lpfc use-after-free

Hi James,

If I unload the FC driver at the target side then the lpfc driver at the
initiator side triggers a KASAN complaint. Can you have a look at this?

Thanks,

Bart.

==================================================================
BUG: KASAN: use-after-free in lpfc_sli_def_mbox_cmpl+0x285/0x530 [lpfc]
Read of size 4 at addr ffff8880cc1116a0 by task lpfc_worker_1/188
CPU: 1 PID: 188 Comm: lpfc_worker_1 Tainted: G        W  O      5.0.0-rc6-dbg+ #3
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0x86/0xca
 print_address_description+0x71/0x239
 kasan_report.cold.3+0x1b/0x3b
 __asan_load4+0x78/0x80
 lpfc_sli_def_mbox_cmpl+0x285/0x530 [lpfc]
 lpfc_sli_handle_mb_event+0x455/0x8b0 [lpfc]
 lpfc_do_work+0x15a7/0x2630 [lpfc]
 kthread+0x1d2/0x1f0
 ret_from_fork+0x3a/0x50

Allocated by task 188:
 save_stack+0x43/0xd0
 __kasan_kmalloc.constprop.6+0xcb/0xd0
 kasan_kmalloc+0x9/0x10
 __kmalloc+0x135/0x310
 mempool_kmalloc+0x15/0x20
 mempool_alloc+0xf9/0x270
 lpfc_nlp_init+0x62/0x460 [lpfc]
 lpfc_els_unsol_buffer+0x15ca/0x4ba0 [lpfc]
 lpfc_els_unsol_event+0x184/0x350 [lpfc]
 lpfc_complete_unsol_iocb+0x101/0x150 [lpfc]
 lpfc_sli4_handle_received_buffer+0x10ad/0x1900 [lpfc]
 lpfc_sli_handle_slow_ring_event_s4+0x27d/0x3b0 [lpfc]
 lpfc_sli_handle_slow_ring_event+0x32/0x40 [lpfc]
 lpfc_do_work+0x1472/0x2630 [lpfc]
 kthread+0x1d2/0x1f0
 ret_from_fork+0x3a/0x50

Freed by task 5931:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x139/0x190
 kasan_slab_free+0xe/0x10
 kfree+0xe5/0x2c0
 mempool_kfree+0xe/0x10
 mempool_free+0x65/0x160
 lpfc_nlp_put.part.17+0x97a/0x10d0 [lpfc]
 lpfc_nlp_put+0x13/0x20 [lpfc]
 lpfc_disc_state_machine+0x167/0x360 [lpfc]
 lpfc_cleanup+0x173/0x390 [lpfc]
 lpfc_pci_remove_one+0x4f5/0xc70 [lpfc]
 pci_device_remove+0xd9/0x1e0
 device_release_driver_internal+0x28b/0x3a0
 driver_detach+0x9a/0xfa
 bus_remove_driver+0xca/0x14a
 driver_unregister+0x43/0x60
 pci_unregister_driver+0x29/0x110
 lpfc_exit+0x1c/0xf0a [lpfc]
 __x64_sys_delete_module+0x215/0x2e0
 do_syscall_64+0x77/0x220
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880cc111680
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
 512-byte region [ffff8880cc111680, ffff8880cc111880)
The buggy address belongs to the page:
page:ffffea0003304400 count:1 mapcount:0 mapping:ffff88811ff46c00 index:0xffff8880cc113980 compound_mapcount: 0
flags: 0x1000000000010200(slab|head)
raw: 1000000000010200 ffffea00028cf308 ffffea0000d05c08 ffff88811ff46c00
raw: ffff8880cc113980 0000000000190010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880cc111580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880cc111600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880cc111680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880cc111700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880cc111780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

(gdb) list *(lpfc_sli_def_mbox_cmpl+0x285)
0x2e25 is in lpfc_sli_def_mbox_cmpl (drivers/scsi/lpfc/lpfc_sli.c:2505).
2500            if (pmb->u.mb.mbxCommand == MBX_UNREG_LOGIN) {
2501                    ndlp = (struct lpfc_nodelist *)pmb->ctx_ndlp;
2502
2503                    /* Check to see if there are any deferred events to process */
2504                    if (ndlp) {
2505                            lpfc_printf_vlog(
2506                                    vport,
2507                                    KERN_INFO, LOG_MBOX | LOG_DISCOVERY,
2508                                    "1438 UNREG cmpl deferred mbox x%x "
2509                                    "on NPort x%x Data: x%x x%x %p\n",
