| Message ID | 20211019191208.6546-1-svens@stackframe.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | mpt3sas: add NULL check in _base_fault_reset_work() |
Sven,

> My HP C8000 (a PA-RISC based system) crashed with an HPMC. That
> triggered the HPMC handler in the kernel, and I got a crash in
> _base_fault_reset_work() from mpt3sas. It looks like this function
> calls ioc->schedule_dead_ioc_flush_running_cmds() without checking
> whether there's actually a function set, so it dereferences a NULL
> pointer on that system. The c8000 actually uses the mptspi driver
> instead of mpt3sas which doesn't seem to set this handler.

I'm not sure how you end up in the mpt3sas driver if your system uses
mptspi!?

Can you please send us the HPMC and the output of lspci?

Thanks!
Hi Martin,

"Martin K. Petersen" <martin.petersen@oracle.com> writes:

>> My HP C8000 (a PA-RISC based system) crashed with an HPMC. That
>> triggered the HPMC handler in the kernel, and I got a crash in
>> _base_fault_reset_work() from mpt3sas. It looks like this function
>> calls ioc->schedule_dead_ioc_flush_running_cmds() without checking
>> whether there's actually a function set, so it dereferences a NULL
>> pointer on that system. The c8000 actually uses the mptspi driver
>> instead of mpt3sas which doesn't seem to set this handler.
>
> I'm not sure how you end up in the mpt3sas driver if your system uses
> mptspi!?
>
> Can you please send us the HPMC and the output of lspci?

It doesn't end up in mpt3sas, I was just confused because
schedule_dead_ioc_flush_running_cmds() exists there too. If you look at
the diff, you see that I patched the mptspi driver. So the description
is just wrong, sorry.

I'll try to see whether I can reproduce it once more, but the question
still is whether the if () check is okay, or whether that needs more
work (i.e., a handler for that).

Regards
Sven
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c index 7f7abc9069f7..38f5aa43b457 100644 --- a/drivers/message/fusion/mptbase.c +++ b/drivers/message/fusion/mptbase.c @@ -381,7 +381,8 @@ mpt_fault_reset_work(struct work_struct *work) * since dead ioc will never return any command back from HW. */ hd = shost_priv(ioc->sh); - ioc->schedule_dead_ioc_flush_running_cmds(hd); + if (ioc->schedule_dead_ioc_flush_running_cmds) + ioc->schedule_dead_ioc_flush_running_cmds(hd); /*Remove the Dead Host */ p = kthread_run(mpt_remove_dead_ioc_func, ioc,
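Review bot: the `if (ioc->schedule_dead_ioc_flush_running_cmds)` guard stops the NULL dereference but, when no handler is registered, the running commands are simply not flushed, which is exactly what the comment just above the call says must happen ("since dead ioc will never return any command back from HW") before `mpt_remove_dead_ioc_func` tears the adapter down; either the bus driver that leaves the pointer NULL (mptspi, per the description) should register a handler, or a no-op default should be installed where the callback is set up, or at minimum a comment at the new `if` should state why skipping the flush is safe for drivers that set none. Separately, the commit message talks about `_base_fault_reset_work()` in mpt3sas while the hunk changes `mpt_fault_reset_work()` in drivers/message/fusion/mptbase.c; the description should name the file and function actually patched.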
My HP C8000 (a PA-RISC based system) crashed with an HPMC. That
triggered the HPMC handler in the kernel, and I got a crash in
_base_fault_reset_work() from mpt3sas. It looks like this function
calls ioc->schedule_dead_ioc_flush_running_cmds() without checking
whether there's actually a function set, so it dereferences a NULL
pointer on that system. The c8000 actually uses the mptspi driver
instead of mpt3sas which doesn't seem to set this handler.

Signed-off-by: Sven Schnelle <svens@stackframe.org>
---
Disclaimer: I have no idea about the inner workings of the MPT Fusion
drivers. So this might be completely wrong.

 drivers/message/fusion/mptbase.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
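The two ways of dealing with an optional callback that this thread turns on (the call-site check the patch adds, versus making sure a handler is always registered, which is the "needs more work" alternative Sven raises) side by side, as an added example in C. This is not code from the kernel or from the patch; `struct toy_ioc`, `register_ioc()`, `fault_reset_guarded()` and `fault_reset_unconditional()` are made-up stand-ins for the MPT_ADAPTER structure and the fault-reset work function.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a toy stand-in for the adapter structure
 * whose schedule_dead_ioc_flush_running_cmds callback the patch guards.
 * All names here (toy_ioc, register_ioc, fault_reset_*) are made up. */
struct toy_ioc {
	const char *name;
	int running_cmds;                                /* commands still in flight */
	void (*flush_running_cmds)(struct toy_ioc *ioc); /* may be NULL */
};

/* The kind of flush routine a bus driver registers for a dead controller:
 * it completes every in-flight command so the upper layers stop waiting. */
void flush_running_cmds_impl(struct toy_ioc *ioc)
{
	ioc->running_cmds = 0;
}

/* Option 1, what the patch does: check the pointer at the call site.
 * Returns 1 if a handler ran, 0 if the flush was skipped. On the skipped
 * path running_cmds stays non-zero: the crash is gone, but the flush the
 * comment in mpt_fault_reset_work() asks for has not happened. */
int fault_reset_guarded(struct toy_ioc *ioc)
{
	if (ioc->flush_running_cmds) {
		ioc->flush_running_cmds(ioc);
		return 1;
	}
	return 0;
}

/* Option 2: never leave the slot NULL. Install a no-op default at
 * registration time so every caller can call through unconditionally. */
static void noop_flush(struct toy_ioc *ioc)
{
	(void)ioc;
}

void register_ioc(struct toy_ioc *ioc, const char *name, int in_flight,
		  void (*flush)(struct toy_ioc *))
{
	ioc->name = name;
	ioc->running_cmds = in_flight;
	ioc->flush_running_cmds = flush ? flush : noop_flush;
}

/* With option 2 the fault path needs no check; returns commands left. */
int fault_reset_unconditional(struct toy_ioc *ioc)
{
	ioc->flush_running_cmds(ioc);
	return ioc->running_cmds;
}

int main(void)
{
	/* Constructed sample adapters: one without a handler, one with. */
	struct toy_ioc spi = { "spi", 3, NULL };
	struct toy_ioc sas = { "sas", 3, flush_running_cmds_impl };
	struct toy_ioc reg;
	int ran;

	ran = fault_reset_guarded(&spi);
	printf("%s: handler ran=%d, commands left=%d\n", spi.name, ran,
	       spi.running_cmds);
	ran = fault_reset_guarded(&sas);
	printf("%s: handler ran=%d, commands left=%d\n", sas.name, ran,
	       sas.running_cmds);

	register_ioc(&reg, "spi-with-default", 4, NULL);
	printf("%s: unconditional call, commands left=%d\n", reg.name,
	       fault_reset_unconditional(&reg));
	return 0;
}
```

The guarded call is the smaller change and is what the hunk does; the registration-time default moves the decision to the one place that knows whether a bus driver has a flush routine, and makes an unflushed dead controller a visible design choice (a no-op handler) rather than a silently skipped branch.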