Received: by 10.223.185.111 with SMTP id b44csp902102wrg;
        Fri, 9 Mar 2018 16:25:15 -0800 (PST)
X-Google-Smtp-Source: AG47ELvpWn4mPOzvGgGwzLQ7aYpNXfga0ZQwMXh+2/lFSfSqrigq2YemUQKzOYvtja8VnS9FLe/d
X-Received: by 2002:a17:902:7686:: with SMTP id m6-v6mr324860pll.199.1520641515833;
        Fri, 09 Mar 2018 16:25:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520641515; cv=none;
        d=google.com; s=arc-20160816;
        b=X05yKDOZMXSEy8NDdRBZ3xLpYnpsJGIQctP4zPvM9QW/RxEdpTPIm6drKy43+XRneJ
         ZEKVbmthlb26rK3+xt6FvqFVvlFYB5IA7YAtIL9hcO0EhMVISc6NiuYBFFxviXdEnhNS
         S6fBNWs8ALs3x7MAdQhFhR0pnhuVzxaUPg1xfTLcT3MLEtIVtAHTsVB6euFsD/HLDwra
         ZhH9qq6JH0essOlkg7ISGKUpG6oLzYGf6wBsDPKNSUWIF4YA56uKsTXGDzX3EjyuOoo9
         PAdXdWD4DWgIKOgAU5Q0YuKm2eEQ8eHxttG/qmXU+pkJGDU9Rlu49kKt8d1MnorHEFxu
         l9SA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=PFto53GB4BUIGHAt60OC9C4x7Zb9NmujsjzoJKmigH4=;
        b=Lswlcdmrj4t7V49mvGL9hOMEcuKN4egd24vC05mYlY0L0Q32h+zD6aJsx6BSG+xhPa
         OgzdaweC9YhfSVED3vpk5ItTy0by32V5H3mpjldeVyccQ4CADn3amVdbpcRV/F9XejV8
         3nI74nnSZTScfsTa1aq/4tDGbBzADuP60d6QpP5fzcZ5pPJgCULOVTPmifrb2igw+3A2
         SFNT6Fn2bq/sbjll/eQZuojQmB5ZXQMvPC6a+N+gD+oLK7tbpcSA1NDGZZMhXnZO7rvD
         4PwY0bQ77ZLg2v65Yw9VLG8MSEHvtYNXXf+wDqgn0Fdi3Cr9Z47s4Prp0vz70fWb6U5A
         bzxw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 13-v6si1749835ple.157.2018.03.09.16.25.00;
        Fri, 09 Mar 2018 16:25:15 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934215AbeCJAX6 (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Fri, 9 Mar 2018 19:23:58 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:41264 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933762AbeCJAX4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Mar 2018 19:23:56 -0500
Received: from localhost (unknown [185.236.200.248])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 07BC3FC9;
        Sat, 10 Mar 2018 00:23:55 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>,
        Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.15 09/11] scsi: mpt3sas: fix oops in error handlers after shutdown/unload
Date:   Fri,  9 Mar 2018 16:19:23 -0800
Message-Id: <20180310001835.061798273@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180310001834.560857664@linuxfoundation.org>
References: <20180310001834.560857664@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>

commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream.

This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so
not to access pointers/resources potentially freed in the PCI shutdown/module
unload path.  The error handlers may be invoked after shutdown/unload,
depending on other components.

This problem was observed with kexec on a system with a mpt3sas based adapter
and an infiniband adapter which takes long enough to shutdown:

The mpt3sas driver finished shutting down / disabled interrupt handling, thus
some commands have not finished and timed out.

Since the system was still running (waiting for the infiniband adapter to
shutdown), the scsi error handler for task abort of mpt3sas was invoked, and
hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL
without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or
later up in scsih_host_reset() (with or without that commit), because it
eventually called mpt3sas_base_get_iocstate().

After the above commit, the oops in scsih_abort() does not occur anymore
(_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is
too big and out of the scope of linux-stable, where this patch might help, so
still go for the changes.

Also, this might help to prevent similar errors in the future, in case code
changes and possibly tries to access freed stuff.

Note the fix in scsih_host_reset() is still important anyway.

Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -2998,7 +2998,8 @@ scsih_abort(struct scsi_cmnd *scmd)
 	_scsih_tm_display_info(ioc, scmd);
 
 	sas_device_priv_data = scmd->device->hostdata;
-	if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
+	if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
+	    ioc->remove_host) {
 		sdev_printk(KERN_INFO, scmd->device,
 			"device been deleted! scmd(%p)\n", scmd);
 		scmd->result = DID_NO_CONNECT << 16;
@@ -3060,7 +3061,8 @@ scsih_dev_reset(struct scsi_cmnd *scmd)
 	_scsih_tm_display_info(ioc, scmd);
 
 	sas_device_priv_data = scmd->device->hostdata;
-	if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
+	if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
+	    ioc->remove_host) {
 		sdev_printk(KERN_INFO, scmd->device,
 			"device been deleted! scmd(%p)\n", scmd);
 		scmd->result = DID_NO_CONNECT << 16;
@@ -3122,7 +3124,8 @@ scsih_target_reset(struct scsi_cmnd *scm
 	_scsih_tm_display_info(ioc, scmd);
 
 	sas_device_priv_data = scmd->device->hostdata;
-	if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
+	if (!sas_device_priv_data || !sas_device_priv_data->sas_target ||
+	    ioc->remove_host) {
 		starget_printk(KERN_INFO, starget, "target been deleted! scmd(%p)\n",
 			scmd);
 		scmd->result = DID_NO_CONNECT << 16;
@@ -3179,7 +3182,7 @@ scsih_host_reset(struct scsi_cmnd *scmd)
 	    ioc->name, scmd);
 	scsi_print_command(scmd);
 
-	if (ioc->is_driver_loading) {
+	if (ioc->is_driver_loading || ioc->remove_host) {
 		pr_info(MPT3SAS_FMT "Blocking the host reset\n",
 		    ioc->name);
 		r = FAILED;