From: Roland Dreier <rdreier@cisco.com>
To: Bart Van Assche <bart.vanassche@gmail.com>
Cc: Boaz Harrosh <bharrosh@panasas.com>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
OpenIB <general@lists.openfabrics.org>,
Vladislav Bolkhovitin <vst@vlnb.net>,
linux-scsi <linux-scsi@vger.kernel.org>
Subject: Re: sg_reset can trigger a NULL pointer dereference in the SRP initiator
Date: Fri, 07 Aug 2009 14:14:03 -0700 [thread overview]
Message-ID: <adatz0jcoo4.fsf@cisco.com> (raw)
In-Reply-To: <e2e108260908070131r49dd2d37s8bb36c9365d991e8@mail.gmail.com> (Bart Van Assche's message of "Fri, 7 Aug 2009 10:31:18 +0200")
> A fix like the one below ?
I think this gets us part of the way, but not quite.
> --- linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp-orig.c 2009-08-03
> 12:13:11.000000000 +0200
> +++ linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp.c 2009-08-07
> 10:23:27.000000000 +0200
> @@ -1371,16 +1371,27 @@ out:
> return -1;
> }
>
> +/**
> + * Look up the struct srp_request that has been associated with the specified
> + * SCSI command by srp_queuecommand().
> + *
> + * Returns 0 upon success and -1 upon failure.
> + */
> static int srp_find_req(struct srp_target_port *target,
> struct scsi_cmnd *scmnd,
> struct srp_request **req)
> {
> - if (scmnd->host_scribble == (void *) -1L)
> - return -1;
> + /*
> + * The code below will only work if SRP_RQ_SIZE is a power of two,
> + * so check this first.
> + */
> + BUILD_BUG_ON((SRP_RQ_SIZE ^ (SRP_RQ_SIZE - 1))
> + != (SRP_RQ_SIZE | (SRP_RQ_SIZE - 1)));
could this be BUILD_BUG_ON(!is_power_of_2(SRP_RQ_SIZE)) ?
>
> - *req = &target->req_ring[(long) scmnd->host_scribble];
> + *req = &target->req_ring[(long)scmnd->host_scribble
> + & (SRP_RQ_SIZE - 1)];
>
> - return 0;
> + return (*req)->scmnd == scmnd ? 0 : -1;
> }
>
> static int srp_abort(struct scsi_cmnd *scmnd)
> @@ -1423,8 +1434,15 @@ static int srp_reset_device(struct scsi_
>
> if (target->qp_in_error)
> return FAILED;
> - if (srp_find_req(target, scmnd, &req))
> - return FAILED;
> + if (srp_find_req(target, scmnd, &req)) {
> + /*
> + * scmnd has not yet been queued -- queue it now. This can
> + * happen e.g. when a SG_SCSI_RESET ioctl has been issued.
> + */
> + if (srp_queuecommand(scmnd, scmnd->scsi_done)
> + || srp_find_req(target, scmnd, &req))
> + return FAILED;
I don't think we can just pass the command to srp_queuecommand() here.
For one thing queuecommand requires some locking, and second, we don't
actually want to queue the command -- in fact I'm not sure it is set up
properly with an opcode etc to execute the command.
What I think needs to happen is we need to allocate a request for the
command the same way srp_queuecommand() does, and in fact maybe that
code could be factored out to avoid duplication.
-R .
prev parent reply other threads:[~2009-08-07 21:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-06 7:39 sg_reset can trigger a NULL pointer dereference in the SRP initiator Bart Van Assche
2009-08-06 8:30 ` Boaz Harrosh
2009-08-06 15:38 ` [ofa-general] " Bart Van Assche
2009-08-06 15:43 ` James Bottomley
2009-08-06 17:41 ` [ofa-general] " Roland Dreier
2009-08-07 8:31 ` Bart Van Assche
2009-08-07 21:14 ` Roland Dreier [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adatz0jcoo4.fsf@cisco.com \
--to=rdreier@cisco.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=bart.vanassche@gmail.com \
--cc=bharrosh@panasas.com \
--cc=general@lists.openfabrics.org \
--cc=hal.rosenstock@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=sean.hefty@intel.com \
--cc=vst@vlnb.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.