Panic: qla2xxx will panic the systems when sending sg_write_same -T --lba=1 to a device that has no protection

Hello

A customer discovered this on a RHEL 8.8 kernel but the issue also
exists upstream with the current code in 6.4 for example.

[  177.143279]  ? qla2xxx_dif_start_scsi_mq+0xcd8/0xce0 [qla2xxx]
[  177.149165]  ? internal_add_timer+0x42/0x70
[  177.153372]  qla2xxx_mqueuecommand+0x207/0x2b0 [qla2xxx]
[  177.158730]  scsi_queue_rq+0x2b7/0xc00
[  177.162501]  blk_mq_dispatch_rq_list+0x3ea/0x7e0

Simple reproducer to a LUN with no protection
sg_write_same -T --lba=1 /dev/sdxx  (or mpath)

With the device having no protection we land up with
SCSI_PROT_NORMAL being used, so we fall through to the BUG():

switch (scsi_get_prot_op(GET_CMD_SP(sp))) {
case SCSI_PROT_READ_INSERT:
case SCSI_PROT_WRITE_STRIP:
        total_bytes = data_bytes;
        data_bytes += dif_bytes;
        break;

case SCSI_PROT_READ_STRIP:
case SCSI_PROT_WRITE_INSERT:
case SCSI_PROT_READ_PASS:
case SCSI_PROT_WRITE_PASS:
        total_bytes = data_bytes + dif_bytes;
        break;
default:
        BUG();
}


I also had David Jeffery look at this and his comment was:

In this particular case, it looks like the issue is just with qla2xxx,
regardless of the hardware. The scsi_disk being sent the command had no
dif protection enabled and there was no dix data.

crash> struct scsi_disk.protection_type 0xff34947432176800
  protection_type = 0 '\000',

crash> px ((struct scsi_cmnd *)0xff3494740b759138)->prot_sdb[0]
$7 = {
  table = {
    sgl = 0xff3494740b7595a8,
    nents = 0x0,
    orig_nents = 0x0
  },
  length = 0x0,
  resid = 0x0
}

So a WRITE_SAME_32 prot_op was always going to be SCSI_PROT_NORMAL in
prot_op. qla2xxx should not crash when passed such a command and state.


KDUMP   
Linux
segstorage3
6.4.0+

[  176.960932] ------------[ cut here ]------------
[  176.965582] kernel BUG at drivers/scsi/qla2xxx/qla_iocb.c:1459!
[  176.971540] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  176.976795] CPU: 10 PID: 16058 Comm: sg_write_same Kdump: loaded
Tainted: G S                 6.4.0+ #1
[  176.986240] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380
Gen10, BIOS U30 05/17/2022
[  176.994812] RIP: 0010:qla2xxx_dif_start_scsi_mq+0xcd8/0xce0
[qla2xxx]
[  177.001337] Code: ff ff 48 8b 7c 24 40 0f b7 bf 4c 01 00 00 e9 73 f6
ff ff 83 3d 68 a0 de ff 01 0f 8e 7b fd ff ff e9 6f fd ff ff e8 b8 7f 07
ce <0f> 0b 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[  177.020217] RSP: 0018:ffffa1c44f86b9e0 EFLAGS: 00010046
[  177.025470] RAX: 0000000000000008 RBX: ffff961087e29000 RCX:
0000000000000000
[  177.032644] RDX: 0000000000000000 RSI: ffff9617c9e09460 RDI:
0000000000000200
[  177.039818] RBP: ffff9617c9e09588 R08: ffff9617c9e09460 R09:
0000000000000200
[  177.046992] R10: ffff96107800e880 R11: 0000000000000000 R12:
00000000000010c0
[  177.054165] R13: ffff96107800e880 R14: ffff961064c52180 R15:
ffff961066f8de00
[  177.061337] FS:  00007f41eef7e740(0000) GS:ffff961f4d800000(0000)
knlGS:0000000000000000
[  177.069471] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  177.075246] CR2: 000055e1e2591bd8 CR3: 00000008823b2005 CR4:
00000000007706e0
[  177.082420] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  177.089594] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[  177.096768] PKRU: 55555554
[  177.099487] Call Trace:
[  177.101944]  <TASK>
[  177.104052]  ? __die_body+0x1e/0x60
[  177.107560]  ? die+0x3c/0x60
[  177.110454]  ? do_trap+0xe6/0x110
[  177.113786]  ? qla2xxx_dif_start_scsi_mq+0xcd8/0xce0 [qla2xxx]
[  177.119674]  ? do_error_trap+0x65/0x80
[  177.123442]  ? qla2xxx_dif_start_scsi_mq+0xcd8/0xce0 [qla2xxx]
[  177.129328]  ? exc_invalid_op+0x50/0x70
[  177.133184]  ? qla2xxx_dif_start_scsi_mq+0xcd8/0xce0 [qla2xxx]
[  177.139071]  ? asm_exc_invalid_op+0x1a/0x20
[  177.143279]  ? qla2xxx_dif_start_scsi_mq+0xcd8/0xce0 [qla2xxx]
[  177.149165]  ? internal_add_timer+0x42/0x70
[  177.153372]  qla2xxx_mqueuecommand+0x207/0x2b0 [qla2xxx]
[  177.158730]  scsi_queue_rq+0x2b7/0xc00
[  177.162501]  blk_mq_dispatch_rq_list+0x3ea/0x7e0
[  177.167143]  __blk_mq_sched_dispatch_requests+0xac/0x670
[  177.172485]  ? blk_rq_map_user_iov+0x2ae/0x690
[  177.176952]  ? blk_mq_request_bypass_insert+0x74/0xa0
[  177.182031]  blk_mq_sched_dispatch_requests+0x37/0x70
[  177.187110]  blk_mq_run_hw_queue+0x183/0x1b0
[  177.191402]  blk_execute_rq+0x103/0x230
[  177.195257]  sg_io+0x17f/0x360
[  177.198327]  scsi_ioctl_sg_io+0x69/0x90
[  177.202182]  scsi_ioctl+0x4c6/0x890
[  177.205688]  ? scsi_block_when_processing_errors+0x26/0xd0
[  177.211204]  ? multipath_prepare_ioctl+0x50/0x130 [dm_multipath]
[  177.217247]  dm_blk_ioctl+0x72/0x120 [dm_mod]
[  177.221637]  blkdev_ioctl+0x1c2/0x280
[  177.225320]  __x64_sys_ioctl+0x90/0xd0
[  177.229089]  do_syscall_64+0x3b/0x90
[  177.232683]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[  177.237762] RIP: 0033:0x7f41ee4397cb
[  177.241355] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83
c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48
[  177.260234] RSP: 002b:00007ffe44cf3578 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
[  177.267846] RAX: ffffffffffffffda RBX: 000055e1e25909a0 RCX:
00007f41ee4397cb
[  177.275018] RDX: 00007ffe44cf3580 RSI: 0000000000002285 RDI:
0000000000000003
[  177.282191] RBP: 0000000000000003 R08: 0000000000000040 R09:
000055e1e2590a50
[  177.289363] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[  177.296535] R13: 00007ffe44cf3638 R14: 000055e1e25909a0 R15:
00007ffe44cf3890
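
A userspace model of the switch quoted in the report, added here as an illustration and not taken from the qla2xxx driver or from any upstream fix: it keeps the same length arithmetic but rejects an unexpected prot_op with an error instead of hitting BUG(). The enum values, the dif_lengths() helper, the -EINVAL return and the 8-byte-per-block DIF tuple size are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Names mirror the kernel's protection operations; values are local to this model. */
enum prot_op {
    SCSI_PROT_NORMAL, SCSI_PROT_READ_INSERT, SCSI_PROT_WRITE_STRIP,
    SCSI_PROT_READ_STRIP, SCSI_PROT_WRITE_INSERT,
    SCSI_PROT_READ_PASS, SCSI_PROT_WRITE_PASS,
};

#define DIF_TUPLE_BYTES 8u  /* assumed: one 8-byte protection tuple per block */

/*
 * Hypothetical helper: same two cases as the quoted switch, but a command
 * that carries no protection operation is failed back to the caller
 * rather than crashing the machine.
 * Returns 0 on success, -EINVAL for an unsupported op or zero block size.
 */
static int dif_lengths(enum prot_op op, uint32_t data_bytes, uint32_t blk_size,
                       uint32_t *total_bytes, uint32_t *out_data_bytes)
{
    uint32_t dif_bytes;

    if (blk_size == 0)
        return -EINVAL;
    dif_bytes = (data_bytes / blk_size) * DIF_TUPLE_BYTES;

    switch (op) {
    case SCSI_PROT_READ_INSERT:
    case SCSI_PROT_WRITE_STRIP:
        *total_bytes = data_bytes;
        *out_data_bytes = data_bytes + dif_bytes;
        return 0;
    case SCSI_PROT_READ_STRIP:
    case SCSI_PROT_WRITE_INSERT:
    case SCSI_PROT_READ_PASS:
    case SCSI_PROT_WRITE_PASS:
        *total_bytes = data_bytes + dif_bytes;
        *out_data_bytes = data_bytes;
        return 0;
    default:  /* includes SCSI_PROT_NORMAL, the state seen in the report */
        return -EINVAL;
    }
}

int main(void)
{
    uint32_t total = 0, data = 0;
    int rc = dif_lengths(SCSI_PROT_NORMAL, 512, 512, &total, &data);
    printf("SCSI_PROT_NORMAL -> rc=%d (command rejected, no crash)\n", rc);
    return 0;
}
```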




