Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 27b1313c authored by Dick Kennedy's avatar Dick Kennedy Committed by Greg Kroah-Hartman
Browse files

scsi: lpfc: Fix crash receiving ELS while detaching driver 



commit 1234a6d54fed8a00091968c4eb2fb52e1cbb8e2e upstream.

The driver crashes when attempting to use a freed ndpl pointer.

The pci_remove_one handler runs on a separate kernel thread. The order
of the removal is starting by freeing all of the ndlps and then
disabling interrupts. In between these two events the driver can still
receive an ELS and process it. When it tries to use the ndlp pointer
will be NULL

Change the order of the pci_remove_one vs disable interrupts so that
interrupts are disabled before the ndlp's are freed.

Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: default avatarJames Smart <james.smart@broadcom.com>
Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 6d697650

drivers/scsi/lpfc/lpfc_attr.c

+4 −2
Original line number Diff line number Diff line
@@ -3134,7 +3134,8 @@ lpfc_txq_hw_show(struct device *dev, struct device_attribute *attr, char *buf) 
	struct lpfc_hba   *phba = ((struct lpfc_vport *) shost->hostdata)->phba;

	struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba);



	return snprintf(buf, PAGE_SIZE, "%d\n", pring->txq_max);

	return snprintf(buf, PAGE_SIZE, "%d\n",

			pring ? pring->txq_max : 0);

}



static DEVICE_ATTR(txq_hw, S_IRUGO,
@@ -3147,7 +3148,8 @@ lpfc_txcmplq_hw_show(struct device *dev, struct device_attribute *attr, 
	struct lpfc_hba   *phba = ((struct lpfc_vport *) shost->hostdata)->phba;

	struct lpfc_sli_ring *pring = lpfc_phba_elsring(phba);



	return snprintf(buf, PAGE_SIZE, "%d\n", pring->txcmplq_max);

	return snprintf(buf, PAGE_SIZE, "%d\n",

			pring ? pring->txcmplq_max : 0);

}



static DEVICE_ATTR(txcmplq_hw, S_IRUGO,

drivers/scsi/lpfc/lpfc_bsg.c

+3 −1
Original line number Diff line number Diff line
@@ -2911,7 +2911,7 @@ static int lpfcdiag_loop_post_rxbufs(struct lpfc_hba *phba, uint16_t rxxri, 
		}

	}



	if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer) {

	if (!cmdiocbq || !rxbmp || !rxbpl || !rxbuffer || !pring) {

		ret_val = -ENOMEM;

		goto err_post_rxbufs_exit;

	}
@@ -5421,6 +5421,8 @@ lpfc_bsg_timeout(struct bsg_job *job) 
	struct lpfc_iocbq *check_iocb, *next_iocb;



	pring = lpfc_phba_elsring(phba);

	if (unlikely(!pring))

		return -EIO;



	/* if job's driver data is NULL, the command completed or is in the

	 * the process of completing.  In this case, return status to request

drivers/scsi/lpfc/lpfc_els.c

+6 −1
Original line number Diff line number Diff line
@@ -7430,6 +7430,8 @@ lpfc_els_timeout_handler(struct lpfc_vport *vport) 
	timeout = (uint32_t)(phba->fc_ratov << 1);



	pring = lpfc_phba_elsring(phba);

	if (unlikely(!pring))

		return;



	if ((phba->pport->load_flag & FC_UNLOADING))

		return;
@@ -9310,6 +9312,9 @@ void lpfc_fabric_abort_nport(struct lpfc_nodelist *ndlp) 


	pring = lpfc_phba_elsring(phba);



	if (unlikely(!pring))

		return;



	spin_lock_irq(&phba->hbalock);

	list_for_each_entry_safe(piocb, tmp_iocb, &phba->fabric_iocb_list,

				 list) {
@@ -9416,7 +9421,7 @@ lpfc_sli4_els_xri_aborted(struct lpfc_hba *phba, 
				rxid, 1);



			/* Check if TXQ queue needs to be serviced */

			if (!(list_empty(&pring->txq)))

			if (pring && !list_empty(&pring->txq))

				lpfc_worker_wake_up(phba);

			return;

		}

drivers/scsi/lpfc/lpfc_hbadisc.c

+4 −1
Original line number Diff line number Diff line
@@ -3324,6 +3324,7 @@ lpfc_mbx_cmpl_read_topology(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) 


	/* Unblock ELS traffic */

	pring = lpfc_phba_elsring(phba);

	if (pring)

		pring->flag &= ~LPFC_STOP_IOCB_EVENT;



	/* Check for error */
@@ -5430,6 +5431,8 @@ lpfc_free_tx(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp) 


	psli = &phba->sli;

	pring = lpfc_phba_elsring(phba);

	if (unlikely(!pring))

		return;



	/* Error matching iocb on txq or txcmplq

	 * First check the txq.

drivers/scsi/lpfc/lpfc_init.c

+7 −7
Original line number Diff line number Diff line
@@ -11404,6 +11404,13 @@ lpfc_pci_remove_one_s4(struct pci_dev *pdev) 
	/* Remove FC host and then SCSI host with the physical port */

	fc_remove_host(shost);

	scsi_remove_host(shost);

	/*

	 * Bring down the SLI Layer. This step disables all interrupts,

	 * clears the rings, discards all mailbox commands, and resets

	 * the HBA FCoE function.

	 */

	lpfc_debugfs_terminate(vport);

	lpfc_sli4_hba_unset(phba);



	/* Perform ndlp cleanup on the physical port.  The nvme and nvmet

	 * localports are destroyed after to cleanup all transport memory.
@@ -11412,13 +11419,6 @@ lpfc_pci_remove_one_s4(struct pci_dev *pdev) 
	lpfc_nvmet_destroy_targetport(phba);

	lpfc_nvme_destroy_localport(vport);



	/*

	 * Bring down the SLI Layer. This step disables all interrupts,

	 * clears the rings, discards all mailbox commands, and resets

	 * the HBA FCoE function.

	 */

	lpfc_debugfs_terminate(vport);

	lpfc_sli4_hba_unset(phba);



	lpfc_stop_hba_timers(phba);

	spin_lock_irq(&phba->hbalock);