* [PATCH-v4.1.y] target: Fix v4.1 UNIT_ATTENTION se_node_acl->device_list[] NULL pointer
@ 2015-09-23 7:49 Nicholas A. Bellinger
From: Nicholas A. Bellinger @ 2015-09-23 7:49 UTC
To: target-devel; +Cc: stable, Greg-KH, Nicholas Bellinger, Alex Gorbachev
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a v4.1 only regression bug as reported by Martin
where UNIT_ATTENTION checking for pre v4.2-rc1 RCU conversion code
legacy se_node_acl->device_list[] was hitting a NULL pointer
dereference in:
[ 1858.639654] CPU: 2 PID: 1293 Comm: kworker/2:1 Tainted: G I 4.1.6-fixxcopy+ #1
[ 1858.639699] Hardware name: Dell Inc. PowerEdge R410/0N83VF, BIOS 1.11.0 07/20/2012
[ 1858.639747] Workqueue: xcopy_wq target_xcopy_do_work [target_core_mod]
[ 1858.639782] task: ffff880036f0cbe0 ti: ffff880317940000 task.ti: ffff880317940000
[ 1858.639822] RIP: 0010:[<ffffffffa01d3774>] [<ffffffffa01d3774>] target_scsi3_ua_check+0x24/0x60 [target_core_mod]
[ 1858.639884] RSP: 0018:ffff880317943ce0 EFLAGS: 00010282
[ 1858.639913] RAX: 0000000000000000 RBX: ffff880317943dc0 RCX: 0000000000000000
[ 1858.639950] RDX: 0000000000000000 RSI: ffff880317943dd0 RDI: ffff88030eaee408
[ 1858.639987] RBP: ffff88030eaee408 R08: 0000000000000001 R09: 0000000000000001
[ 1858.640025] R10: 0000000000000000 R11: 00000000000706e0 R12: ffff880315e0a000
[ 1858.640062] R13: ffff88030eaee408 R14: 0000000000000001 R15: ffff88030eaee408
[ 1858.640100] FS: 0000000000000000(0000) GS:ffff880322e80000(0000) knlGS:0000000000000000
[ 1858.640143] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1858.640173] CR2: 0000000000000000 CR3: 000000000180d000 CR4: 00000000000006e0
[ 1858.640210] Stack:
[ 1858.640223] ffffffffa01cadfa ffff88030eaee400 ffff880318e7c340 ffff880315e0a000
[ 1858.640267] ffffffffa01d8c25 ffff8800cae809e0 0000000000000400 0000000000000400
[ 1858.640310] ffff880318e7c3d0 0000000006b75800 0000000000080000 ffff88030eaee400
[ 1858.640354] Call Trace:
[ 1858.640379] [<ffffffffa01cadfa>] ? target_setup_cmd_from_cdb+0x13a/0x2c0 [target_core_mod]
[ 1858.640429] [<ffffffffa01d8c25>] ? target_xcopy_setup_pt_cmd+0x85/0x320 [target_core_mod]
[ 1858.640479] [<ffffffffa01d9424>] ? target_xcopy_do_work+0x264/0x700 [target_core_mod]
[ 1858.640526] [<ffffffff810ac3a0>] ? pick_next_task_fair+0x720/0x8f0
[ 1858.640562] [<ffffffff8108b3fb>] ? process_one_work+0x14b/0x430
[ 1858.640595] [<ffffffff8108bf5b>] ? worker_thread+0x6b/0x560
[ 1858.640627] [<ffffffff8108bef0>] ? rescuer_thread+0x390/0x390
[ 1858.640661] [<ffffffff810913b3>] ? kthread+0xd3/0xf0
[ 1858.640689] [<ffffffff810912e0>] ? kthread_create_on_node+0x180/0x180
Also, check for the same se_node_acl->device_list[] during EXTENDED_COPY
operation as a non-holding persistent reservation port.
Reported-by: Martin Svec <martin,svec@zoner.cz>
Tested-by: Martin Svec <martin,svec@zoner.cz>
Cc: Martin Svec <martin,svec@zoner.cz>
Cc: Alex Gorbachev <ag@iss-integration.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
drivers/target/target_core_pr.c | 3 +++
drivers/target/target_core_ua.c | 8 ++++----
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index a15411c..08aa7cc 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -328,6 +328,9 @@ static int core_scsi3_pr_seq_non_holder(
int legacy = 0; /* Act like a legacy device and return
* RESERVATION CONFLICT on some CDBs */
+ if (!se_sess->se_node_acl->device_list)
+ return;
+
se_deve = se_sess->se_node_acl->device_list[cmd->orig_fe_lun];
/*
* Determine if the registration should be ignored due to
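Review bot: the early exit added to core_scsi3_pr_seq_non_holder() is a bare "return;", but the hunk header shows the function is declared "static int", so the caller gets an indeterminate value and the compiler will warn about a return with no value in a non-void function. Return an explicit int here, chosen deliberately for what callers should do with the command when no device list exists. The new test also dereferences se_sess->se_node_acl without checking it, whereas the target_core_ua.c hunks test "!nacl" first; if se_node_acl can be NULL on this path, the same guard is needed.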
diff --git a/drivers/target/target_core_ua.c b/drivers/target/target_core_ua.c
index 1738b16..9fc33e8 100644
--- a/drivers/target/target_core_ua.c
+++ b/drivers/target/target_core_ua.c
@@ -48,7 +48,7 @@ target_scsi3_ua_check(struct se_cmd *cmd)
return 0;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return 0;
deve = nacl->device_list[cmd->orig_fe_lun];
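Review bot: the new "!nacl->device_list" test in target_scsi3_ua_check() carries no comment saying when a node ACL exists without a device_list. The commit message and call trace point at the EXTENDED_COPY workqueue path (target_xcopy_do_work, target_xcopy_setup_pt_cmd, target_setup_cmd_from_cdb); a one-line comment naming that case above the check would keep a later cleanup from dropping it as dead code. Returning 0 here presumably reports that no unit attention is pending for such commands, which is worth stating in the same comment.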
@@ -90,7 +90,7 @@ int core_scsi3_ua_allocate(
/*
* PASSTHROUGH OPS
*/
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return -EINVAL;
ua = kmem_cache_zalloc(se_ua_cache, GFP_ATOMIC);
@@ -208,7 +208,7 @@ void core_scsi3_ua_for_check_condition(
return;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return;
spin_lock_irq(&nacl->device_list_lock);
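Review bot: in core_scsi3_ua_for_check_condition() the nacl->device_list pointer is tested before "spin_lock_irq(&nacl->device_list_lock);" is taken. If device_list can be set or cleared while the session is live, the test belongs under the lock; if it is fixed for the lifetime of the node ACL, a short comment saying so would justify the unlocked read. The same question applies to core_scsi3_ua_clear_for_request_sense().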
@@ -276,7 +276,7 @@ int core_scsi3_ua_clear_for_request_sense(
return -EINVAL;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return -EINVAL;
spin_lock_irq(&nacl->device_list_lock);
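Review bot: this is the fourth copy of "!nacl || !nacl->device_list" in target_core_ua.c, and target_core_pr.c open-codes a fifth variant. A small static inline helper that takes the session and returns the device list or NULL would keep the guards from drifting apart, which has already happened in the target_core_pr.c hunk, where the "!nacl" half is missing.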
--
1.8.5.3
* Patch "target: Fix v4.1 UNIT_ATTENTION se_node_acl->device_list[] NULL pointer" has been added to the 4.1-stable tree
@ 2015-10-13 18:36 ` gregkh
From: gregkh @ 2015-10-13 18:36 UTC
To: nab, ag, gregkh, svec, stable, target-devel; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
target: Fix v4.1 UNIT_ATTENTION se_node_acl->device_list[] NULL pointer
to the 4.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
target-fix-v4.1-unit_attention-se_node_acl-device_list-null-pointer.patch
and it can be found in the queue-4.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From nab@linux-iscsi.org Tue Oct 13 11:33:46 2015
From: "Nicholas A. Bellinger" <nab@linux-iscsi.org>
Date: Wed, 23 Sep 2015 07:49:26 +0000
Subject: target: Fix v4.1 UNIT_ATTENTION se_node_acl->device_list[] NULL pointer
To: target-devel <target-devel@vger.kernel.org>
Cc: stable <stable@vger.kernel.org>, Greg-KH <gregkh@linuxfoundation.org>, Nicholas Bellinger <nab@linux-iscsi.org>, Alex Gorbachev <ag@iss-integration.com>
Message-ID: <1442994566-32287-1-git-send-email-nab@linux-iscsi.org>
From: Nicholas Bellinger <nab@linux-iscsi.org>
This patch fixes a v4.1 only regression bug as reported by Martin
where UNIT_ATTENTION checking for pre v4.2-rc1 RCU conversion code
legacy se_node_acl->device_list[] was hitting a NULL pointer
dereference in:
[ 1858.639654] CPU: 2 PID: 1293 Comm: kworker/2:1 Tainted: G I 4.1.6-fixxcopy+ #1
[ 1858.639699] Hardware name: Dell Inc. PowerEdge R410/0N83VF, BIOS 1.11.0 07/20/2012
[ 1858.639747] Workqueue: xcopy_wq target_xcopy_do_work [target_core_mod]
[ 1858.639782] task: ffff880036f0cbe0 ti: ffff880317940000 task.ti: ffff880317940000
[ 1858.639822] RIP: 0010:[<ffffffffa01d3774>] [<ffffffffa01d3774>] target_scsi3_ua_check+0x24/0x60 [target_core_mod]
[ 1858.639884] RSP: 0018:ffff880317943ce0 EFLAGS: 00010282
[ 1858.639913] RAX: 0000000000000000 RBX: ffff880317943dc0 RCX: 0000000000000000
[ 1858.639950] RDX: 0000000000000000 RSI: ffff880317943dd0 RDI: ffff88030eaee408
[ 1858.639987] RBP: ffff88030eaee408 R08: 0000000000000001 R09: 0000000000000001
[ 1858.640025] R10: 0000000000000000 R11: 00000000000706e0 R12: ffff880315e0a000
[ 1858.640062] R13: ffff88030eaee408 R14: 0000000000000001 R15: ffff88030eaee408
[ 1858.640100] FS: 0000000000000000(0000) GS:ffff880322e80000(0000) knlGS:0000000000000000
[ 1858.640143] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1858.640173] CR2: 0000000000000000 CR3: 000000000180d000 CR4: 00000000000006e0
[ 1858.640210] Stack:
[ 1858.640223] ffffffffa01cadfa ffff88030eaee400 ffff880318e7c340 ffff880315e0a000
[ 1858.640267] ffffffffa01d8c25 ffff8800cae809e0 0000000000000400 0000000000000400
[ 1858.640310] ffff880318e7c3d0 0000000006b75800 0000000000080000 ffff88030eaee400
[ 1858.640354] Call Trace:
[ 1858.640379] [<ffffffffa01cadfa>] ? target_setup_cmd_from_cdb+0x13a/0x2c0 [target_core_mod]
[ 1858.640429] [<ffffffffa01d8c25>] ? target_xcopy_setup_pt_cmd+0x85/0x320 [target_core_mod]
[ 1858.640479] [<ffffffffa01d9424>] ? target_xcopy_do_work+0x264/0x700 [target_core_mod]
[ 1858.640526] [<ffffffff810ac3a0>] ? pick_next_task_fair+0x720/0x8f0
[ 1858.640562] [<ffffffff8108b3fb>] ? process_one_work+0x14b/0x430
[ 1858.640595] [<ffffffff8108bf5b>] ? worker_thread+0x6b/0x560
[ 1858.640627] [<ffffffff8108bef0>] ? rescuer_thread+0x390/0x390
[ 1858.640661] [<ffffffff810913b3>] ? kthread+0xd3/0xf0
[ 1858.640689] [<ffffffff810912e0>] ? kthread_create_on_node+0x180/0x180
Also, check for the same se_node_acl->device_list[] during EXTENDED_COPY
operation as a non-holding persistent reservation port.
Reported-by: Martin Svec <martin,svec@zoner.cz>
Tested-by: Martin Svec <martin,svec@zoner.cz>
Cc: Martin Svec <martin,svec@zoner.cz>
Cc: Alex Gorbachev <ag@iss-integration.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_pr.c | 3 +++
drivers/target/target_core_ua.c | 8 ++++----
2 files changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -328,6 +328,9 @@ static int core_scsi3_pr_seq_non_holder(
int legacy = 0; /* Act like a legacy device and return
* RESERVATION CONFLICT on some CDBs */
+ if (!se_sess->se_node_acl->device_list)
+ return;
+
se_deve = se_sess->se_node_acl->device_list[cmd->orig_fe_lun];
/*
* Determine if the registration should be ignored due to
--- a/drivers/target/target_core_ua.c
+++ b/drivers/target/target_core_ua.c
@@ -48,7 +48,7 @@ target_scsi3_ua_check(struct se_cmd *cmd
return 0;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return 0;
deve = nacl->device_list[cmd->orig_fe_lun];
@@ -90,7 +90,7 @@ int core_scsi3_ua_allocate(
/*
* PASSTHROUGH OPS
*/
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return -EINVAL;
ua = kmem_cache_zalloc(se_ua_cache, GFP_ATOMIC);
@@ -208,7 +208,7 @@ void core_scsi3_ua_for_check_condition(
return;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return;
spin_lock_irq(&nacl->device_list_lock);
@@ -276,7 +276,7 @@ int core_scsi3_ua_clear_for_request_sens
return -EINVAL;
nacl = sess->se_node_acl;
- if (!nacl)
+ if (!nacl || !nacl->device_list)
return -EINVAL;
spin_lock_irq(&nacl->device_list_lock);
Patches currently in stable-queue which might be from nab@linux-iscsi.org are
queue-4.1/target-iscsi-fix-np_ip-bracket-issue-by-removing-np_ip.patch
queue-4.1/iser-target-put-the-reference-on-commands-waiting-for-unsol-data.patch
queue-4.1/iser-target-remove-command-with-state-istate_remove.patch
queue-4.1/target-attach-extended_copy-local-i-o-descriptors-to-xcopy_pt_sess.patch
queue-4.1/target-fix-v4.1-unit_attention-se_node_acl-device_list-null-pointer.patch