On Tue, 2013-01-22 at 18:52 +0000, Chris Boot wrote:
> Hi Nick,
>
> I just booted into a 3.7.4 kernel and found myself unable to start any
> of my targets up:
>
> [ 1237.490697] BUG: unable to handle kernel NULL pointer dereference
> at (null)
> [ 1237.499827] IP: [<ffffffffa062c997>] target_fabric_port_link+0x8/0xd2
> [target_core_mod]
> [snip]
>
> (gdb) list *target_fabric_port_link+0x8
> 0x6997 is in target_fabric_port_link
> (drivers/target/target_core_fabric_configfs.c:754).
> 751 struct target_fabric_configfs *tf;
> 752 int ret;
> 753
> 754 if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) {
> 755 pr_err("Bad dev->dev_link_magic, not a valid
> se_dev_ci pointer:"
> 756 " %p to struct se_device: %p\n",
> se_dev_ci, dev);
> 757 return -EFAULT;
>
> It seems that "target: Add link_magic for fabric allow_link destination
> target_items" is to blame for this one:
>
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=commit;h=fdf9d862969f1be18814273b03fb9497ec2dbdae
>
> In 3.7.4 at least, 'dev' isn't initialised until much further below, so
> the patch adds an access to uninitialised memory and causes a NULL
> pointer dereference. It looks as though the initialisation order of
> struct se_device *dev has changed due to the removal of struct
> se_subsystem_dev.
>
Ugh..
> I think the fix is to simply move the dev_link_magic check to further
> below...
>
That is correct.
Please apply the following patch, and I'll ask Greg-KH to apply to
v3.7.y and v3.4.y shortly.
Thanks,
--nab
>From a2faf6488d13aa7f0dabe4ad9b003595b343e42e Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Wed, 23 Jan 2013 12:17:00 -0800
Subject: [PATCH] target: Fix v3.7.y stable regression with dev_link_magic in target_fabric_port_link
This patch fixes a bug introduced with v3.7.y stable where the
dev->dev_link_magic check was incorrectly positioned head of the *dev
assignment in target_fabric_port_link()
Reported-by: Chris Boot <bootc@xxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
---
drivers/target/target_core_fabric_configfs.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/target/target_core_fabric_configfs.c b/drivers/target/target_core_fabric_configfs.c
index a55f91a..9430cd2 100644
--- a/drivers/target/target_core_fabric_configfs.c
+++ b/drivers/target/target_core_fabric_configfs.c
@@ -751,12 +751,6 @@ static int target_fabric_port_link(
struct target_fabric_configfs *tf;
int ret;
- if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) {
- pr_err("Bad dev->dev_link_magic, not a valid se_dev_ci pointer:"
- " %p to struct se_device: %p\n", se_dev_ci, dev);
- return -EFAULT;
- }
-
tpg_ci = &lun_ci->ci_parent->ci_group->cg_item;
se_tpg = container_of(to_config_group(tpg_ci),
struct se_portal_group, tpg_group);
@@ -774,6 +768,11 @@ static int target_fabric_port_link(
ret = -ENODEV;
goto out;
}
+ if (dev->dev_link_magic != SE_DEV_LINK_MAGIC) {
+ pr_err("Bad dev->dev_link_magic, not a valid se_dev_ci pointer:"
+ " %p to struct se_device: %p\n", se_dev_ci, dev);
+ return -EFAULT;
+ }
lun_p = core_dev_add_lun(se_tpg, dev, lun->unpacked_lun);
if (IS_ERR(lun_p)) {
--
1.7.2.5
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
