scsi: qla2xxx: Fix kernel crash after disconnecting NVMe devices

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffffc050d10c>] qla_nvme_unregister_remote_port+0x6c/0xf0 [qla2xxx]
PGD 800000084cf41067 PUD 84d288067 PMD 0
Oops: 0000 [#1] SMP
Call Trace:
 [<ffffffff98abcfdf>] process_one_work+0x17f/0x440
 [<ffffffff98abdca6>] worker_thread+0x126/0x3c0
 [<ffffffff98abdb80>] ? manage_workers.isra.26+0x2a0/0x2a0
 [<ffffffff98ac4f81>] kthread+0xd1/0xe0
 [<ffffffff98ac4eb0>] ? insert_kthread_work+0x40/0x40
 [<ffffffff9918ad37>] ret_from_fork_nospec_begin+0x21/0x21
 [<ffffffff98ac4eb0>] ? insert_kthread_work+0x40/0x40
RIP  [<ffffffffc050d10c>] qla_nvme_unregister_remote_port+0x6c/0xf0 [qla2xxx]

The crash is due to a bad entry in the nvme_rport_list. This list is not
protected, and when a remoteport_delete callback is called, driver
traverses the list and crashes.

Actually, the list could be removed and driver could traverse the main
fcport list instead. Fix does exactly that.

Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 1a4095c56eeecff77f575088a07878ab96d97f5d..602ed24bb806da501b1a88ba3f2da95505aaec95 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -4376,7 +4376,6 @@ typedef struct scsi_qla_host {
 
        struct          nvme_fc_local_port *nvme_local_port;
        struct completion nvme_del_done;
-       struct list_head nvme_rport_list;
 
        uint16_t        fcoe_vlan_id;
        uint16_t        fcoe_fcf_idx;

diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
index 22e3fba28e5187816fee62b1017e24ec34172a94..b43c62758cec6775fd0af89a08258f5f06703f3d 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_nvme.c
+++ b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -74,7 +74,6 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport)
 
        rport = fcport->nvme_remote_port->private;
        rport->fcport = fcport;
-       list_add_tail(&rport->list, &vha->nvme_rport_list);
 
        fcport->nvme_flag |= NVME_FLAG_REGISTERED;
        return 0;
@@ -542,19 +541,12 @@ static void qla_nvme_localport_delete(struct nvme_fc_local_port *lport)
 static void qla_nvme_remoteport_delete(struct nvme_fc_remote_port *rport)
 {
        fc_port_t *fcport;
-       struct qla_nvme_rport *qla_rport = rport->private, *trport;
+       struct qla_nvme_rport *qla_rport = rport->private;
 
        fcport = qla_rport->fcport;
        fcport->nvme_remote_port = NULL;
        fcport->nvme_flag &= ~NVME_FLAG_REGISTERED;
 
-       list_for_each_entry_safe(qla_rport, trport,
-           &fcport->vha->nvme_rport_list, list) {
-               if (qla_rport->fcport == fcport) {
-                       list_del(&qla_rport->list);
-                       break;
-               }
-       }
        complete(&fcport->nvme_del_done);
 
        if (!test_bit(UNLOADING, &fcport->vha->dpc_flags)) {
@@ -590,7 +582,7 @@ static void qla_nvme_unregister_remote_port(struct work_struct *work)
 {
        struct fc_port *fcport = container_of(work, struct fc_port,
            nvme_del_work);
-       struct qla_nvme_rport *qla_rport, *trport;
+       int ret;
 
        if (!IS_ENABLED(CONFIG_NVME_FC))
                return;
@@ -598,23 +590,14 @@ static void qla_nvme_unregister_remote_port(struct work_struct *work)
        ql_log(ql_log_warn, NULL, 0x2112,
            "%s: unregister remoteport on %p\n",__func__, fcport);
 
-       list_for_each_entry_safe(qla_rport, trport,
-           &fcport->vha->nvme_rport_list, list) {
-               if (qla_rport->fcport == fcport) {
-                       ql_log(ql_log_info, fcport->vha, 0x2113,
-                           "%s: fcport=%p\n", __func__, fcport);
-                       nvme_fc_set_remoteport_devloss
-                               (fcport->nvme_remote_port, 0);
-                       init_completion(&fcport->nvme_del_done);
-                       if (nvme_fc_unregister_remoteport
-                           (fcport->nvme_remote_port))
-                               ql_log(ql_log_info, fcport->vha, 0x2114,
-                                   "%s: Failed to unregister nvme_remote_port\n",
-                                   __func__);
-                       wait_for_completion(&fcport->nvme_del_done);
-                       break;
-               }
-       }
+       nvme_fc_set_remoteport_devloss(fcport->nvme_remote_port, 0);
+       init_completion(&fcport->nvme_del_done);
+       ret = nvme_fc_unregister_remoteport(fcport->nvme_remote_port);
+       if (ret)
+               ql_log(ql_log_info, fcport->vha, 0x2114,
+                       "%s: Failed to unregister nvme_remote_port (%d)\n",
+                           __func__, ret);
+       wait_for_completion(&fcport->nvme_del_done);
 }
 
 void qla_nvme_delete(struct scsi_qla_host *vha)

diff --git a/drivers/scsi/qla2xxx/qla_nvme.h b/drivers/scsi/qla2xxx/qla_nvme.h
index d3b8a64401131a67c567626eb1c24c3fb4415b88..2d088add7011985077b58b8813e918a91ebe82a1 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_nvme.h
+++ b/drivers/scsi/qla2xxx/qla_nvme.h
@@ -37,7 +37,6 @@ struct nvme_private {
 };
 
 struct qla_nvme_rport {
-       struct list_head list;
        struct fc_port *fcport;
 };
 

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index e1c82a0a97451ee98d74b505dbe8e37fe62429a2..1a014d633d5fc8ccdd208bc1682c6fdd970a6925 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4789,7 +4789,6 @@ struct scsi_qla_host *qla2x00_create_host(struct scsi_host_template *sht,
        INIT_LIST_HEAD(&vha->plogi_ack_list);
        INIT_LIST_HEAD(&vha->qp_list);
        INIT_LIST_HEAD(&vha->gnl.fcports);
-       INIT_LIST_HEAD(&vha->nvme_rport_list);
        INIT_LIST_HEAD(&vha->gpnid_list);
        INIT_WORK(&vha->iocb_work, qla2x00_iocb_work_fn);