releases/3.13.6/qla2xxx-fix-kernel-panic-on-selective-retransmission-request.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6f58c780e5a5b43a6d2121e0d43cdcba1d3cc5fc Mon Sep 17 00:00:00 2001
 From: "Dr. Greg Wettstein" <greg@enjellic.com>
 Date: Mon, 24 Feb 2014 13:59:53 -0600
 Subject: qla2xxx: Fix kernel panic on selective retransmission request

 From: "Dr. Greg Wettstein" <greg@enjellic.com>

 commit 6f58c780e5a5b43a6d2121e0d43cdcba1d3cc5fc upstream.

 A selective retransmission request (SRR) is a fibre-channel
 protocol control request which provides support for requesting
 retransmission of a data sequence in response to an issue such as
 frame loss or corruption.  These events are experienced
 infrequently in fibre-channel based networks which makes
 it difficult to test and assess codepaths which handle these
 events.

 We were fortunate enough, for some definition of fortunate, to
 have a metro-area single-mode SAN link which, at 10 GBPS
 sustained load levels, would consistently generate SRR's in
 a SCST based target implementation using our SCST/in-kernel
 Qlogic target interface driver.  In response to an SRR the
 in-kernel Qlogic target driver immediately panics resulting
 in a catastrophic storage failure for serviced initiators.

 The culprit was a debug statement in the qla_target.c file which
 does not verify that a pointer to the SCSI CDB is not null.
 The unchecked pointer dereference results in the kernel panic
 and resultant system failure.

 The other two references to the SCSI CDB by the SRR handling code
 use a ternary operator to verify a non-null pointer is being
 acted on.  This patch simply adds a similar test to the implicated
 debug statement.

 This patch is a candidate for any stable kernel being maintained
 since it addresses a potentially catastrophic event with
 minimal downside.

 Signed-off-by: Dr. Greg Wettstein <greg@enjellic.com>
 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/scsi/qla2xxx/qla_target.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 --- a/drivers/scsi/qla2xxx/qla_target.c
 +++ b/drivers/scsi/qla2xxx/qla_target.c
 @@ -3186,7 +3186,8 @@ restart:
  		ql_dbg(ql_dbg_tgt_mgt, vha, 0xf02c,
  		    "SRR cmd %p (se_cmd %p, tag %d, op %x), "
  		    "sg_cnt=%d, offset=%d", cmd, &cmd->se_cmd, cmd->tag,
 -		    se_cmd->t_task_cdb[0], cmd->sg_cnt, cmd->offset);
 +		    se_cmd->t_task_cdb ? se_cmd->t_task_cdb[0] : 0,
 +		    cmd->sg_cnt, cmd->offset);

  		qlt_handle_srr(vha, sctio, imm);
	From 6f58c780e5a5b43a6d2121e0d43cdcba1d3cc5fc Mon Sep 17 00:00:00 2001
	From: "Dr. Greg Wettstein" <greg@enjellic.com>
	Date: Mon, 24 Feb 2014 13:59:53 -0600
	Subject: qla2xxx: Fix kernel panic on selective retransmission request

	From: "Dr. Greg Wettstein" <greg@enjellic.com>

	commit 6f58c780e5a5b43a6d2121e0d43cdcba1d3cc5fc upstream.

	A selective retransmission request (SRR) is a fibre-channel
	protocol control request which provides support for requesting
	retransmission of a data sequence in response to an issue such as
	frame loss or corruption. These events are experienced
	infrequently in fibre-channel based networks which makes
	it difficult to test and assess codepaths which handle these
	events.

	We were fortunate enough, for some definition of fortunate, to
	have a metro-area single-mode SAN link which, at 10 GBPS
	sustained load levels, would consistently generate SRR's in
	a SCST based target implementation using our SCST/in-kernel
	Qlogic target interface driver. In response to an SRR the
	in-kernel Qlogic target driver immediately panics resulting
	in a catastrophic storage failure for serviced initiators.

	The culprit was a debug statement in the qla_target.c file which
	does not verify that a pointer to the SCSI CDB is not null.
	The unchecked pointer dereference results in the kernel panic
	and resultant system failure.

	The other two references to the SCSI CDB by the SRR handling code
	use a ternary operator to verify a non-null pointer is being
	acted on. This patch simply adds a similar test to the implicated
	debug statement.

	This patch is a candidate for any stable kernel being maintained
	since it addresses a potentially catastrophic event with
	minimal downside.

	Signed-off-by: Dr. Greg Wettstein <greg@enjellic.com>
	Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/scsi/qla2xxx/qla_target.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	--- a/drivers/scsi/qla2xxx/qla_target.c
	+++ b/drivers/scsi/qla2xxx/qla_target.c
	@@ -3186,7 +3186,8 @@ restart:
	ql_dbg(ql_dbg_tgt_mgt, vha, 0xf02c,
	"SRR cmd %p (se_cmd %p, tag %d, op %x), "
	"sg_cnt=%d, offset=%d", cmd, &cmd->se_cmd, cmd->tag,
	- se_cmd->t_task_cdb[0], cmd->sg_cnt, cmd->offset);
	+ se_cmd->t_task_cdb ? se_cmd->t_task_cdb[0] : 0,
	+ cmd->sg_cnt, cmd->offset);

	qlt_handle_srr(vha, sctio, imm);