Bug 234896

Summary: [Emulex 5.2 bug] NULL pointer dereference while unloading driver
Product: Red Hat Enterprise Linux 5
Reporter: Bino J Sebastian <bino.sebastian>
Component: kernel
Assignee: Chip Coldwell <coldwell>
Status: CLOSED NOTABUG
QA Contact: Martin Jenner <mjenner>
Severity: high
Docs Contact:
Priority: medium
Version: 5.0
CC: andriusb, coughlan, james.smart, laurie.barry
Target Milestone: ---
Keywords: OtherQA
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-17 16:45:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 217217, 425461

Description Bino J Sebastian 2007-04-02 19:20:55 UTC
Description of problem:
Run modprobe lpfc ; rmmod lpfc in a loop for an overnight
run. This caused the following crash in the SCSI midlayer.
=====================
Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
 [<ffffffff801a3ee7>] make_class_name+0x30/0x7c
PGD 1b32c9067 PUD 1b3152067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /class/scsi_generic/sg89/dev
CPU 1
Modules linked in: lpfc(U) autofs4 hidp rfcomm l2cap bluetooth sunrpc video sbs
i2c_ec button battery asus_acpi acpi_memhotplug ac ipv6 parport_pc lp parport
shpchp amd_rng i2c_amd756 i2c_core ide_cd cdrom floppy k8_edac pcspkr edac_mc
serio_raw tg3 sg dm_snapshot dm_zero dm_mirror dm_mod scsi_transport_fc cciss sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Pid: 4681, comm: rmmod Not tainted 2.6.18-8.el5 #1
RIP: 0010:[<ffffffff801a3ee7>]  [<ffffffff801a3ee7>] make_class_name+0x30/0x7c
RSP: 0018:ffff8101b7573d28  EFLAGS: 00010246
RAX: ffffffff88097d00 RBX: fffffffffffffff4 RCX: ffffffffffffffff
RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000
RBP: ffffffff880884e0 R08: ffffffffffffffff R09: 0000000000000000
R10: ffffffff8040cde0 R11: ffffffff8807c088 R12: ffff8101b9224360
R13: ffffffff88097d60 R14: 0000000000000000 R15: 0000000000000000
FS:  00002aaaaaad1240(0000) GS:ffff81023ff3e7c0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 00000001b16be000 CR4: 00000000000006e0
Process rmmod (pid: 4681, threadinfo ffff8101b7572000, task ffff8101b2cfd7a0)
Stack:  ffff8101b9224350 ffffffff88097e50 ffff8101b9224360 ffff8101b9224350
 ffffffff88097e50 ffffffff801a4149 ffffffff80301930 ffff8101b9224350
 ffff8101b92240e8 0000000000000246 ffff81023f888000 00007fff99aa7700
Call Trace:
 [<ffffffff801a4149>] class_device_del+0xb2/0x18f
 [<ffffffff801a422f>] class_device_unregister+0x9/0x12
 [<ffffffff8807ca6f>] :scsi_mod:__scsi_remove_device+0x2a/0x78
 [<ffffffff8807a75e>] :scsi_mod:scsi_forget_host+0x39/0x5c
 [<ffffffff880756c1>] :scsi_mod:scsi_remove_host+0x75/0xfc
 [<ffffffff880eb023>] :lpfc:lpfc_pci_remove_one+0x7f/0x1fd
 [<ffffffff80257474>] klist_release+0x0/0x45
 [<ffffffff80145b89>] pci_device_remove+0x24/0x3a
 [<ffffffff801a359b>] __device_release_driver+0x75/0x91
 [<ffffffff801a3905>] driver_detach+0xad/0x101
 [<ffffffff801a2c2f>] bus_remove_driver+0x6d/0x90
 [<ffffffff801a398c>] driver_unregister+0xd/0x16
 [<ffffffff80145e23>] pci_unregister_driver+0x10/0x5f
 [<ffffffff880f94e0>] :lpfc:lpfc_exit+0x10/0x22
 [<ffffffff800a0f16>] sys_delete_module+0x196/0x1c5
 [<ffffffff8005b2c1>] tracesys+0xd1/0xdc


Code: f2 ae 48 f7 d1 01 f1 be d0 00 00 00 48 63 f9 e8 21 85 f2 ff
RIP  [<ffffffff801a3ee7>] make_class_name+0x30/0x7c
 RSP <ffff8101b7573d28>


Version-Release number of selected component (if applicable):
2.6.18-8.el5

How reproducible:
Run modprobe lpfc ; rmmod lpfc in a loop.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
System caused a NULL pointer dereference.

Expected results:
Complete a 24 hour run with no NULL pointer dereference.

Additional info:
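
The oops above faults inside make_class_name, called from class_device_del while the SCSI device is being removed during rmmod. The Code: bytes at the faulting RIP (f2 ae = repne scasb, followed by not rcx) are the compiler's inlined strlen() idiom, and RDI (the string pointer) is zero, so the fault is strlen() on a NULL name pointer while the "<class>:<kobject>" link name is being rebuilt for removal. The following user-space C model is an added illustration, not code from this report, from the kernel, or from the lpfc driver: struct and function names (model_class, model_classdev, build_class_name_unchecked, build_class_name_checked, teardown_rc) are hypothetical, and the class and kobject name strings are constructed samples. It shows the unchecked sizing computation beside a checked variant, and why a pointer check alone only turns the oops into an error return rather than fixing the teardown-ordering problem the later comments point at.

```c
/* Added illustration, not code from the bug report or from the kernel.
 * A user-space model of the "<class>:<kobject>" link-name construction that
 * faulted in the oops above.  All struct and function names here are
 * hypothetical; the class/kobject name strings are constructed samples. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_class {
    const char *name;           /* constructed sample: "scsi_device" */
};

struct model_classdev {
    struct model_class *class;  /* pointer the faulting path followed to get a name */
    const char *kobj_name;      /* constructed sample: "4:0:0:0" */
};

/* Unchecked builder: the same strlen() + strlen() + 2 sizing that the Code
 * bytes in the oops decode to (repne scasb is the inlined strlen).  Passing a
 * NULL class_name here is the strlen(NULL) fault the report shows (RDI = 0). */
char *build_class_name_unchecked(const char *class_name, const char *kobj_name)
{
    size_t size = strlen(class_name) + strlen(kobj_name) + 2; /* "a:b" + NUL */
    char *out = malloc(size);
    if (!out)
        return NULL;
    snprintf(out, size, "%s:%s", class_name, kobj_name);
    return out;
}

/* Checked builder: validate every pointer the name depends on before use.
 * This converts an oops into an error return; it does not repair the
 * lifetime problem that left the class pointer bad in the first place. */
int build_class_name_checked(const struct model_classdev *cd, char **out)
{
    *out = NULL;
    if (!cd || !cd->class || !cd->class->name || !cd->kobj_name)
        return -EINVAL;
    *out = build_class_name_unchecked(cd->class->name, cd->kobj_name);
    return *out ? 0 : -ENOMEM;
}

/* Model of the unload ordering: when the class is torn down before the class
 * device that still references it, the device's class pointer is no longer
 * valid (represented here by NULL) when the link name is rebuilt for removal. */
int teardown_rc(int class_torn_down_first, char **name)
{
    struct model_class cls = { .name = "scsi_device" };
    struct model_classdev cd = { .class = &cls, .kobj_name = "4:0:0:0" };

    if (class_torn_down_first)
        cd.class = NULL;    /* stand-in for a stale/freed class reference */

    return build_class_name_checked(&cd, name);
}

/* Return code only, for callers that do not need the name. */
int teardown_rc_only(int class_torn_down_first)
{
    char *name = NULL;
    int rc = teardown_rc(class_torn_down_first, &name);
    free(name);
    return rc;
}

/* Returns 1 when the produced name equals 'expected', 0 otherwise. */
int teardown_name_matches(int class_torn_down_first, const char *expected)
{
    char *name = NULL;
    int rc = teardown_rc(class_torn_down_first, &name);
    int match = (rc == 0 && name && strcmp(name, expected) == 0);
    free(name);
    return match;
}

int main(void)
{
    char *name = NULL;
    int rc = teardown_rc(0, &name);
    printf("device removed before class: rc=%d name=%s\n", rc, name ? name : "(none)");
    free(name);
    rc = teardown_rc(1, &name);
    printf("class gone first: rc=%d -> %s\n", rc,
           rc == -EINVAL ? "refused instead of faulting" : "unexpected");
    return 0;
}
```

Build with a plain C compiler (for example cc -Wall model.c) and run it. The checked path is the kind of guard that stops the oops from being reachable, but, as the later comments note, the actual defect is the order in which objects are torn down at unload; a guard of this shape is a workaround, not a root-cause fix.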

Comment 1 Andrius Benokraitis 2007-08-16 18:29:49 UTC
This has been proposed for RHEL 5.2 inclusion.

Comment 2 RHEL Program Management 2007-10-30 20:36:07 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Chip Coldwell 2007-12-17 14:06:29 UTC
Is this issue fixed by the update to lpfc version 8.2.0.8 (bug 252989)?

Chip


Comment 5 Bino J Sebastian 2007-12-17 14:17:01 UTC
Bug 252989 is not related to this issue.
This issue looks like a use after free in the SCSI midlayer or transport layer.


Comment 6 James Smart 2007-12-17 15:31:21 UTC
Regarding the midlayer reuse-after-free comment:  Refer to bugzilla 214228,
specifically comment #7, which highlights that the choice was not to fix the
root cause, but rather work around it. Due to this, there are still conditions
where it can be hit, and unloading the driver is one of them.

Comment 7 Chip Coldwell 2007-12-17 16:45:55 UTC
(In reply to comment #6)
> Regarding the midlayer reuse-after-free comment:  Refer to bugzilla 214228,
> specifically comment #7, which highlights that the choice was not to fix the
> root cause, but rather work around it. Due to this, there are still conditions
> where it can be hit, and unloading the driver is one of them.

I see.  Then it looks like this bug should be closed as either CANTFIX or
WONTFIX, or as a duplicate of 214228.

Chip


Comment 8 Chip Coldwell 2007-12-17 17:06:05 UTC
Oh, it's already closed -- NOTABUG.  Sorry for the noise.

Chip