[PATCH] loopback: Prevent uninitialized use of tl_tpg in tcm_loop_queuecommand

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>

This patch fixes a bug with tcm_loop where performing a scsi_host rescan was
causing an oops due to a received scsi_cmnd->device->id value not matching a
previously configured tcm_loop_tpg entry in tcm_loop_hba->tl_hba_tpgs[]
obtained from within tcm_loop_queuecommand() code.

This fix adds an explict check for tcm_loop_tpg->tl_hba in order to ensure
tcm_loop_make_naa_tpg() has already been invoked to initialize a given
tcm_loop_tpg entry, and also adds an explict clear of tcm_loop_tpg->tl_hba
from within the tcm_loop_drop_naa_tpg() release path.

This bug was manifesting itself with the following OOPs:

[176289.430909] BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
[176289.431337] IP: [<ffffffffa0395617>] transport_processing_thread+0x1e3/0x794 [target_core_mod]
[176289.431399] PGD 22e9b067 PUD 23375067 PMD 0
[176289.431399] Oops: 0000 [#1] SMP
[176289.431815] CPU 1
[176289.431815] Modules linked in: tcm_loop target_core_stgt target_core_pscsi target_core_file target_core_iblock target_core_mod crc32c ib_cm ib_sa ib_mad ib_core qla2xxx scsi_tgt configfs fcoe libfcoe libfc scsi_transport_fc ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi sr_mod cdrom sd_mod ata_piix libata e1000 mptspi mptscsih mptbase [last unloaded: target_core_mod]
[176289.431815]
[176289.431815] Pid: 12339, comm: LIO_iblock Tainted: G        W   3.1.0-rc8+
[176289.431815] RIP: 0010:[<ffffffffa0395617>]  [<ffffffffa0395617>] transport_processing_thread+0x1e3/0x794 [target_core_mod]
[176289.431815] RSP: 0018:ffff880023bfbe10  EFLAGS: 00010283
[176289.431815] RAX: 0000000000000000 RBX: ffff88002d600040 RCX: ffff88002d600108
[176289.431815] RDX: ffff88000c9e50bc RSI: 0000000000000246 RDI: 0000000000000246
[176289.431815] RBP: ffff880023bfbee0 R08: ffff88002d600108 R09: 0000000000000000
[176289.431815] R10: ffff88002fc8cc80 R11: ffffffff81671b60 R12: ffff88002d600108
[176289.431815] R13: ffff88000c9e4f38 R14: ffff88000c9e50b8 R15: 0000000000000000
[176289.431815] FS:  0000000000000000(0000) GS:ffff88002fc80000(0000) knlGS:0000000000000000
[176289.431815] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[176289.431815] CR2: 0000000000000090 CR3: 000000002a33f000 CR4: 00000000000006e0
[176289.431815] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[176289.431815] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[176289.431815] Process LIO_iblock (pid: 12339, threadinfo ffff880023bfa000, task ffff88002a2e0000)
[176289.431815] Stack:
[176289.431815]  0000000000011280 0000000000000246 ffff88002a2e0000 ffff880023a58900
[176289.431815]  ffff880023bfbed0 ffff880023bfa000 ffff880023bfa000 ffff88000c9e50d0
[176289.431815]  ffff88000c9e50c0 ffff88000c9e50bc ffff880023bfa000 ffff880023bfbfd8
[176289.431815] Call Trace:
[176289.431815]  [<ffffffff81056657>] ? wake_up_bit+0x25/0x25
[176289.431815]  [<ffffffffa0395434>] ? transport_handle_cdb_direct+0x92/0x92 [target_core_mod]
[176289.431815]  [<ffffffff8105619a>] kthread+0x7d/0x85
[176289.431815]  [<ffffffff813cbcb4>] kernel_thread_helper+0x4/0x10
[176289.431815]  [<ffffffff8105611d>] ? kthread_worker_fn+0x16d/0x16d
[176289.431815]  [<ffffffff813cbcb0>] ? gs_change+0x13/0x13
[176289.431815] Code: 67 05 00 00 41 8b 84 24 4c ff ff ff ff c8 83 f8 11 0f 87 f0 04 00 00 89 c0 ff 24 c5 b0 c6 39 a0 0f 0b eb fe 48 8b 83 d8 00 00 00
[176289.431815] RIP  [<ffffffffa0395617>] transport_processing_thread+0x1e3/0x794 [target_core_mod]
[176289.431815]  RSP <ffff880023bfbe10>
[176289.431815] CR2: 0000000000000090
[176295.041004] ---[ end trace 85dc6865b23b8f3e ]---

Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/target/loopback/tcm_loop.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c
index 6d4f200..01fb171 100644
--- a/drivers/target/loopback/tcm_loop.c
+++ b/drivers/target/loopback/tcm_loop.c
@@ -290,6 +290,15 @@ static int tcm_loop_queuecommand(
 	 */
 	tl_hba = *(struct tcm_loop_hba **)shost_priv(sc->device->host);
 	tl_tpg = &tl_hba->tl_hba_tpgs[sc->device->id];
+	/*
+	 * Ensure that this tl_tpg reference from the incoming sc->device->id
+	 * has already been configured via tcm_loop_make_naa_tpg().
+	 */
+	if (!tl_tpg->tl_hba) {
+		set_host_byte(sc, DID_NO_CONNECT);
+		sc->scsi_done(sc);
+		return 0;
+	}
 	se_tpg = &tl_tpg->tl_se_tpg;
 	/*
 	 * Determine the SAM Task Attribute and allocate tl_cmd and
@@ -1245,6 +1254,9 @@ void tcm_loop_drop_naa_tpg(
 	 */
 	core_tpg_deregister(se_tpg);
 
+	tl_tpg->tl_hba = NULL;
+	tl_tpg->tl_tpgt = 0;
+
 	pr_debug("TCM_Loop_ConfigFS: Deallocated Emulated %s"
 		" Target Port %s,t,0x%04x\n", tcm_loop_dump_proto_id(tl_hba),
 		config_item_name(&wwn->wwn_group.cg_item), tpgt);
-- 
1.7.2.5

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]
  Powered by Linux