem for you? It looks like it, but there is some confusion about it; > >> that's one of the reasons why this patch didn't get any further yet > >> afaics, so a quick clarification might help to finally get this fixed > >> properly in mainline and stable. > > Yes, it does fix the Oops for me. > > Thx for the feedback. The patch hit mainline late last week (it's > included in rc7) and should hopefully make it to the stable trees in a > week or two. I got the queued notification from James last week and kept an eye on the state on patchwork before that. 
> > I did not analyze the reason why rsp->msix is NULL (no idea if > > it remains NULL forever on my hardware) - I just extracted messages > > from qla driver shown during boot which seem to indicate a possible > > reason why msix is NULL. > > Further analysis should be done by someone with better knowledge of qla > > driver than mine though I would be happy to perform tests. > > I have no idea about the details, but in case you missed it, this > discussion might have some more relevant details: > http://thread.gmane.org/gmane.linux.kernel/2247804/focus=2250727 I didn't see that thread, though it does have some insight. Thanks for the reference! Bruno > Cheers, Thorsten
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index 5649c20..a92a62d 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c @@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha, if (!vha->flags.online) return; - if (rsp->msix->cpuid != smp_processor_id()) { + if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) { /* if kernel does not notify qla of IRQ's CPU change, * then set it here. */
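Review bot: the `rsp->msix &&` guard stops the fault at this one dereference, but the commit message only says rsp->msix is "possibly" unset; the quoted boot log ("MSI-X; Unsupported ISP2432", "Falling back-to MSI mode") is the reason no MSI-X entry is ever assigned to the response queue, so the message should state that as the cause and carry a `Fixes: cdb898c52d1d ("qla2xxx: Add irq affinity notification")` tag so the stable backport picks up the right dependency. Worth confirming in the same pass that no other rsp->msix->cpuid access in the interrupt path (the kernel-notification path the in-code comment refers to) is reachable in MSI mode, since there the pointer stays NULL for the life of the device.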
In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL pointer dereference when rsp->msix is NULL: [ 5.622457] NULL pointer dereference at 0000000000000050 [ 5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 [ 5.622457] PGD 0 [ 5.622457] Oops: 0000 [#1] SMP [ 5.622457] Modules linked in: [ 5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1 [ 5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011 [ 5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000 [ 5.622457] RIP: 0010:[<ffffffff8155e614>] [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 [ 5.622457] RSP: 0000:ffff8801afb03de8 EFLAGS: 00010002 [ 5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff [ 5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0 [ 5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000 [ 5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8 [ 5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013 [ 5.622457] FS: 0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000 [ 5.622457] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0 [ 5.622457] Stack: [ 5.622457] ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002 [ 5.622457] ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002 [ 5.622457] ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032 [ 5.622457] Call Trace: [ 5.622457] <IRQ> [ 5.622457] [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80 [ 5.622457] [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60 [ 5.622457] [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240 [ 5.622457] [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0 [ 5.622457] [<ffffffff810d569e>] ? 
get_next_timer_interrupt+0xce/0x200 [ 5.622457] [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100 [ 5.622457] [<ffffffff810c8a77>] handle_irq_event+0x27/0x50 [ 5.622457] [<ffffffff810cb965>] handle_edge_irq+0x65/0x140 [ 5.622457] [<ffffffff8101a498>] handle_irq+0x18/0x30 [ 5.622457] [<ffffffff8101a276>] do_IRQ+0x46/0xd0 [ 5.622457] [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f [ 5.622457] <EOI> [ 5.622457] [<ffffffff81020d38>] ? mwait_idle+0x68/0x80 [ 5.622457] [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10 [ 5.622457] [<ffffffff810c1b97>] default_idle_call+0x27/0x30 [ 5.622457] [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230 [ 5.622457] [<ffffffff810324c6>] start_secondary+0x136/0x140 [ 5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00 [ 5.622457] RIP [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0 [ 5.622457] RSP <ffff8801afb03de8> [ 5.622457] CR2: 0000000000000050 [ 5.622457] ---[ end trace fa2b19c25106d42b ]--- [ 5.622457] Kernel panic - not syncing: Fatal exception in interrupt The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde (qla2xxx: Add irq affinity notification). Only dereference rsp->msix when it has been set so the machine can boot fine. Possibly rsp->msix is unset because: [ 3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k. [ 3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000. [ 3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3). [ 3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258. [ 3.890145] scsi host0: qla2xxx [ 3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA. 
[ 3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496). [ 5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps). CC: <stable@vger.kernel.org> Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org> ---
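The fix modelled in user-space C, as an added example rather than the qla2xxx driver's own code: the struct layouts, `setup_irqs` and the scenario and triage helpers are hypothetical stand-ins. It shows why the MSI fallback in the boot log leaves rsp->msix NULL, how the guarded check then skips the affinity bookkeeping instead of faulting, and how the CR2 value in the oops reads as NULL plus a field offset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layouts: names mirror the driver's, field order is invented. */
struct qla_msix_entry {
    int vector;
    int cpuid;                      /* CPU the vector last fired on */
};

struct rsp_que {
    struct qla_msix_entry *msix;    /* stays NULL when MSI-X is not in use */
};

struct qla_hw_data {
    bool msix_supported;            /* false for the ISP2432 in the boot log */
    struct qla_msix_entry *msix_entries;
    int affinity_updates;           /* times the ISR had to correct cpuid */
};

/* IRQ setup model: an entry exists only with MSI-X; MSI never assigns one. */
static int setup_irqs(struct qla_hw_data *ha, struct rsp_que *rsp)
{
    rsp->msix = NULL;
    if (!ha->msix_supported)
        return -1;                  /* "Falling back-to MSI mode" */
    ha->msix_entries = calloc(1, sizeof(*ha->msix_entries));
    if (!ha->msix_entries)
        return -1;
    rsp->msix = ha->msix_entries;   /* cpuid starts at 0 */
    return 0;
}

/* Post-patch shape of the check. The pre-patch form, rsp->msix->cpuid != cpu,
 * faults with rsp->msix == NULL at CR2 == offsetof(cpuid), as in the oops. */
static bool affinity_changed(const struct rsp_que *rsp, int cpu)
{
    return rsp->msix && rsp->msix->cpuid != cpu;
}

/* Head of the response-queue ISR as modelled here: returns the recorded
 * cpuid afterwards, or -1 when there is no entry to record it in. */
static int process_response_queue(struct qla_hw_data *ha, struct rsp_que *rsp,
                                  int this_cpu)
{
    if (affinity_changed(rsp, this_cpu)) {
        rsp->msix->cpuid = this_cpu;    /* kernel did not notify us; fix it */
        ha->affinity_updates++;
    }
    return rsp->msix ? rsp->msix->cpuid : -1;
}

/* ISP2432-style MSI fallback: the ISR must run without an entry (-1). */
static int scenario_msi_fallback(void)
{
    struct qla_hw_data ha = { .msix_supported = false };
    struct rsp_que rsp = { .msix = NULL };
    setup_irqs(&ha, &rsp);
    return process_response_queue(&ha, &rsp, 2);
}

/* MSI-X available, vector fires twice on CPU 2: returns how many times the
 * ISR had to fix cpuid (once; afterwards the recorded CPU already matches). */
static int scenario_msix(void)
{
    struct qla_hw_data ha = { .msix_supported = true };
    struct rsp_que rsp = { .msix = NULL };
    int updates = -1;
    if (setup_irqs(&ha, &rsp) != 0)
        return updates;
    process_response_queue(&ha, &rsp, 2);
    process_response_queue(&ha, &rsp, 2);
    updates = ha.affinity_updates;
    free(ha.msix_entries);
    return updates;
}

/* Oops triage: a fault address smaller than any plausible struct while the
 * base register (RAX in the trace) is zero is NULL plus a field offset.
 * Returns that offset, or -1 when the fault does not look like one. */
static long null_deref_offset(uint64_t fault_addr, uint64_t base_reg,
                              size_t max_struct_size)
{
    if (base_reg != 0 || fault_addr >= max_struct_size)
        return -1;
    return (long)fault_addr;
}

int main(void)
{
    printf("MSI fallback: cpuid after ISR = %d\n", scenario_msi_fallback());
    printf("MSI-X: affinity updates = %d\n", scenario_msix());
    printf("CR2 0x50 with RAX 0 -> field offset %ld\n",
           null_deref_offset(0x50, 0, 4096));
    return 0;
}
```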