From: tangwenji <tang.wenji@xxxxxxxxxx>

The initiator port is identified using the world wide unique SCSI device name of the iSCSI initiator device containing the initiator port, so the pointer 'iport_ptr' returned by function target_parse_pr_out_transport_id is NULL. The subsequent search for pr_reg can never find the matching pr_reg, but the pointer 'dest_pr_reg' is then used directly in an assignment operation, resulting in a kernel crash.

Crash information is as follows:

[209991.785536] BUG: unable to handle kernel NULL pointer dereference at 000000000000021c
[209991.795507] IP: [<ffffffffa084e11c>] core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209991.807606] PGD 0
[209991.811007] Oops: 0002 [#1] SMP
[209991.953966] CPU: 2 PID: 19864 Comm: iscsi_trx Tainted: G OE ------------ 3.10.0-514.10.2.el7.x86_64 #1
[209991.967184] Hardware name: ZTE SGLMA/SGLMA, BIOS UBF03.06.50_SVN62419 02/25/2016
[209991.977027] task: ffff88085978ce70 ti: ffff8807dcae4000 task.ti: ffff8807dcae4000
[209991.986983] RIP: 0010:[<ffffffffa084e11c>] [<ffffffffa084e11c>] core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.003799] RSP: 0018:ffff8807dcae7bb8 EFLAGS: 00010292
[209992.011404] RAX: 0000000000000001 RBX: ffff88085dbe4020 RCX: ffff880856f19050
[209992.021083] RDX: 00000000fffffffd RSI: 000000000000000c RDI: 0000000000000000
[209992.030730] RBP: ffff8807dcae7c80 R08: 0000000000000000 R09: 000000000000ffff
[209992.040394] R10: 0000000000000000 R11: ffffea00413ee200 R12: 0000000000000000
[209992.050038] R13: ffff88084d0a8350 R14: ffff88085dbe1520 R15: ffff88104bf25000
[209992.059701] FS: 0000000000000000(0000) GS:ffff88085fc80000(0000) knlGS:0000000000000000
[209992.070426] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[209992.078550] CR2: 000000000000021c CR3: 000000085e7a0000 CR4: 00000000001407e0
[209992.088208] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[209992.097886] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[209992.107532] Stack:
[209992.111462] 0000000000000000 0000003c00000100 0000000259503980 ffff880fe9f63520
[209992.121505] ffff881059c59948 ffff880fe9f63520 ffff88104bf2506c 0000000100000001
[209992.131532] 0000000000000000 ffff881059c59948 ffff880852fda900 0000000000123abc
[209992.141577] Call Trace:
[209992.146025] [<ffffffffa085016c>] target_scsi3_emulate_pr_out+0x22c/0xa30 [target_core_mod]
[209992.157133] [<ffffffffa085b93f>] __target_execute_cmd+0x1f/0xa0 [target_core_mod]
[209992.167353] [<ffffffffa085c56c>] target_execute_cmd+0x18c/0x330 [target_core_mod]
[209992.177588] [<ffffffffa08c843d>] iscsit_execute_cmd+0x25d/0x2d0 [iscsi_target_mod]
[209992.187934] [<ffffffffa08d0e35>] iscsit_sequence_cmd+0xb5/0x1a0 [iscsi_target_mod]
[209992.198291] [<ffffffffa08d7794>] iscsit_get_rx_pdu+0x424/0xd60 [iscsi_target_mod]
[209992.208569] [<ffffffff810c7f05>] ? sched_clock_cpu+0x85/0xc0
[209992.216825] [<ffffffff8133326d>] ? list_del+0xd/0x30
[209992.224317] [<ffffffffa08d90d8>] iscsi_target_rx_thread+0x78/0xb0 [iscsi_target_mod]
[209992.234954] [<ffffffffa08d9060>] ? iscsi_target_tx_thread+0x210/0x210 [iscsi_target_mod]
[209992.245998] [<ffffffff810b06ff>] kthread+0xcf/0xe0
[209992.253368] [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.262561] [<ffffffff81696a58>] ret_from_fork+0x58/0x90
[209992.270463] [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.279606] Code: 8b 97 a8 00 00 00 48 8b b5 60 ff ff ff 31 c9 45 31 c0 4c 89 ff e8 c5 d8 ff ff 8b 85 70 ff ff ff 48 8b 4d 98 4d 89 a7 a8 00 00 00 <41> c7 84 24 1c 02 00 00 01 00 00 00 41 89 84 24 20 02 00 00 80
[209992.305124] RIP [<ffffffffa084e11c>] core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.318027] RSP <ffff8807dcae7bb8>
[209992.323794] CR2: 000000000000021c

Signed-off-by: tangwenji <tang.wenji@xxxxxxxxxx>
---
 drivers/target/target_core_pr.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c index 6d5def64db61..424e621b56f6 100644 --- a/drivers/target/target_core_pr.c +++ b/drivers/target/target_core_pr.c @@ -3164,6 +3164,8 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, sense_reason_t ret; unsigned short rtpi; unsigned char proto_ident; + char *isid = NULL, dest_buf[PR_REG_ISID_ID_LEN]; + struct se_session *dest_sess = NULL; if (!se_sess || !se_lun) { pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n"); @@ -3347,6 +3349,19 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, goto out; } + dest_sess = dest_node_acl->nacl_sess; + if (!dest_sess) { + pr_err("nacl_sess for dest_node_acl is NULL.\n"); + atomic_dec_mb(&dest_node_acl->acl_pr_ref_count); + dest_node_acl = NULL; + ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE; + goto out; + } + if (dest_tf_ops->sess_get_initiator_sid != NULL) { + dest_tf_ops->sess_get_initiator_sid(dest_sess, &dest_buf[0], PR_REG_ISID_LEN); + isid = &dest_buf[0]; + } + if (core_scsi3_nodeacl_depend_item(dest_node_acl)) { pr_err("core_scsi3_nodeacl_depend_item() for" " dest_node_acl\n"); @@ -3435,6 +3450,7 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, */ type = pr_res_holder->pr_res_type; scope = pr_res_holder->pr_res_type; + isid = (iport_ptr) ? iport_ptr : isid; /* * c) Associate the reservation key specified in the SERVICE ACTION * RESERVATION KEY field with the I_T nexus specified as the @@ -3456,7 +3472,7 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, * reservation key or a different reservation key. */ dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl, - iport_ptr); + isid); if (!dest_pr_reg) { struct se_lun *dest_lun = rcu_dereference_check(dest_se_deve->se_lun, kref_read(&dest_se_deve->pr_kref) != 0); 
@@ -3464,15 +3480,19 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, spin_unlock(&dev->dev_reservation_lock); if (core_scsi3_alloc_registration(cmd->se_dev, dest_node_acl, dest_lun, dest_se_deve, dest_se_deve->mapped_lun, - iport_ptr, sa_res_key, 0, aptpl, 2, 1)) { + isid, sa_res_key, 0, aptpl, 2, 1)) { ret = TCM_INVALID_PARAMETER_LIST; goto out; } spin_lock(&dev->dev_reservation_lock); dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl, - iport_ptr); + isid); new_reg = 1; } + if (!dest_pr_reg) { + ret = TCM_INVALID_PARAMETER_LIST; + goto out; + } /* * f) Release the persistent reservation for the persistent reservation * holder (i.e., the I_T nexus on which the -- 2.13.2.windows.1
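
Review bot: in the @@ -3347 hunk, `dest_buf` is passed to `sess_get_initiator_sid()` without being zeroed and the callback's return value is ignored, so `isid` can point at uninitialized stack bytes if the fabric writes nothing or writes a short ISID. The buffer is also declared with PR_REG_ISID_ID_LEN in the first hunk while PR_REG_ISID_LEN is passed as its size here. Clear the buffer before the call, use one constant for both the declaration and the length argument, and set `isid = &dest_buf[0]` only when the call reports a non-empty ISID. Separately, returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE when `dest_node_acl->nacl_sess` is NULL makes REGISTER AND MOVE fail for any destination that has no session at that moment; the commit message should say whether that is intended. `nacl_sess` is also read here with no locking visible in the hunk.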
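
Review bot: `isid = (iport_ptr) ? iport_ptr : isid;` in the @@ -3435 hunk has no comment explaining the fallback and sits between the type/scope assignments and the step c) comment, far from where the session ISID is fetched in the @@ -3347 hunk. Move the selection next to the `sess_get_initiator_sid()` call, write it as a plain `if (iport_ptr) isid = iport_ptr;`, and add a one-line comment saying that the session ISID is used only when the TransportID supplied none. That keeps the two sources of `isid` readable in one place before it is passed to `__core_scsi3_locate_pr_reg()` and `core_scsi3_alloc_registration()`.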
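
Review bot: the new `if (!dest_pr_reg)` check at the end of the @@ -3464 hunk jumps to `out` while `dev->dev_reservation_lock` is held. Both paths that reach it hold the lock: the lookup-hit path never drops it, and the allocation path re-takes it with `spin_lock(&dev->dev_reservation_lock);` just before the second `__core_scsi3_locate_pr_reg()` call. The existing `goto out` after `core_scsi3_alloc_registration()` in the same hunk is taken only after `spin_unlock()`, so `out` is reached unlocked there. Add `spin_unlock(&dev->dev_reservation_lock);` before setting `ret` in the new block, and consider a `pr_err()` so the failed lookup is visible in the log like the other error paths in this function.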