From: Duane Grigsby Date: Wed, 23 Aug 2017 22:05:01 +0000 (-0700) Subject: scsi: qla2xxx: Fix system panic due to pointer access problem X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a17305954d732ace786095ed6c911782c18529b9;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git scsi: qla2xxx: Fix system panic due to pointer access problem [ 1013.772926] BUG: unable to handle kernel paging request at 0000000300000020 [ 1013.772950] IP: qla24xx_els_ct_entry.isra.17+0x78/0x2a0 [qla2xxx] [ 1013.772951] PGD 0 [ 1013.772952] P4D 0 [ 1013.772952] [ 1013.772953] Oops: 0000 [#1] SMP [ 1013.772955] Modules linked in: qla2xxx(+) scsi_transport_fc nvme_fc nvme_fabrics nvme_core netconsole configfs af_packet iscsi_ibft iscsi_boot_sysfs xfs intel_rapl sb_edac libcrc32c x86_pkg_temp_thermal intel_powerclamp coretemp mgag200 kvm_intel ttm kvm drm_kms_helper ipmi_ssif irqbypass tg3 drm fb_sys_fops crct10dif_pclmul syscopyarea crc32_pclmul ghash_clmulni_intel ptp pcbc sysfillrect pps_core aesni_intel joydev aes_x86_64 sysimgblt crypto_simd iTCO_wdt libphy iTCO_vendor_support i2c_algo_bit glue_helper ipmi_si lpc_ich hpwdt ioatdma cryptd ipmi_devintf pcspkr mfd_core pcc_cpufreq ipmi_msghandler hpilo thermal dca button shpchp btrfs xor raid6_pq hid_generic usbhid sr_mod cdrom sd_mod ata_generic crc32c_intel serio_raw ata_piix ahci libahci uhci_hcd ehci_pci ehci_hcd libata usbcore hpsa scsi_transport_sas [ 1013.772994] sg scsi_mod autofs4 [ 1013.772998] CPU: 0 PID: 374 Comm: systemd-journal Not tainted 4.13.0-rc1-2-default #2 [ 1013.772999] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 07/15/2012 [ 1013.773000] task: ffff88082c188380 task.stack: ffffc90004d7c000 [ 1013.773011] RIP: 0010:qla24xx_els_ct_entry.isra.17+0x78/0x2a0 [qla2xxx] [ 1013.773012] RSP: 0000:ffff88042f603d90 EFLAGS: 00010082 [ 1013.773013] RAX: ffff88039f723ac8 RBX: ffff88039f723ac8 RCX: ffff8803a2e18010 [ 1013.773014] RDX: ffff88039f723ac0 RSI: ffff88042f603dc4 RDI: ffff88041b6787c0 [ 1013.773015] RBP: ffff88042f603e00 R08: 0000000000000002 R09: 000000000000000d [ 1013.773016] R10: 0000000000000002 R11: 0000000000000000 R12: ffff8803a2e80080 [ 1013.773016] R13: ffff88041b6787c0 R14: 0000000300000000 R15: 0000000000000102 [ 1013.773018] FS: 00007fa2e0a73880(0000) GS:ffff88042f600000(0000) knlGS:0000000000000000 [ 1013.773019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1013.773020] CR2: 0000000300000020 CR3: 000000042cd7e000 CR4: 00000000000406f0 [ 1013.773021] Call Trace: [ 1013.773022] [ 1013.773026] ? consume_skb+0x34/0xa0 [ 1013.773040] qla24xx_process_response_queue+0x319/0x700 [qla2xxx] [ 1013.773050] qla24xx_msix_rsp_q+0x7b/0xd0 [qla2xxx] [ 1013.773054] __handle_irq_event_percpu+0x3c/0x1b0 [ 1013.773056] handle_irq_event_percpu+0x23/0x60 [ 1013.773057] handle_irq_event+0x42/0x70 [ 1013.773059] handle_edge_irq+0x8f/0x190 [ 1013.773062] handle_irq+0x1d/0x30 [ 1013.773065] do_IRQ+0x48/0xd0 [ 1013.773067] common_interrupt+0x93/0x93 [ 1013.773068] RIP: 0033:0xed622c6e42 [ 1013.773069] RSP: 002b:00007ffee8b5c820 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff17 [ 1013.773071] RAX: 000000ed6316a3f0 RBX: 000000ed6316a840 RCX: 00000000000c4e33 [ 1013.773071] RDX: 000000ed6316a878 RSI: 000000ed6316a840 RDI: 000000ed631682d0 [ 1013.773072] RBP: 0000000000000001 R08: 0000000000000001 R09: 000000ed63179b70 [ 1013.773073] R10: 000000000005f6f8 R11: 0000000000000202 R12: 0000000000000001 [ 1013.773074] R13: 00007ffee8b5c85c R14: 000000ed6316a840 R15: 00007ffee8b5c850 [ 1013.773074] [ 1013.773076] Code: a9 8a 9a e0 48 8d 75 c4 48 89 da 4c 89 e1 4c 89 ef e8 54 6e fb ff 48 85 c0 48 89 c3 0f 84 0e 02 00 00 44 0f b7 48 36 4c 8b 70 58 <4d> 8b 7e 20 41 8d 41 fd 66 83 f8 0c 77 6c 0f b7 c0 ff 24 c5 88 [ 1013.773102] RIP: qla24xx_els_ct_entry.isra.17+0x78/0x2a0 [qla2xxx] RSP: ffff88042f603d90 [ 1013.773102] CR2: 0000000300000020 [ 1013.773129] ---[ end trace 532363559924f426 ]--- [ 1013.773131] Kernel panic - not syncing: Fatal exception in interrupt [ 1013.777719] Kernel Offset: disabled [ 1013.827528] ---[ end Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: Duane Grigsby Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen --- diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index d3a51df27b0d..c6c066186d97 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c @@ -1537,8 +1537,6 @@ qla24xx_els_ct_entry(scsi_qla_host_t *vha, struct req_que *req, sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); if (!sp) return; - bsg_job = sp->u.bsg_job; - bsg_reply = bsg_job->reply; type = NULL; switch (sp->type) { @@ -1577,6 +1575,8 @@ qla24xx_els_ct_entry(scsi_qla_host_t *vha, struct req_que *req, /* return FC_CTELS_STATUS_OK and leave the decoding of the ELS/CT * fc payload to the caller */ + bsg_job = sp->u.bsg_job; + bsg_reply = bsg_job->reply; bsg_reply->reply_data.ctels_reply.status = FC_CTELS_STATUS_OK; bsg_job->reply_len = sizeof(struct fc_bsg_reply) + sizeof(fw_status);