[PATCH 4.17 04/63] scsi: qla2xxx: Fix NULL pointer dereference for fcport search

From: Greg Kroah-Hartman
Date: Mon Jul 23 2018 - 08:26:10 EST


4.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chuck Anderson <chuck.anderson@xxxxxxxxxx>

commit 36eb8ff672faee83ccce60c191f0fef07c6adce6 upstream.

Crash dump shows following instructions

crash> bt
PID: 0 TASK: ffffffffbe412480 CPU: 0 COMMAND: "swapper/0"
#0 [ffff891ee0003868] machine_kexec at ffffffffbd063ef1
#1 [ffff891ee00038c8] __crash_kexec at ffffffffbd12b6f2
#2 [ffff891ee0003998] crash_kexec at ffffffffbd12c84c
#3 [ffff891ee00039b8] oops_end at ffffffffbd030f0a
#4 [ffff891ee00039e0] no_context at ffffffffbd074643
#5 [ffff891ee0003a40] __bad_area_nosemaphore at ffffffffbd07496e
#6 [ffff891ee0003a90] bad_area_nosemaphore at ffffffffbd074a64
#7 [ffff891ee0003aa0] __do_page_fault at ffffffffbd074b0a
#8 [ffff891ee0003b18] do_page_fault at ffffffffbd074fc8
#9 [ffff891ee0003b50] page_fault at ffffffffbda01925
[exception RIP: qlt_schedule_sess_for_deletion+15]
RIP: ffffffffc02e526f RSP: ffff891ee0003c08 RFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0307847
RDX: 00000000000020e6 RSI: ffff891edbc377c8 RDI: 0000000000000000
RBP: ffff891ee0003c18 R8: ffffffffc02f0b20 R9: 0000000000000250
R10: 0000000000000258 R11: 000000000000b780 R12: ffff891ed9b43000
R13: 00000000000000f0 R14: 0000000000000006 R15: ffff891edbc377c8
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#10 [ffff891ee0003c20] qla2x00_fcport_event_handler at ffffffffc02853d3 [qla2xxx]
#11 [ffff891ee0003cf0] __dta_qla24xx_async_gnl_sp_done_333 at ffffffffc0285a1d [qla2xxx]
#12 [ffff891ee0003de8] qla24xx_process_response_queue at ffffffffc02a2eb5 [qla2xxx]
#13 [ffff891ee0003e88] qla24xx_msix_rsp_q at ffffffffc02a5403 [qla2xxx]
#14 [ffff891ee0003ec0] __handle_irq_event_percpu at ffffffffbd0f4c59
#15 [ffff891ee0003f10] handle_irq_event_percpu at ffffffffbd0f4e02
#16 [ffff891ee0003f40] handle_irq_event at ffffffffbd0f4e90
#17 [ffff891ee0003f68] handle_edge_irq at ffffffffbd0f8984
#18 [ffff891ee0003f88] handle_irq at ffffffffbd0305d5
#19 [ffff891ee0003fb8] do_IRQ at ffffffffbda02a18
--- <IRQ stack> ---
#20 [ffffffffbe403d30] ret_from_intr at ffffffffbda0094e
[exception RIP: unknown or invalid address]
RIP: 000000000000001f RSP: 0000000000000000 RFLAGS: fff3b8c2091ebb3f
RAX: ffffbba5a0000200 RBX: 0000be8cdfa8f9fa RCX: 0000000000000018
RDX: 0000000000000101 RSI: 000000000000015d RDI: 0000000000000193
RBP: 0000000000000083 R8: ffffffffbe403e38 R9: 0000000000000002
R10: 0000000000000000 R11: ffffffffbe56b820 R12: ffff891ee001cf00
R13: ffffffffbd11c0a4 R14: ffffffffbe403d60 R15: 0000000000000001
ORIG_RAX: ffff891ee0022ac0 CS: 0000 SS: ffffffffffffffb9
bt: WARNING: possibly bogus exception frame
#21 [ffffffffbe403dd8] cpuidle_enter_state at ffffffffbd67c6fd
#22 [ffffffffbe403e40] cpuidle_enter at ffffffffbd67c907
#23 [ffffffffbe403e50] call_cpuidle at ffffffffbd0d98f3
#24 [ffffffffbe403e60] do_idle at ffffffffbd0d9b42
#25 [ffffffffbe403e98] cpu_startup_entry at ffffffffbd0d9da3
#26 [ffffffffbe403ec0] rest_init at ffffffffbd81d4aa
#27 [ffffffffbe403ed0] start_kernel at ffffffffbe67d2ca
#28 [ffffffffbe403f28] x86_64_start_reservations at ffffffffbe67c675
#29 [ffffffffbe403f38] x86_64_start_kernel at ffffffffbe67c6eb
#30 [ffffffffbe403f50] secondary_startup_64 at ffffffffbd0000d5

Fixes: 040036bb0bc1 ("scsi: qla2xxx: Delay loop id allocation at login")
Cc: <stable@xxxxxxxxxxxxxxx> # v4.17+
Signed-off-by: Chuck Anderson <chuck.anderson@xxxxxxxxxx>
Signed-off-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/scsi/qla2xxx/qla_init.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -591,12 +591,14 @@ static void qla24xx_handle_gnl_done_even
conflict_fcport =
qla2x00_find_fcport_by_wwpn(vha,
e->port_name, 0);
- ql_dbg(ql_dbg_disc, vha, 0x20e6,
- "%s %d %8phC post del sess\n",
- __func__, __LINE__,
- conflict_fcport->port_name);
- qlt_schedule_sess_for_deletion
- (conflict_fcport);
+ if (conflict_fcport) {
+ qlt_schedule_sess_for_deletion
+ (conflict_fcport);
+ ql_dbg(ql_dbg_disc, vha, 0x20e6,
+ "%s %d %8phC post del sess\n",
+ __func__, __LINE__,
+ conflict_fcport->port_name);
+ }
}

/* FW already picked this loop id for another fcport */