| Message ID | 20220725072703.5562-1-xi.fengfei@h3c.com |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: mpt3sas: fix kernel panic in scsih_qcmd after shutdown/unload | expand |
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c index b519f4b59..d8994eaec 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -5140,7 +5140,8 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd) scsi_print_command(scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { scmd->result = DID_NO_CONNECT << 16; scsi_done(scmd); return 0;
We encountered a kernel crash problem after the user performed a shutdown operation. By analyzing the vmcore file, it is confirmed that it is scsih_qcmd called memset to access ioc->request resources that have been released in shutdown/module unload path. crash> struct MPT3SAS_ADAPTER 0xffff00ff85806880 struct MPT3SAS_ADAPTER { list = { next = 0xffff800008eb8038 <mpt3sas_ioc_list>, prev = 0xffff800008eb8038 <mpt3sas_ioc_list> }, ... name = "mpt3sas_cm0\000\000\000\000\000\000\000\ ... remove_host = 1 '\001', ... request_sz = 128, request = 0x0, ... sense = 0x0, The SCSI queuecommand handlers(scsih_qcmd) may be invoked after shutdown/unload, depending on other components. So we should add checks for 'ioc->remove_host' in scsih_qcmd, so not to access pointers/resources potentially freed in the PCI shutdown/module unload path. Just like the following commit: 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 scsi: mpt3sas: fix oops in error handlers after shutdown/unload Signed-off-by: Fengfei Xi <xi.fengfei@h3c.com> --- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)