Received: by 10.223.185.111 with SMTP id b44csp902102wrg; Fri, 9 Mar 2018 16:25:15 -0800 (PST) X-Google-Smtp-Source: AG47ELvpWn4mPOzvGgGwzLQ7aYpNXfga0ZQwMXh+2/lFSfSqrigq2YemUQKzOYvtja8VnS9FLe/d X-Received: by 2002:a17:902:7686:: with SMTP id m6-v6mr324860pll.199.1520641515833; Fri, 09 Mar 2018 16:25:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520641515; cv=none; d=google.com; s=arc-20160816; b=X05yKDOZMXSEy8NDdRBZ3xLpYnpsJGIQctP4zPvM9QW/RxEdpTPIm6drKy43+XRneJ ZEKVbmthlb26rK3+xt6FvqFVvlFYB5IA7YAtIL9hcO0EhMVISc6NiuYBFFxviXdEnhNS S6fBNWs8ALs3x7MAdQhFhR0pnhuVzxaUPg1xfTLcT3MLEtIVtAHTsVB6euFsD/HLDwra ZhH9qq6JH0essOlkg7ISGKUpG6oLzYGf6wBsDPKNSUWIF4YA56uKsTXGDzX3EjyuOoo9 PAdXdWD4DWgIKOgAU5Q0YuKm2eEQ8eHxttG/qmXU+pkJGDU9Rlu49kKt8d1MnorHEFxu l9SA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=PFto53GB4BUIGHAt60OC9C4x7Zb9NmujsjzoJKmigH4=; b=Lswlcdmrj4t7V49mvGL9hOMEcuKN4egd24vC05mYlY0L0Q32h+zD6aJsx6BSG+xhPa OgzdaweC9YhfSVED3vpk5ItTy0by32V5H3mpjldeVyccQ4CADn3amVdbpcRV/F9XejV8 3nI74nnSZTScfsTa1aq/4tDGbBzADuP60d6QpP5fzcZ5pPJgCULOVTPmifrb2igw+3A2 SFNT6Fn2bq/sbjll/eQZuojQmB5ZXQMvPC6a+N+gD+oLK7tbpcSA1NDGZZMhXnZO7rvD 4PwY0bQ77ZLg2v65Yw9VLG8MSEHvtYNXXf+wDqgn0Fdi3Cr9Z47s4Prp0vz70fWb6U5A bzxw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 13-v6si1749835ple.157.2018.03.09.16.25.00; Fri, 09 Mar 2018 16:25:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934215AbeCJAX6 (ORCPT + 99 others); Fri, 9 Mar 2018 19:23:58 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:41264 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933762AbeCJAX4 (ORCPT ); Fri, 9 Mar 2018 19:23:56 -0500 Received: from localhost (unknown [185.236.200.248]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 07BC3FC9; Sat, 10 Mar 2018 00:23:55 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mauricio Faria de Oliveira , Sreekanth Reddy , "Martin K. Petersen" Subject: [PATCH 4.15 09/11] scsi: mpt3sas: fix oops in error handlers after shutdown/unload Date: Fri, 9 Mar 2018 16:19:23 -0800 Message-Id: <20180310001835.061798273@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180310001834.560857664@linuxfoundation.org> References: <20180310001834.560857664@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mauricio Faria de Oliveira commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream. This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so not to access pointers/resources potentially freed in the PCI shutdown/module unload path. The error handlers may be invoked after shutdown/unload, depending on other components. This problem was observed with kexec on a system with a mpt3sas based adapter and an infiniband adapter which takes long enough to shutdown: The mpt3sas driver finished shutting down / disabled interrupt handling, thus some commands have not finished and timed out. Since the system was still running (waiting for the infiniband adapter to shutdown), the scsi error handler for task abort of mpt3sas was invoked, and hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or later up in scsih_host_reset() (with or without that commit), because it eventually called mpt3sas_base_get_iocstate(). After the above commit, the oops in scsih_abort() does not occur anymore (_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is too big and out of the scope of linux-stable, where this patch might help, so still go for the changes. Also, this might help to prevent similar errors in the future, in case code changes and possibly tries to access freed stuff. Note the fix in scsih_host_reset() is still important anyway. Signed-off-by: Mauricio Faria de Oliveira Acked-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -2998,7 +2998,8 @@ scsih_abort(struct scsi_cmnd *scmd) _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3060,7 +3061,8 @@ scsih_dev_reset(struct scsi_cmnd *scmd) _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3122,7 +3124,8 @@ scsih_target_reset(struct scsi_cmnd *scm _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { starget_printk(KERN_INFO, starget, "target been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3179,7 +3182,7 @@ scsih_host_reset(struct scsi_cmnd *scmd) ioc->name, scmd); scsi_print_command(scmd); - if (ioc->is_driver_loading) { + if (ioc->is_driver_loading || ioc->remove_host) { pr_info(MPT3SAS_FMT "Blocking the host reset\n", ioc->name); r = FAILED;