diff options
| author | Eddie Wai <eddie.wai@broadcom.com> | 2011-12-07 01:41:21 -0500 |
|---|---|---|
| committer | James Bottomley <JBottomley@Parallels.com> | 2011-12-14 08:05:23 -0500 |
| commit | a878185c3b93e692ace0d1628a47f3d75504ab4f (patch) | |
| tree | c061bbc691ada3711e64331b911b0776b8b22ad4 /drivers/scsi/bnx2i | |
| parent | ff1d0319ac6a5fd859884b30c0a3cb6733b8fb2d (diff) | |
[SCSI] bnx2i: Fixed kernel panic caused by unprotected task->sc->request deref
During session recovery, the conn_stop call will trigger a flush
to all outstanding SCSI cmds in the xmit queue. This will set
all outstanding task->sc to NULL prior to the session_teardown
call which frees the task memory.
In the bnx2i SCSI response processing path, only the task was being checked
for NULL under the session lock before the task->sc->request dereferencing.
If there are outstanding SCSI cmd responses pending for process, the
following kernel panic can be exposed where task->sc was found to be NULL.
Call Trace:
[ 69.720205] [<ffffffffa040d0d0>] bnx2i_process_new_cqes+0x290/0x3c0 [bnx2i]
[ 69.804289] [<ffffffffa040d233>] bnx2i_fastpath_notification+0x33/0xa0 [bnx2
i]
[ 69.891490] [<ffffffffa040d37b>] bnx2i_indicate_kcqe+0xdb/0x330 [bnx2i]
[ 69.971427] [<ffffffffa03eac5e>] service_kcqes+0x16e/0x1d0 [cnic]
[ 70.045132] [<ffffffffa03eacea>] cnic_service_bnx2x_kcq+0x2a/0x50 [cnic]
[ 70.126105] [<ffffffffa03ead53>] cnic_service_bnx2x_bh+0x43/0x140 [cnic]
[ 70.207081] [<ffffffff81060676>] tasklet_action+0x66/0x110
[ 70.273521] [<ffffffff8106025f>] __do_softirq+0xef/0x220
[ 70.337887] [<ffffffff81447ebc>] call_softirq+0x1c/0x30
This patch adds the !task->sc check and also protects the sc dereferencing
under the session lock.
Signed-off-by: Eddie Wai <eddie.wai@broadcom.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Diffstat (limited to 'drivers/scsi/bnx2i')
| -rw-r--r-- | drivers/scsi/bnx2i/bnx2i_hwi.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c index dba72a4e6a1c..1ad0b8225560 100644 --- a/drivers/scsi/bnx2i/bnx2i_hwi.c +++ b/drivers/scsi/bnx2i/bnx2i_hwi.c | |||
| @@ -1906,18 +1906,19 @@ static int bnx2i_queue_scsi_cmd_resp(struct iscsi_session *session, | |||
| 1906 | spin_lock(&session->lock); | 1906 | spin_lock(&session->lock); |
| 1907 | task = iscsi_itt_to_task(bnx2i_conn->cls_conn->dd_data, | 1907 | task = iscsi_itt_to_task(bnx2i_conn->cls_conn->dd_data, |
| 1908 | cqe->itt & ISCSI_CMD_RESPONSE_INDEX); | 1908 | cqe->itt & ISCSI_CMD_RESPONSE_INDEX); |
| 1909 | if (!task) { | 1909 | if (!task || !task->sc) { |
| 1910 | spin_unlock(&session->lock); | 1910 | spin_unlock(&session->lock); |
| 1911 | return -EINVAL; | 1911 | return -EINVAL; |
| 1912 | } | 1912 | } |
| 1913 | sc = task->sc; | 1913 | sc = task->sc; |
| 1914 | spin_unlock(&session->lock); | ||
| 1915 | 1914 | ||
| 1916 | if (!blk_rq_cpu_valid(sc->request)) | 1915 | if (!blk_rq_cpu_valid(sc->request)) |
| 1917 | cpu = smp_processor_id(); | 1916 | cpu = smp_processor_id(); |
| 1918 | else | 1917 | else |
| 1919 | cpu = sc->request->cpu; | 1918 | cpu = sc->request->cpu; |
| 1920 | 1919 | ||
| 1920 | spin_unlock(&session->lock); | ||
| 1921 | |||
| 1921 | p = &per_cpu(bnx2i_percpu, cpu); | 1922 | p = &per_cpu(bnx2i_percpu, cpu); |
| 1922 | spin_lock(&p->p_work_lock); | 1923 | spin_lock(&p->p_work_lock); |
| 1923 | if (unlikely(!p->iothread)) { | 1924 | if (unlikely(!p->iothread)) { |