This bug has been copied from bug #567428 and has been proposed to be backported to 5.5 z-stream (EUS).
*** Bug 628583 has been marked as a duplicate of this bug. ***
This fixes the issue described in Bug 628583. A 5.5.z patch, a bit of bz567428 driver update, is needed.
Chad - please post the discrete patch that resolves the defect described in bug 628583, but posted as part of the wholesale 5.6 qla2xxx update in bug 567428, in this bugzilla for 5.5.z.
Created attachment 453533 qla2xxx: Version updated to 8.03.01.05.05.06-k
(In reply to comment #4)
> Chad - please post the discrete patch that resolves the defect described in bug
> 628583, but posted as part of the wholesale 5.6 qla2xxx update in bug 567428,
> in this bugzilla for 5.5.z.
The specific patch from 567428 has been attached. The patch has a few point fixes in it but the one that specifically fixes this issue is "Correct use-after-free issue in terminate_rport_io callback".
Jiri/Don - Does QLogic need anything else to provide for this?
(In reply to comment #6)
> (In reply to comment #4)
> > Chad - please post the discrete patch that resolves the defect described in bug
> > 628583, but posted as part of the wholesale 5.6 qla2xxx update in bug 567428,
> > in this bugzilla for 5.5.z.
>
> The specific patch from 567428 has been attached. The patch has a few point
> fixes in it but the one that specifically fixes this issue is "Correct
> use-after-free issue in terminate_rport_io callback".
Ok, can you please isolate this minimal fixing patch and post it to RHKL under this BZnum? Thanks!
Created attachment 453536 qla2xxx: Correct use-after-free issue in terminate_rport_io callback.
> Ok, can you please isolate this minimal fixing patch and post it to RHKL under
> this BZnum? Thanks!
I've posted the minimal fixing patch.
(In reply to comment #10)
> > Ok, can you please isolate this minimal fixing patch and post it to RHKL under
> > this BZnum? Thanks!
>
> I've posted the minimal fixing patch.
I do not see it anywhere in rhkernel-list.
(In reply to comment #11)
> (In reply to comment #10)
> > > Ok, can you please isolate this minimal fixing patch and post it to RHKL under
> > > this BZnum? Thanks!
> >
> > I've posted the minimal fixing patch.
>
> I do not see it anywhere in rhkernel-list
Jiri, I believe he meant he posted it "here" in the BZ, but will post to rhkl in the morning. Is this too late?
Hi Chad, Andrius - Please post the minimal patch to rhkernel-list for review asap. Jiri needs to start the 5.5.z build tomorrow - the patch needs to be reviewed *today*.
(In reply to comment #13)
> Hi Chad, Andrius -
>
> Please post the minimal patch to rhkernel-list for review asap. Jiri needs to
> start the 5.5.z build tomorrow - the patch needs to be reviewed *today*.
I just posted it for review.
in kernel 2.6.18-194.21.1.el5 linux-2.6-scsi-qla2xxx-correct-use-after-free-issue-in-terminate_rport_io-callback.patch
Chad,
After patching the RHEL 5.5.z host with your fix above (and with Mike Christie's reverted block state patch for resolving the RHEL5 regression bug 632195), I hit another panic due to a NULL pointer dereference at qla24xx_queuecommand:
Unable to handle kernel NULL pointer dereference at 0000000000000060 RIP:
 [<ffffffff880ce477>] :qla2xxx:qla24xx_queuecommand+0x1be/0x1dd
PGD 0
Oops: 0000 [1] SMP
last sysfs file: /class/fc_remote_ports/rport-1:0-1/scsi_target_id
CPU 2
Modules linked in: nfs fscache nfs_acl autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc be2iscsi ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_addr iscsi_tcp bnx2i cnic ipv6 xfrm_
Pid: 433, comm: scsi_wq_0 Not tainted 2.6.18-194.11.1.el5.oct14.unblock.ver3 #1
RIP: 0010:[<ffffffff880ce477>] [<ffffffff880ce477>] :qla2xxx:qla24xx_queuecommand+0x1be/0x1dd
RSP: 0000:ffff81007e0eda50 EFLAGS: 00010002
RAX: 0000000000000002 RBX: ffff8100056ee080 RCX: 0000000000000190
RDX: ffff81007e0d8000 RSI: ffffffff880755a6 RDI: ffff81007e0d8060
RBP: ffff81007e5984f8 R08: 0000000000000286 R09: 0000000000000000
R10: ffff8100056ee140 R11: 0000000000000060 R12: ffff8100056ee080
R13: ffff81007e5984f8 R14: 0000000000000000 R15: ffffffff880755a6
FS: 0000000000000000(0000) GS:ffff81007ff1dec0(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000060 CR3: 0000000030267000 CR4: 00000000000006e0
Process scsi_wq_0 (pid: 433, threadinfo ffff81007e0ec000, task ffff810037c1a100)
Stack: ffff8100763f6048 ffff8100056ee080 ffff81007e598000 0000000000000287
 ffff8100763f6048 ffff810074b94178 ffff8100763f6048 ffffffff88075c61
 ffff810027f8e1d8 ffff8100056ee080 ffff810027f8e000 ffff81007e598000
Call Trace:
 [<ffffffff88075c61>] :scsi_mod:scsi_dispatch_cmd+0x26e/0x2ff
 [<ffffffff8807b260>] :scsi_mod:scsi_request_fn+0x2c1/0x390
 [<ffffffff80144fb3>] blk_execute_rq_nowait+0x86/0x9a
 [<ffffffff80145057>] blk_execute_rq+0x90/0xc0
 [<ffffffff8807aca5>] :scsi_mod:scsi_execute+0xd1/0xea
 [<ffffffff8807ad64>] :scsi_mod:scsi_execute_req+0xa6/0xcf
 [<ffffffff8807c05a>] :scsi_mod:scsi_probe_and_add_lun+0x207/0x9c9
 [<ffffffff8807ad37>] :scsi_mod:scsi_execute_req+0x79/0xcf
 [<ffffffff8807d275>] :scsi_mod:__scsi_scan_target+0x58a/0x5c7
 [<ffffffff8008c78b>] dequeue_task+0x18/0x37
 [<ffffffff8807d55b>] :
Is this a new issue? Do you want me to file a separate bug for this?
> Is this a new issue? Do you want me to file a separate bug for this?
Yes please, the signature of this bug looks completely different. The stack trace indicates that this occurs during LUN scanning.
(In reply to comment #19)
> > Is this a new issue? Do you want me to file a separate bug for this?
>
> Yes please, the signature of this bug looks completely different. The stack
> trace indicates that this occurs during LUN scanning.
Done. Filed bug 644863 for the same.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0839.html
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Kernel panic occurred on a Red Hat Enterprise Linux 5.5 FC host with a QLogic 8G FC adapter (QLE2562) while running IO with target controller faults. With this update, kernel panic no longer occurs in the aforementioned case.