Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1344224ybf; Thu, 27 Feb 2020 09:10:58 -0800 (PST) X-Google-Smtp-Source: APXvYqxYIf3zvM8QiHINgeDTPbGYL162QIwHEAvp/bLtW7+BCgzKC1Q4/kB1xyRpaFlCJcICkYDX X-Received: by 2002:a9d:7842:: with SMTP id c2mr590924otm.252.1582823458522; Thu, 27 Feb 2020 09:10:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582823458; cv=none; d=google.com; s=arc-20160816; b=c6wbp/nzLJkC3y2Y8i66shCK5wa/4F3TdpAriiNPvQ4TaDLgJT/MxQnkkR/pWnS/qa jcqDLvFQV6kjKJvbvd1NosXUDxMTX8qmMpkqtG8HuafDJuFQv6JGAJDNfupW41tJ8GR+ EPaRtBspTIr1iWe5yLfEpQ/3WL/nMS7ofe0BgTk0CG31lcGuQ/wfakOMdQl9qwtaYQla X6834vUutXjotUmuO2b1i3P7AAWYyBa/aJKBNfx/SiF8vkdB/LTwaWyL/rKIITt6ljCh AGwtZM90br+HFnsZ4CVEwYQyy2DwwvmJxJk2pS0jTqRyR0cHlP+vJGrO9ZQdFBgXpG9l FGMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-disposition :content-transfer-encoding:mime-version:in-reply-to:references:cc :user-agent:date:subject:to:from; bh=/roHPM7RjW+LGvK/jv6OjyimgrKn9+Ax7pp3J7fnglw=; b=JT/m8fYdo0YGqCeHKncWLFA6MkHkHdjUei7Ly6Xdj8QzeDp4P/OdWRlfOpaqEwTrLY bF5kwPWSWpij3bfAY1o5ech+D20DVB+V2stshbSPvbhWRSvoNPwETE6uQi2dyHWRAJ47 ZxaMW8UaVqj6eu5RBInUS2twTRFwFk4hvk4+2XP2lPKaDN/kQWiT4Y+1JRgR2gjAHlDW 7WC8t3ujHVvtXtSgeTPUKDog+ejSLntVQRnOAew9N3JGS+7vl0naO4xcXWhfofFtXDb7 YahL5/V5kqViGn/w1XfM/LVpUZz/tSTLPmMpPHXlfQzkQn8RhP6NwdAtJDPIazmgtrHt ZqnA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j2si2074022otk.164.2020.02.27.09.10.45; Thu, 27 Feb 2020 09:10:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729633AbgB0RJO (ORCPT + 99 others); Thu, 27 Feb 2020 12:09:14 -0500 Received: from hosting.gsystem.sk ([212.5.213.30]:58530 "EHLO hosting.gsystem.sk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726460AbgB0RJN (ORCPT ); Thu, 27 Feb 2020 12:09:13 -0500 Received: from [192.168.0.2] (188-167-68-178.dynamic.chello.sk [188.167.68.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by hosting.gsystem.sk (Postfix) with ESMTPSA id 256C87A0123; Thu, 27 Feb 2020 18:09:12 +0100 (CET) From: Ondrej Zary To: Bart Van Assche Subject: Re: NULL pointer dereference in qla24xx_abort_command, kernel 4.19.98 (Debian) Date: Thu, 27 Feb 2020 18:09:07 +0100 User-Agent: KMail/1.9.10 Cc: qla2xxx-upstream@qlogic.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org References: <202002231929.01662.linux@zary.sk> <202002240920.17691.linux@zary.sk> <1fbad673-1b8c-0813-c60e-a4f56330a972@acm.org> In-Reply-To: <1fbad673-1b8c-0813-c60e-a4f56330a972@acm.org> X-KMail-QuotePrefix: > MIME-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <202002271809.07717.linux@zary.sk> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tuesday 25 February 2020 04:41:48 Bart Van Assche wrote: > On 2020-02-24 00:20, Ondrej Zary wrote: > > Looks like it's in some inlined function. > > > > /usr/src/linux-source-4.19# gdb /lib/modules/4.19.0-8-amd64/kernel/drivers/scsi/qla2xxx/qla2xxx.ko > > GNU gdb (Debian 8.2.1-2+b3) 8.2.1 > > ... > > Reading symbols from /lib/modules/4.19.0-8-amd64/kernel/drivers/scsi/qla2xxx/qla2xxx.ko...Reading symbols > > from /usr/lib/debug//lib/modules/4.19.0-8-amd64/kernel/drivers/scsi/qla2xxx/qla2xxx.ko...done. > > done. > > > > (gdb) list *(qla24xx_async_abort_cmd+0x1b) > > 0xf88b is in qla24xx_async_abort_cmd (./arch/x86/include/asm/atomic.h:97). > > 92 * > > 93 * Atomically increments @v by 1. > > 94 */ > > 95 static __always_inline void arch_atomic_inc(atomic_t *v) > > 96 { > > 97 asm volatile(LOCK_PREFIX "incl %0" > > 98 : "+m" (v->counter) :: "memory"); > > 99 } > > 100 #define arch_atomic_inc arch_atomic_inc > > > > [ ... ] > > > > (gdb) disassemble qla24xx_async_abort_cmd > > Dump of assembler code for function qla24xx_async_abort_cmd: > > 0x000000000000f870 <+0>: callq 0xf875 > > 0x000000000000f875 <+5>: push %r15 > > 0x000000000000f877 <+7>: push %r14 > > 0x000000000000f879 <+9>: push %r13 > > 0x000000000000f87b <+11>: push %r12 > > 0x000000000000f87d <+13>: push %rbp > > 0x000000000000f87e <+14>: push %rbx > > 0x000000000000f87f <+15>: mov 0x28(%rdi),%r13 > > 0x000000000000f883 <+19>: mov 0x20(%rdi),%r15 > > 0x000000000000f887 <+23>: mov 0x48(%rdi),%r14 > > 0x000000000000f88b <+27>: lock incl 0x4(%r14) > > 0x000000000000f890 <+32>: mfence > > Thanks, this is very helpful. I think the above means that the crash is > triggered by the following code: > > sp = qla2xxx_get_qpair_sp(cmd_sp->qpair, cmd_sp->fcport, > GFP_KERNEL); > > From the start of qla2xxx_get_qpair_sp(): > > QLA_QPAIR_MARK_BUSY(qpair, bail); > > From qla_def.h: > > #define QLA_QPAIR_MARK_BUSY(__qpair, __bail) do { \ > atomic_inc(&__qpair->ref_count); \ > mb(); \ > if (__qpair->delete_in_progress) { \ > atomic_dec(&__qpair->ref_count); \ > __bail = 1; \ > } else { \ > __bail = 0; \ > } \ > } while (0) > > One of the changes between kernel version v4.9.210 and v4.19.98 is the > following: "qla2xxx: Add multiple queue pair functionality". I think the > above information means that the cmd_sp->qpair pointer is NULL. I will > let QLogic recommend a solution. Thank you very much for the analysis. Unfortunately, QLogic does not seem to care... -- Ondrej Zary