From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
To: linux-scsi <linux-scsi@vger.kernel.org>,
James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 08/31] target: Fix demo-mode MappedLUN shutdown UA/PR breakage
Date: Wed, 9 Feb 2011 15:34:43 -0800 [thread overview]
Message-ID: <1297294506-23579-9-git-send-email-nab@linux-iscsi.org> (raw)
In-Reply-To: <1297294506-23579-1-git-send-email-nab@linux-iscsi.org>
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a bug in core_update_device_list_for_node() where individual
demo-mode generated MappedLUN's UA + Persistent Reservations metadata where being
leaked, instead of falling through and calling existing core_scsi3_ua_release_all()
and core_scsi3_free_pr_reg_from_nacl() at the end of core_update_device_list_for_node().
This bug would manifest itself with the following OOPs w/ TPG demo-mode endpoints
(tfo->tpg_check_demo_mode()=1), and PROUT REGISTER+RESERVE -> explict struct se_session
logout -> struct se_device shutdown:
[ 697.021139] LIO_iblock used greatest stack depth: 2704 bytes left
[ 702.235017] general protection fault: 0000 [#1] SMP
[ 702.235074] last sysfs file: /sys/devices/virtual/net/lo/operstate
[ 704.372695] CPU 0
[ 704.372725] Modules linked in: crc32c target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs sr_mod cdrom sd_mod ata_piix mptspi mptscsih libata mptbase [last unloaded: iscsi_target_mod]
[ 704.375442]
[ 704.375563] Pid: 4964, comm: tcm_node Not tainted 2.6.37+ #1 440BX Desktop Reference Platform/VMware Virtual Platform
[ 704.375912] RIP: 0010:[<ffffffffa00aaa16>] [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.376017] RSP: 0018:ffff88001e5ffcb8 EFLAGS: 00010296
[ 704.376017] RAX: 6d32335b1b0a0d0a RBX: ffff88001d952cb0 RCX: 0000000000000015
[ 704.376017] RDX: ffff88001b428000 RSI: ffff88001da5a4c0 RDI: ffff88001e5ffcd8
[ 704.376017] RBP: ffff88001e5ffd28 R08: ffff88001e5ffcd8 R09: ffff88001d952080
[ 704.377116] R10: ffff88001dfc5480 R11: ffff88001df8abb0 R12: ffff88001d952cb0
[ 704.377319] R13: 0000000000000000 R14: ffff88001df8abb0 R15: ffff88001b428000
[ 704.377521] FS: 00007f033d15c6e0(0000) GS:ffff88001fa00000(0000) knlGS:0000000000000000
[ 704.377861] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 704.378043] CR2: 00007fff09281510 CR3: 000000001e5db000 CR4: 00000000000006f0
[ 704.378110] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 704.378110] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 704.378110] Process tcm_node (pid: 4964, threadinfo ffff88001e5fe000, task ffff88001d99c260)
[ 704.378110] Stack:
[ 704.378110] ffffea0000678980 ffff88001da5a4c0 ffffea0000678980 ffff88001f402b00
[ 704.378110] ffff88001e5ffd08 ffffffff810ea236 ffff88001e5ffd18 0000000000000282
[ 704.379772] ffff88001d952080 ffff88001d952cb0 ffff88001d952cb0 ffff88001dc79010
[ 704.380082] Call Trace:
[ 704.380220] [<ffffffff810ea236>] ? __slab_free+0x89/0x11c
[ 704.380403] [<ffffffffa00ab781>] core_scsi3_free_all_registrations+0x3e/0x157 [target_core_mod]
[ 704.380479] [<ffffffffa00a752b>] se_release_device_for_hba+0xa6/0xd8 [target_core_mod]
[ 704.380479] [<ffffffffa00a7598>] se_free_virtual_device+0x3b/0x45 [target_core_mod]
[ 704.383750] [<ffffffffa00a3177>] target_core_drop_subdev+0x13a/0x18d [target_core_mod]
[ 704.384068] [<ffffffffa00960db>] client_drop_item+0x25/0x31 [configfs]
[ 704.384263] [<ffffffffa00967b5>] configfs_rmdir+0x1a1/0x223 [configfs]
[ 704.384459] [<ffffffff810fa8cd>] vfs_rmdir+0x7e/0xd3
[ 704.384631] [<ffffffff810fc3be>] do_rmdir+0xa3/0xf4
[ 704.384895] [<ffffffff810eed15>] ? filp_close+0x67/0x72
[ 704.386485] [<ffffffff810fc446>] sys_rmdir+0x11/0x13
[ 704.387893] [<ffffffff81002a92>] system_call_fastpath+0x16/0x1b
[ 704.388083] Code: 4c 8d 45 b0 41 56 49 89 d7 41 55 41 89 cd 41 54 b9 15 00 00 00 53 48 89 fb 48 83 ec 48 4c 89 c7 48 89 75 98 48 8b 86 28 01 00 00 <48> 8b 80 90 01 00 00 48 89 45 a0 31 c0 f3 aa c7 45 ac 00 00 00
[ 704.388763] RIP [<ffffffffa00aaa16>] __core_scsi3_complete_pro_release+0x31/0x133 [target_core_mod]
[ 704.389142] RSP <ffff88001e5ffcb8>
[ 704.389572] ---[ end trace 2a3614f3cd6261a5 ]---
Signed-off-by: Nicholas A. Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_device.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index 317ce58..969d727 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -373,11 +373,11 @@ int core_update_device_list_for_node(
/*
* deve->se_lun_acl will be NULL for demo-mode created LUNs
* that have not been explictly concerted to MappedLUNs ->
- * struct se_lun_acl.
+ * struct se_lun_acl, but we remove deve->alua_port_list from
+ * port->sep_alua_list. This also means that active UAs and
+ * NodeACL context specific PR metadata for demo-mode
+ * MappedLUN *deve will be released below..
*/
- if (!(deve->se_lun_acl))
- return 0;
-
spin_lock_bh(&port->sep_alua_lock);
list_del(&deve->alua_port_list);
spin_unlock_bh(&port->sep_alua_lock);
--
1.7.4
next prev parent reply other threads:[~2011-02-09 23:35 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-09 23:34 [PATCH 00/31] target: mainline updates for .38-rc5 Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 01/31] target: iblock/pscsi claim checking for NULL instead of IS_ERR Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 02/31] target: fix dubious one-bit signed bitfield Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 03/31] target/iblock: Fix failed bd claim NULL pointer dereference Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 04/31] target: Fix memory leak on error path Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 05/31] target/file: Fix memory leak in fd_set_configfs_dev_params() Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 06/31] target/iblock: Fix memory leak in iblock_set_configfs_dev_params Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 07/31] target: Fix memory leaks in target_core_dev_pr_store_attr_res_aptpl_metadata Nicholas A. Bellinger
2011-02-09 23:34 ` Nicholas A. Bellinger [this message]
2011-02-09 23:34 ` [PATCH 09/31] target: Release left-over demo-mode NodeACLs w/ tfo->tpg_check_demo_mode_cache()=1 Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 10/31] target: tcm_mod_builder.py generated Makefile cleanups Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 11/31] target: do not include target_core_mib.h under include/target Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 12/31] target: Convert backend ->create_virtdevice() call to return ERR_PTR Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 13/31] target: Drop nacl->device_list_lock on core_update_device_list_for_node failure Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 14/31] target: Convert rd_build_device_space() to use errno Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 15/31] target: Convert TMR REQ/RSP definitions to target namespace Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 16/31] target core v4.0.0-rc7 Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 17/31] target: Avoid mem leak and needless work in transport_generic_get_mem Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 18/31] target: Fix top-level configfs_subsystem default_group shutdown breakage Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 19/31] target: Move core_delete_hba() into ->release() callback Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 20/31] target: Move subdev release logic " Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 21/31] target: Move core_alua_free_lu_gp() " Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 22/31] target: Move core_alua_free_tg_pt_gp() " Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 23/31] target: Move fabric dependent struct se_wwn free " Nicholas A. Bellinger
2011-02-09 23:34 ` [PATCH 24/31] target: Move fabric dependent se_portal_group " Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 25/31] target: Move fabric dependent se_node_acl free into ->release callback() Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 26/31] target: Move fabric dependent struct se_tpg_np free into ->release() callback Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 27/31] target: Move fabric independent se_lun_acl " Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 28/31] target: Remove procfs based target_core_mib.c code Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 29/31] target: Fix SCF_SCSI_CONTROL_SG_IO_CDB breakage Nicholas A. Bellinger
2011-02-09 23:35 ` [PATCH 30/31] target: Fix bogus return in transport_add_device_to_core_hba failure path Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1297294506-23579-9-git-send-email-nab@linux-iscsi.org \
--to=nab@linux-iscsi.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).