On Thu, Mar 08, 2018 at 11:55:12AM -0300, Mauricio Faria de Oliveira wrote:
> commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream.
>
> This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so
> not to access pointers/resources potentially freed in the PCI shutdown/module
> unload path. The error handlers may be invoked after shutdown/unload,
> depending on other components.
>
> This problem was observed with kexec on a system with a mpt3sas based adapter
> and an infiniband adapter which takes long enough to shutdown:
>
> The mpt3sas driver finished shutting down / disabled interrupt handling, thus
> some commands have not finished and timed out.
>
> Since the system was still running (waiting for the infiniband adapter to
> shutdown), the scsi error handler for task abort of mpt3sas was invoked, and
> hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL
> without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or
> later up in scsih_host_reset() (with or without that commit), because it
> eventually called mpt3sas_base_get_iocstate().
>
> After the above commit, the oops in scsih_abort() does not occur anymore
> (_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is
> too big and out of the scope of linux-stable, where this patch might help, so
> still go for the changes.
>
> Also, this might help to prevent similar errors in the future, in case code
> changes and possibly tries to access freed stuff.
>
> Note the fix in scsih_host_reset() is still important anyway.
>
> Signed-off-by: Mauricio Faria de Oliveira <mauricfo@xxxxxxxxxxxxxxxxxx>
> Acked-by: Sreekanth Reddy <Sreekanth.Reddy@xxxxxxxxxxxx>
> Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
> ---
> drivers/scsi/mpt3sas/mpt3sas_scsih.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
Does not apply to the 4.14.y tree :(
Please provide a working backport if you want me to apply it there.
thanks,
greg k-h