• Quinn Tran's avatar
    scsi: qla2xxx: Fix unintialized List head crash · e3dde080
    Quinn Tran authored
    In case of IOCB Queue full or system where memory is low and driver
    receives large number of RSCN storm, the stale sp pointer can stay on
    gpnid_list resulting in page_fault.
    
    This patch fixes this issue by initializing the sp->elem list head and
    removing sp->elem before memory is freed.
    
    Following stack trace is seen
    
     9 [ffff987b37d1bc60] page_fault at ffffffffad516768 [exception RIP: qla24xx_async_gpnid+496]
    10 [ffff987b37d1bd10] qla24xx_async_gpnid at ffffffffc039866d [qla2xxx]
    11 [ffff987b37d1bd80] qla2x00_do_work at ffffffffc036169c [qla2xxx]
    12 [ffff987b37d1be38] qla2x00_do_dpc_all_vps at ffffffffc03adfed [qla2xxx]
    13 [ffff987b37d1be78] qla2x00_do_dpc at ffffffffc036458a [qla2xxx]
    14 [ffff987b37d1bec8] kthread at ffffffffacebae31
    
    Fixes: 2d73ac61 ("scsi: qla2xxx: Serialize GPNID for multiple RSCN")
    Cc: <stable@vger.kernel.org> # v4.17+
    Signed-off-by: default avatarQuinn Tran <quinn.tran@cavium.com>
    Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
    Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    e3dde080
qla_inline.h 8.08 KB