Re: BUG: Null deref with pscsi backstore, iscsi fabric, and Windows XP initiator

Hi Alex,

On Thu, 2012-08-02 at 21:15 -0700, Alex Elsayed wrote:
> Hi, I'm trying to pass my host computer's DVD drive through to a VM via 
> iscsi (because libvirt's scsi passthrough uses scsi-disc rather than scsi-
> generic, I can't use that.) I used targetcli to set up the DVD drive via the 
> pSCSI backstore, added an iSCSI target, created a LUN backed by the drive, 
> set up authentication (both discovery and node-acl), and tried to connect 
> using the Windows XP software initiator. When I did, I met the NULL deref 
> bug in the subject. I have attached both the backtrace and my 
> tcm_start.sh/lio_start.sh scripts, though the latter has had userids and 
> passwords sanitized.
> 
> I'm running 3.5.0 with target-pending/for-next-merge pulled in.

Based upon your trace, I'm pretty certain this is related to the two old
pSCSI specific hacks in target_core_pscsi.c:pscsi_complete_cmd() that
manually set MODE_SENSE write_protect bit in the data payload, or
sd->blocksize w/ MODE_SELECT with TYPE_TAPE export. The OOPsen
here appears to be related to the former.

The following (untested) patch to stub out both of these cases should
get you up and running with TYPE_ROM, and I think for modern pSCSI code
we should be able to now just drop this section altogether.

Please give it a shot and let us know if you're able to get pSCSI +
TYPE_ROM export up and running on your setup.

Thanks for reporting!

--nab

diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
index 6e32ff6..2b0b4ea 100644
--- a/drivers/target/target_core_pscsi.c
+++ b/drivers/target/target_core_pscsi.c
@@ -676,6 +676,7 @@ static int pscsi_transport_complete(struct se_cmd *cmd, struct scatterlist *sg)
        unsigned char *cdb = &pt->pscsi_cdb[0];
 
        result = pt->pscsi_result;
+#if 0
        /*
         * Hack to make sure that Write-Protect modepage is set if R/O mode is
         * forced.
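Review bot: The `#if 0` opened right after `result = pt->pscsi_result;` also switches off the forced read-only handling described in the comment that follows it, so a MODE_SENSE response would no longer get the Write-Protect bit set when R/O mode is forced. If that behaviour is still wanted, guard the specific access that faults instead of compiling out the whole block. Also check whether `cdb` is still referenced once the block is disabled; if not, its declaration just above should be removed as well to avoid an unused-variable warning.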
@@ -742,7 +743,7 @@ after_mode_sense:
                sd->sector_size = blocksize;
        }
 after_mode_select:
-
+#endif
        if (status_byte(result) & CHECK_CONDITION)
                return 1;
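Review bot: Placing `#endif` after the `after_mode_select:` label leaves both that label and `after_mode_sense:` inside the disabled region, together with the `sd->sector_size = blocksize;` update, so that assignment no longer runs. For a version meant to be merged, delete the block outright rather than leaving it under `#if 0`, and state in the changelog what, if anything, replaces the sector size update.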

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

