scsi: lpfc: fix pci hot plug crash in list_add call

Orabug: 27631736

During pci hot plug, the kernel crashes in a list_add_call

The lookup by tag function will return null if the IOCB is out of range
or does not have the on txcmplq flag set.

Fix: Check for null return from lookup by tag.

Cc: <stable@vger.kernel.org> # 4.12+
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <james.smart@broadcom.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 401bb4169da655f3e5d28d0b208182e1ab60bf2a)
Signed-off-by: Dick dkennedy <dick.kennedy@broadcom.com>
Signed-off-by: Dan Duval <dan.duval@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>

diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index bbfbc8370553c93e40891dd0c3a50a5d5d9c701b..d3322431f9807a175563bd450ac3d80f66912b2c 100644 (file)
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -11805,19 +11805,21 @@ lpfc_sli4_els_wcqe_to_rspiocbq(struct lpfc_hba *phba,
        /* Look up the ELS command IOCB and create pseudo response IOCB */
        cmdiocbq = lpfc_sli_iocbq_lookup_by_tag(phba, pring,
                                bf_get(lpfc_wcqe_c_request_tag, wcqe));
-       /* Put the iocb back on the txcmplq */
-       lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq);
-       spin_unlock_irqrestore(&pring->ring_lock, iflags);
-
        if (unlikely(!cmdiocbq)) {
+               spin_unlock_irqrestore(&pring->ring_lock, iflags);
                lpfc_printf_log(phba, KERN_WARNING, LOG_SLI,
                                "0386 ELS complete with no corresponding "
-                               "cmdiocb: iotag (%d)\n",
-                               bf_get(lpfc_wcqe_c_request_tag, wcqe));
+                               "cmdiocb: 0x%x 0x%x 0x%x 0x%x\n",
+                               wcqe->word0, wcqe->total_data_placed,
+                               wcqe->parameter, wcqe->word3);
                lpfc_sli_release_iocbq(phba, irspiocbq);
                return NULL;
        }
 
+       /* Put the iocb back on the txcmplq */
+       lpfc_sli_ringtxcmpl_put(phba, pring, cmdiocbq);
+       spin_unlock_irqrestore(&pring->ring_lock, iflags);
+
        /* Fake the irspiocbq and copy necessary response information */
        lpfc_sli4_iocb_param_transfer(phba, irspiocbq, cmdiocbq, wcqe);
 
@@ -15779,7 +15781,8 @@ exit:
        if (pcmd && pcmd->virt)
                pci_pool_free(phba->lpfc_drb_pool, pcmd->virt, pcmd->phys);
        kfree(pcmd);
-       lpfc_sli_release_iocbq(phba, iocbq);
+       if (iocbq)
+               lpfc_sli_release_iocbq(phba, iocbq);
        lpfc_in_buf_free(phba, &dmabuf->dbuf);
 }