From patchwork Wed May 2 15:56:28 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Garry X-Patchwork-Id: 134849 Delivered-To: patch@linaro.org Received: by 10.46.151.6 with SMTP id r6csp849504lji; Wed, 2 May 2018 09:00:38 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoMsE1aDXZuv8YmMwcBxzOavGucik7jlt7re9TNw/ttA36D+Ja440xXo33xw3DlBCokVmg2 X-Received: by 2002:a63:87c6:: with SMTP id i189-v6mr16183781pge.2.1525276838752; Wed, 02 May 2018 09:00:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525276838; cv=none; d=google.com; s=arc-20160816; b=jOGTSa9EMG3UuTo+s8P/xSezfJSPy0L3MNo+wlPh9TY+MtxY3OPv05Tr75natySzHB CpY5A+Gz2RmaYU3eDG1WLzpEfuPf4QR1CdaYtTFhpuoEuJrbpKZiX5XgvQlkCzXUM6JQ wzlBzcSRj+yddlU5qqA+KuCDDFRO28tSpi6ZIGKudnnh/OhTvEbE2VM3xwp+WWouKAti oSi3BEnWtwRV+27R1bzFLqkmHzTu4ja3HA4jxwBht0Kg4SoypHhHZCMdYRAhWJ/dq0lP jjNAja/ZFHS1zhZ7pK0vxe1sMZycSXJRhm8N3xOiapJOtC9x7TRt9GK0ao5hAIX0b4hA rhCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:arc-authentication-results; bh=rpYHG5/pw6ZwNTmVsSQo4ahbCeJQWSeQd4g3HM4V1Yc=; b=yk/huLWYxfzagl98I650mt3xxGH5amD1BfVmJWflo1gYoI/0ZnSPsztLgZSAicgOIi huP+/FZPNZRbAMriIxpMq6v7Ye5XTWCKMhLuVf31bCwuFMmvjYvFv8l+gFP3/nV4619q dC/gGewNzYDAadFNWonwCGAxj85YTzbjIqpzSd4CzX6zwDK4r9lL9yqkX2tWRglzkINo up6w16QbXSq7TRAZroUVot2HE3YfoV8CYJzcoFmuZNQQIBQrUcYEQ60b54wqHP8oGkLw 1hfz/2f4CCgViISfYEvn0Pu7hfHTU8ujB4VBGzhWUe9AqrI0Hb7E8tEa7pp3q4DmO2j3 2Dqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g72si9401876pfb.280.2018.05.02.09.00.38; Wed, 02 May 2018 09:00:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752324AbeEBQAe (ORCPT + 29 others); Wed, 2 May 2018 12:00:34 -0400 Received: from szxga06-in.huawei.com ([45.249.212.32]:54538 "EHLO huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1751637AbeEBP52 (ORCPT ); Wed, 2 May 2018 11:57:28 -0400 Received: from DGGEMS403-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id D0F3AD342A90E; Wed, 2 May 2018 23:57:23 +0800 (CST) Received: from localhost.localdomain (10.67.212.75) by DGGEMS403-HUB.china.huawei.com (10.3.19.203) with Microsoft SMTP Server id 14.3.361.1; Wed, 2 May 2018 23:57:17 +0800 From: John Garry To: , CC: , , , Xiang Chen , "John Garry" Subject: [PATCH 05/11] scsi: hisi_sas: check sas_dev gone earlier in hisi_sas_abort_task() Date: Wed, 2 May 2018 23:56:28 +0800 Message-ID: <1525276594-92173-6-git-send-email-john.garry@huawei.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1525276594-92173-1-git-send-email-john.garry@huawei.com> References: <1525276594-92173-1-git-send-email-john.garry@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.67.212.75] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiang Chen It is possible to dereference a NULL-pointer in hisi_sas_abort_task() in special scenario when the device has been removed. If an SMP task times-out, it will call hisi_sas_abort_task() to recover. And currently there is a check in hisi_sas_abort_task() to avoid the situation of processing the abort for the removed device. However we have an ordering problem, in that we may reference a task for the removed device before checking if the device has been removed. Fix this by only referencing the sas_dev after we know it is still present. Signed-off-by: Xiang Chen Signed-off-by: John Garry --- drivers/scsi/hisi_sas/hisi_sas_main.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) -- 1.9.1 diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c index 8f8e642..24416bb 100644 --- a/drivers/scsi/hisi_sas/hisi_sas_main.c +++ b/drivers/scsi/hisi_sas/hisi_sas_main.c @@ -1166,15 +1166,16 @@ static int hisi_sas_abort_task(struct sas_task *task) struct hisi_sas_tmf_task tmf_task; struct domain_device *device = task->dev; struct hisi_sas_device *sas_dev = device->lldd_dev; - struct hisi_hba *hisi_hba = dev_to_hisi_hba(task->dev); - struct device *dev = hisi_hba->dev; + struct hisi_hba *hisi_hba; + struct device *dev; int rc = TMF_RESP_FUNC_FAILED; unsigned long flags; - if (!sas_dev) { - dev_warn(dev, "Device has been removed\n"); + if (!sas_dev) return TMF_RESP_FUNC_FAILED; - } + + hisi_hba = dev_to_hisi_hba(task->dev); + dev = hisi_hba->dev; spin_lock_irqsave(&task->task_state_lock, flags); if (task->task_state_flags & SAS_TASK_STATE_DONE) {