From patchwork Fri Mar 15 22:04:19 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Himanshu Madhani <hmadhani@marvell.com>
X-Patchwork-Id: 10855597
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9A9BA139A
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Fri, 15 Mar 2019 22:05:41 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 846B82AC8B
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Fri, 15 Mar 2019 22:05:41 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 786242ACB9; Fri, 15 Mar 2019 22:05:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB19B2AC8B
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Fri, 15 Mar 2019 22:05:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726932AbfCOWFk (ORCPT
        <rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
        Fri, 15 Mar 2019 18:05:40 -0400
Received: from mail-eopbgr790075.outbound.protection.outlook.com
 ([40.107.79.75]:46816
        "EHLO NAM03-CO1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726774AbfCOWFk (ORCPT <rfc822;linux-scsi@vger.kernel.org>);
        Fri, 15 Mar 2019 18:05:40 -0400
Received: from DM5PR07CA0067.namprd07.prod.outlook.com (2603:10b6:4:ad::32) by
 BN3PR07MB2529.namprd07.prod.outlook.com (2a01:111:e400:7bbf::14) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.14; Fri, 15 Mar
 2019 22:05:38 +0000
Received: from BY2NAM05FT058.eop-nam05.prod.protection.outlook.com
 (2a01:111:f400:7e52::208) by DM5PR07CA0067.outlook.office365.com
 (2603:10b6:4:ad::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1709.13 via Frontend
 Transport; Fri, 15 Mar 2019 22:05:37 +0000
Authentication-Results: spf=fail (sender IP is 199.233.58.38)
 smtp.mailfrom=marvell.com; vger.kernel.org; dkim=none (message not signed)
 header.d=none;vger.kernel.org; dmarc=fail action=none
 header.from=marvell.com;
Received-SPF: Fail (protection.outlook.com: domain of marvell.com does not
 designate 199.233.58.38 as permitted sender) receiver=protection.outlook.com;
 client-ip=199.233.58.38; helo=CAEXCH02.caveonetworks.com;
Received: from CAEXCH02.caveonetworks.com (199.233.58.38) by
 BY2NAM05FT058.mail.protection.outlook.com (10.152.100.195) with Microsoft
 SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id
 15.20.1730.2 via Frontend Transport; Fri, 15 Mar 2019 22:05:36 +0000
Received: from dut1171.mv.qlogic.com (10.112.88.18) by
 CAEXCH02.caveonetworks.com (10.67.98.110) with Microsoft SMTP Server (TLS) id
 14.2.347.0; Fri, 15 Mar 2019 15:04:25 -0700
Received: from dut1171.mv.qlogic.com (localhost [127.0.0.1])    by
 dut1171.mv.qlogic.com (8.14.7/8.14.7) with ESMTP id x2FM4Qjc014056;
    Fri, 15
 Mar 2019 15:04:26 -0700
Received: (from root@localhost) by dut1171.mv.qlogic.com
 (8.14.7/8.14.7/Submit) id x2FM4QDH014053;
      Fri, 15 Mar 2019 15:04:26 -0700
From: Himanshu Madhani <hmadhani@marvell.com>
To: <James.Bottomley@HansenPartnership.com>,
        <martin.petersen@oracle.com>
CC: <hmadhani@marvell.com>, <linux-scsi@vger.kernel.org>
Subject: [PATCH 2/2] qla2xxx: Fix NULL pointer crash due to stale CPUID
Date: Fri, 15 Mar 2019 15:04:19 -0700
Message-ID: <20190315220419.14010-3-hmadhani@marvell.com>
X-Mailer: git-send-email 2.12.0
In-Reply-To: <20190315220419.14010-1-hmadhani@marvell.com>
References: <20190315220419.14010-1-hmadhani@marvell.com>
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Matching-Connectors: 
 131971611374007329;(abac79dc-c90b-41ba-8033-08d666125e47);(abac79dc-c90b-41ba-8033-08d666125e47)
X-Forefront-Antispam-Report: 
 CIP:199.233.58.38;IPV:CAL;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(10009020)(396003)(376002)(39860400002)(346002)(136003)(2980300002)(1110001)(1109001)(339900001)(189003)(199004)(81166006)(54906003)(110136005)(316002)(81156014)(69596002)(105606002)(4326008)(36756003)(1076003)(51416003)(68736007)(45080400002)(305945005)(50226002)(14444005)(86362001)(6666004)(356004)(26005)(106466001)(336012)(85426001)(53936002)(48376002)(47776003)(76176011)(8676002)(50466002)(486006)(26826003)(8936002)(126002)(97736004)(87636003)(11346002)(2906002)(5660300002)(80596001)(446003)(476003)(498600001)(16586007)(36906005)(42186006)(2616005);DIR:OUT;SFP:1101;SCL:1;SRVR:BN3PR07MB2529;H:CAEXCH02.caveonetworks.com;FPR:;SPF:Fail;LANG:en;PTR:InfoDomainNonexistent;MX:1;A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 819090af-8f35-4f76-9643-08d6a9925ac4
X-Microsoft-Antispam: 
 BCL:0;PCL:0;RULEID:(2390118)(7020095)(5600127)(711020)(4605104)(2017052603328);SRVR:BN3PR07MB2529;
X-MS-TrafficTypeDiagnostic: BN3PR07MB2529:
X-Microsoft-Antispam-PRVS: 
 <BN3PR07MB2529DDDF25B97C5B29C1681ED6440@BN3PR07MB2529.namprd07.prod.outlook.com>
X-Forefront-PRVS: 09778E995A
X-Microsoft-Antispam-Message-Info: 
 XDp6jyOIAJQlU8Y62peX7MxsQPh5OIbgmaW5cnQ5ToFnTLfFjFe/3KZl5lSnc0thM0uM1HZzCzTcpP7twR24Z4ktyHrHJALOf3CGINU2Nuvqp7jxfZ9zNzluNGbUj2b8ln4PsZ+eXVNwPBpmCv+41PwKH1/2rS0U5rbVD/qdWWXkGmyXc7qkiklOd7mgKBBRYOa58C20M/gQ5MY4IxL6XCFnodUkRDKnRBiBFlenEruf+FUj9bhpZiL5KeAEkmUbX8K5WzDarb51hdiepf/VLcR6fxAuVKxcZfa8ap2uv2ueYfFwoqiAPxSygr4cMBzKRJkQN7IFL0Y8+NoKG+liukmcuw3kq02uN08H22ynexmfA+1MnaTaL8uU6j6eO8Z7vGEMyP+KS+zAi21M7ietL471uz80JtCo6757/wnuOZw=
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Mar 2019 22:05:36.9873
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 819090af-8f35-4f76-9643-08d6a9925ac4
X-MS-Exchange-CrossTenant-Id: 5afe0b00-7697-4969-b663-5eab37d5f47e
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=5afe0b00-7697-4969-b663-5eab37d5f47e;Ip=[199.233.58.38];Helo=[CAEXCH02.caveonetworks.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR07MB2529
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

This patch fixes crash due to NULL pointer derefrence because
CPU pointer is not set and used by driver.  Instead, driver is
passes CPU as tag via ha->isp_ops->{lun_reset|target_reset}

[   30.160780] qla2xxx [0000:a0:00.1]-8038:9: Cable is unplugged...
[   69.984045] qla2xxx [0000:a0:00.0]-8009:8: DEVICE RESET ISSUED nexus=8:0:0 cmd=00000000b0d62f46.
[   69.992849] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[   70.000680] PGD 0 P4D 0
[   70.003232] Oops: 0000 [#1] SMP PTI
[   70.006727] CPU: 2 PID: 6714 Comm: sg_reset Kdump: loaded Not tainted 4.18.0-67.el8.x86_64 #1
[   70.015258] Hardware name: NEC Express5800/T110j [N8100-2758Y]/MX32-PH0-NJ, BIOS F11 02/13/2019
[   70.024016] RIP: 0010:blk_mq_rq_cpu+0x9/0x10
[   70.028315] Code: 01 58 01 00 00 48 83 c0 28 48 3d 80 02 00 00 75 ab c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48
 8b 47 08 <8b> 40 40 c3 0f 1f 00 0f 1f 44 00 00 48 83 ec 10 48 c7 c6 20 6e 7c
[   70.047087] RSP: 0018:ffff99a481487d58 EFLAGS: 00010246
[   70.052322] RAX: 0000000000000000 RBX: ffffffffc041b08b RCX: 0000000000000000
[   70.059466] RDX: 0000000000000000 RSI: ffff8d10b6b16898 RDI: ffff8d10b341e400
[   70.066615] RBP: ffffffffc03a6bd0 R08: 0000000000000415 R09: 0000000000aaaaaa
[   70.073765] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8d10b341e528
[   70.080914] R13: ffff8d10aadefc00 R14: ffff8d0f64efa998 R15: ffff8d0f64efa000
[   70.088083] FS:  00007f90a201e540(0000) GS:ffff8d10b6b00000(0000) knlGS:0000000000000000
[   70.096188] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.101959] CR2: 0000000000000040 CR3: 0000000268886005 CR4: 00000000003606e0
[   70.109127] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.116277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.123425] Call Trace:
[   70.125896]  __qla2xxx_eh_generic_reset+0xb1/0x220 [qla2xxx]
[   70.131572]  scsi_ioctl_reset+0x1f5/0x2a0
[   70.135600]  scsi_ioctl+0x18e/0x397
[   70.139099]  ? sd_ioctl+0x7c/0x100 [sd_mod]
[   70.143287]  blkdev_ioctl+0x32b/0x9f0
[   70.146954]  ? __check_object_size+0xa3/0x181
[   70.151323]  block_ioctl+0x39/0x40
[   70.154735]  do_vfs_ioctl+0xa4/0x630
[   70.158322]  ? syscall_trace_enter+0x1d3/0x2c0
[   70.162769]  ksys_ioctl+0x60/0x90
[   70.166104]  __x64_sys_ioctl+0x16/0x20
[   70.169859]  do_syscall_64+0x5b/0x1b0
[   70.173532]  entry_SYSCALL_64_after_hwframe+0x65/0xca
[   70.178587] RIP: 0033:0x7f90a1b3445b
[   70.182183] Code: 0f 1e fa 48 8b 05 2d aa 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00
 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fd a9 2c 00 f7 d8 64 89 01 48
[   70.200956] RSP: 002b:00007fffdca88b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   70.208535] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f90a1b3445b
[   70.215684] RDX: 00007fffdca88b84 RSI: 0000000000002284 RDI: 0000000000000003
[   70.222833] RBP: 00007fffdca88ca8 R08: 00007fffdca88b84 R09: 0000000000000000
[   70.229981] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdca88b84
[   70.237131] R13: 0000000000000000 R14: 000055ab09b0bd28 R15: 0000000000000000
[   70.244284] Modules linked in: nft_chain_route_ipv4 xt_CHECKSUM nft_chain_nat_ipv4 ipt_MASQUERADE nf_nat_ipv4 nf_nat nf_conntrack_ipv4
 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c ipt_REJECT nf_reject_ipv4 nft_counter nft_compat tun bridge stp llc nf_tables nfnetli
nk devlink sunrpc vfat fat intel_rapl intel_pmc_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm wmi_bmof iTCO_wdt iTCO_
vendor_support irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif intel_cstate intel_uncore intel_rapl_perf ipmi_si jo
ydev pcspkr ipmi_devintf sg wmi ipmi_msghandler video acpi_power_meter acpi_pad mei_me i2c_i801 mei ip_tables ext4 mbcache jbd2 sr_mod cd
rom sd_mod qla2xxx ast i2c_algo_bit drm_kms_helper nvme_fc syscopyarea sysfillrect uas sysimgblt fb_sys_fops nvme_fabrics ttm
[   70.314805]  usb_storage nvme_core crc32c_intel scsi_transport_fc ahci drm libahci tg3 libata megaraid_sas pinctrl_cannonlake pinctrl_
intel
[   70.327335] CR2: 0000000000000040

Fixes: 9cf2bab630765 ("block: kill request ->cpu member")
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
---
 drivers/scsi/qla2xxx/qla_os.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 677f82fdf56f..91f576d743fe 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1517,7 +1517,7 @@ __qla2xxx_eh_generic_reset(char *name, enum nexus_wait_type type,
 		goto eh_reset_failed;
 	}
 	err = 2;
-	if (do_reset(fcport, cmd->device->lun, blk_mq_rq_cpu(cmd->request) + 1)
+	if (do_reset(fcport, cmd->device->lun, 1)
 		!= QLA_SUCCESS) {
 		ql_log(ql_log_warn, vha, 0x800c,
 		    "do_reset failed for cmd=%p.\n", cmd);