Re: [PATCH v2 09/11] qla2xxx: fix null pointer access while connections disconnect from subsystem

> On Aug 6, 2020, at 6:10 AM, Nilesh Javali <njavali@xxxxxxxxxxx> wrote:
> 
> From: Quinn Tran <qutran@xxxxxxxxxxx>
> 
> NVMEAsync command is being submitted to QLA, while the same nvme controller
> is in the middle of reset. The reset path has deleted the association and
> freed aen_op->fcp_req.private. Add a check for this private pointer
> before issuing the command.
> 
> ...
> 6 [ffffb656ca11fce0] page_fault at ffffffff8c00114e
>    [exception RIP: qla_nvme_post_cmd+394]
>    RIP: ffffffffc0d012ba  RSP: ffffb656ca11fd98  RFLAGS: 00010206
>    RAX: ffff8fb039eda228  RBX: ffff8fb039eda200  RCX: 00000000000da161
>    RDX: ffffffffc0d4d0f0  RSI: ffffffffc0d26c9b  RDI: ffff8fb039eda220
>    RBP: 0000000000000013   R8: ffff8fb47ff6aa80   R9: 0000000000000002
>    R10: 0000000000000000  R11: ffffb656ca11fdc8  R12: ffff8fb27d04a3b0
>    R13: ffff8fc46dd98a58  R14: 0000000000000000  R15: ffff8fc4540f0000
>    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
> 7 [ffffb656ca11fe08] nvme_fc_start_fcp_op at ffffffffc0241568 [nvme_fc]
> 8 [ffffb656ca11fe50] nvme_fc_submit_async_event at ffffffffc0241901 [nvme_fc]
> 9 [ffffb656ca11fe68] nvme_async_event_work at ffffffffc014543d [nvme_core]
> 10 [ffffb656ca11fe98] process_one_work at ffffffff8b6cd437
> 11 [ffffb656ca11fed8] worker_thread at ffffffff8b6cdcef
> 12 [ffffb656ca11ff10] kthread at ffffffff8b6d3402
> 13 [ffffb656ca11ff50] ret_from_fork at ffffffff8c000255
> 
> --
> PID: 37824  TASK: ffff8fb033063d80  CPU: 20  COMMAND: "kworker/u97:451"
> 0 [ffffb656ce1abc28] __schedule at ffffffff8be629e3
> 1 [ffffb656ce1abcc8] schedule at ffffffff8be62fe8
> 2 [ffffb656ce1abcd0] schedule_timeout at ffffffff8be671ed
> 3 [ffffb656ce1abd70] wait_for_completion at ffffffff8be639cf
> 4 [ffffb656ce1abdd0] flush_work at ffffffff8b6ce2d5
> 5 [ffffb656ce1abe70] nvme_stop_ctrl at ffffffffc0144900 [nvme_core]
> 6 [ffffb656ce1abe80] nvme_fc_reset_ctrl_work at ffffffffc0243445 [nvme_fc]
> 7 [ffffb656ce1abe98] process_one_work at ffffffff8b6cd437
> 8 [ffffb656ce1abed8] worker_thread at ffffffff8b6cdb50
> 9 [ffffb656ce1abf10] kthread at ffffffff8b6d3402
> 10 [ffffb656ce1abf50] ret_from_fork at ffffffff8c000255
> 
> Signed-off-by: Quinn Tran <qutran@xxxxxxxxxxx>
> Signed-off-by: Nilesh Javali <njavali@xxxxxxxxxxx>
> ---
> drivers/scsi/qla2xxx/qla_nvme.c | 5 +++++
> 1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
> index be1d49f5c622..f451683db75c 100644
> --- a/drivers/scsi/qla2xxx/qla_nvme.c
> +++ b/drivers/scsi/qla2xxx/qla_nvme.c
> @@ -535,6 +535,11 @@ static int qla_nvme_post_cmd(struct nvme_fc_local_port *lport,
> 	struct nvme_private *priv = fd->private;
> 	struct qla_nvme_rport *qla_rport = rport->private;
> 
> +	if (!priv) {
> +		/* nvme association has been torn down */
> +		return rval;
> +	}
> +
> 	fcport = qla_rport->fcport;
> 
> 	if (!qpair || !fcport || (qpair && !qpair->fw_started) ||
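
Review bot: The new `if (!priv)` branch at the top of qla_nvme_post_cmd() returns `rval`, and nothing in the visible lines shows what `rval` holds at that point; returning an explicit error code there would make it obvious what the caller (nvme_fc_start_fcp_op in the trace above) receives when the association is gone. The commit message also describes the reset path freeing `fd->private` while this submission is in flight, yet `priv` is read once at declaration and tested with no lock or ordering visible in the hunk, so the check only helps if the teardown side clears the pointer before freeing it and cannot run between the test and the later uses of `priv`. Please name in the comment or the commit message which lock or ordering guarantees that.
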
> -- 
> 2.19.0.rc0
> 

Reviewed-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx>

--
Himanshu Madhani	 Oracle Linux Engineering




