From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tyrel Datwyler, "Martin K. Petersen"
Subject: [PATCH 4.14 10/41] scsi: ibmvscsi: Fix empty event pool access during host removal
Date: Tue, 26 Mar 2019 15:29:47 +0900
Message-Id: <20190326042650.454629037@linuxfoundation.org>
In-Reply-To: <20190326042649.889479098@linuxfoundation.org>
References: <20190326042649.889479098@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler

commit 7f5203c13ba8a7b7f9f6ecfe5a4d5567188d7835 upstream.

The event pool used for queueing commands is destroyed fairly early in the
ibmvscsi_remove() code path. Since this happens prior to the call to
scsi_remove_host(), it is possible for further calls to queuecommand to be
processed which manifest as a panic due to a NULL pointer dereference as
seen here:

PANIC: "Unable to handle kernel paging request for data at address 0x00000000"

Context process backtrace:

DSISR: 0000000042000000 ????Syscall Result: 0000000000000000
4 [c000000002cb3820] memcpy_power7 at c000000000064204
[Link Register] [c000000002cb3820] ibmvscsi_send_srp_event at d000000003ed14a4
5 [c000000002cb3920] ibmvscsi_send_srp_event at d000000003ed14a4 [ibmvscsi] ?(unreliable)
6 [c000000002cb39c0] ibmvscsi_queuecommand at d000000003ed2388 [ibmvscsi]
7 [c000000002cb3a70] scsi_dispatch_cmd at d00000000395c2d8 [scsi_mod]
8 [c000000002cb3af0] scsi_request_fn at d00000000395ef88 [scsi_mod]
9 [c000000002cb3be0] __blk_run_queue at c000000000429860
10 [c000000002cb3c10] blk_delay_work at c00000000042a0ec
11 [c000000002cb3c40] process_one_work at c0000000000dac30
12 [c000000002cb3cd0] worker_thread at c0000000000db110
13 [c000000002cb3d80] kthread at c0000000000e3378
14 [c000000002cb3e30] ret_from_kernel_thread at c00000000000982c

The kernel buffer log is overfilled with this log:

[11261.952732] ibmvscsi: found no event struct in pool!

This patch reorders the operations during host teardown. Start by calling
the SRP transport and Scsi_Host remove functions to flush any outstanding
work and set the host offline. LLDD teardown follows including destruction
of the event pool, freeing the Command Response Queue (CRQ), and unmapping
any persistent buffers. The event pool destruction is protected by the
scsi_host lock, and the pool is purged prior of any requests for which we
never received a response.

Finally, move the removal of the scsi host from our global list to the end so that the host is easily locatable for debugging purposes during teardown. Cc: # v2.6.12+ Signed-off-by: Tyrel Datwyler Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/ibmvscsi/ibmvscsi.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) --- a/drivers/scsi/ibmvscsi/ibmvscsi.c +++ b/drivers/scsi/ibmvscsi/ibmvscsi.c @@ -2299,17 +2299,27 @@ static int ibmvscsi_probe(struct vio_dev static int ibmvscsi_remove(struct vio_dev *vdev) { struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev); - spin_lock(&ibmvscsi_driver_lock); - list_del(&hostdata->host_list); - spin_unlock(&ibmvscsi_driver_lock); - unmap_persist_bufs(hostdata); + unsigned long flags; + + srp_remove_host(hostdata->host); + scsi_remove_host(hostdata->host); + + purge_requests(hostdata, DID_ERROR); + + spin_lock_irqsave(hostdata->host->host_lock, flags); release_event_pool(&hostdata->pool, hostdata); + spin_unlock_irqrestore(hostdata->host->host_lock, flags); + ibmvscsi_release_crq_queue(&hostdata->queue, hostdata, max_events); kthread_stop(hostdata->work_thread); - srp_remove_host(hostdata->host); - scsi_remove_host(hostdata->host); + unmap_persist_bufs(hostdata); + + spin_lock(&ibmvscsi_driver_lock); + list_del(&hostdata->host_list); + spin_unlock(&ibmvscsi_driver_lock); + scsi_host_put(hostdata->host); return 0;
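
Review bot: in ibmvscsi_remove(), kthread_stop(hostdata->work_thread) still runs after both release_event_pool() and ibmvscsi_release_crq_queue(), so the work thread is alive while the pool and the CRQ it may service are being torn down. Either stop the thread before releasing those resources, or add a comment stating why the thread cannot touch the pool or the queue once scsi_remove_host() has returned. Separately, the new host_lock section around release_event_pool() only closes the race described in the changelog if the submission path checks pool state under the same lock, and purge_requests(hostdata, DID_ERROR) is called outside that section; a short comment above the locked region saying what it serializes against, and whether purge_requests() takes host_lock itself, would make the ordering requirement reviewable from this function alone.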