targt:fix oops in core_scsi3_emulate_pro_register_and_move()

Message ID 20170821112158.3904-1-tang.wenji@zte.com.cn
State New, archived

Commit Message

tang.wenji@zte.com.cn Aug. 21, 2017, 11:21 a.m. UTC
From: tangwenji <tang.wenji@zte.com.cn>

The initiator port is identified using the world wide unique SCSI device name
of the iSCSI initiator device containing the initiator port, so the pointer
'iport_ptr' returned by target_parse_pr_out_transport_id is NULL.
The subsequent pr_reg lookup can then never find a matching pr_reg, but the
later direct use of the pointer 'dest_pr_reg' in an assignment results in a
kernel crash.
crash information is as follows:
[209991.785536] BUG: unable to handle kernel NULL pointer dereference at
000000000000021c
[209991.795507] IP: [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209991.807606] PGD 0
[209991.811007] Oops: 0002 [#1] SMP
[209991.953966] CPU: 2 PID: 19864 Comm: iscsi_trx Tainted: G           OE
------------   3.10.0-514.10.2.el7.x86_64 #1
[209991.967184] Hardware name: ZTE SGLMA/SGLMA, BIOS UBF03.06.50_SVN62419
02/25/2016
[209991.977027] task: ffff88085978ce70 ti: ffff8807dcae4000 task.ti:
ffff8807dcae4000
[209991.986983] RIP: 0010:[<ffffffffa084e11c>]  [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.003799] RSP: 0018:ffff8807dcae7bb8  EFLAGS: 00010292
[209992.011404] RAX: 0000000000000001 RBX: ffff88085dbe4020 RCX:
ffff880856f19050
[209992.021083] RDX: 00000000fffffffd RSI: 000000000000000c RDI:
0000000000000000
[209992.030730] RBP: ffff8807dcae7c80 R08: 0000000000000000 R09:
000000000000ffff
[209992.040394] R10: 0000000000000000 R11: ffffea00413ee200 R12:
0000000000000000
[209992.050038] R13: ffff88084d0a8350 R14: ffff88085dbe1520 R15:
ffff88104bf25000
[209992.059701] FS:  0000000000000000(0000) GS:ffff88085fc80000(0000)
knlGS:0000000000000000
[209992.070426] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[209992.078550] CR2: 000000000000021c CR3: 000000085e7a0000 CR4:
00000000001407e0
[209992.088208] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[209992.097886] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[209992.107532] Stack:
[209992.111462]  0000000000000000 0000003c00000100 0000000259503980
ffff880fe9f63520
[209992.121505]  ffff881059c59948 ffff880fe9f63520 ffff88104bf2506c
0000000100000001
[209992.131532]  0000000000000000 ffff881059c59948 ffff880852fda900
0000000000123abc
[209992.141577] Call Trace:
[209992.146025]  [<ffffffffa085016c>]
target_scsi3_emulate_pr_out+0x22c/0xa30 [target_core_mod]
[209992.157133]  [<ffffffffa085b93f>] __target_execute_cmd+0x1f/0xa0
[target_core_mod]
[209992.167353]  [<ffffffffa085c56c>] target_execute_cmd+0x18c/0x330
[target_core_mod]
[209992.177588]  [<ffffffffa08c843d>] iscsit_execute_cmd+0x25d/0x2d0
[iscsi_target_mod]
[209992.187934]  [<ffffffffa08d0e35>] iscsit_sequence_cmd+0xb5/0x1a0
[iscsi_target_mod]
[209992.198291]  [<ffffffffa08d7794>] iscsit_get_rx_pdu+0x424/0xd60
[iscsi_target_mod]
[209992.208569]  [<ffffffff810c7f05>] ? sched_clock_cpu+0x85/0xc0
[209992.216825]  [<ffffffff8133326d>] ? list_del+0xd/0x30
[209992.224317]  [<ffffffffa08d90d8>] iscsi_target_rx_thread+0x78/0xb0
[iscsi_target_mod]
[209992.234954]  [<ffffffffa08d9060>] ? iscsi_target_tx_thread+0x210/0x210
[iscsi_target_mod]
[209992.245998]  [<ffffffff810b06ff>] kthread+0xcf/0xe0
[209992.253368]  [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.262561]  [<ffffffff81696a58>] ret_from_fork+0x58/0x90
[209992.270463]  [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.279606] Code: 8b 97 a8 00 00 00 48 8b b5 60 ff ff ff 31 c9 45 31
c0 4c 89 ff e8 c5 d8 ff ff 8b 85 70 ff ff ff 48 8b 4d 98 4d 89 a7 a8 00 00
00 <41> c7 84 24 1c 02 00 00 01 00 00 00 41 89 84 24 20 02 00 00 80
[209992.305124] RIP  [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.318027]  RSP <ffff8807dcae7bb8>
[209992.323794] CR2: 000000000000021c

Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
---
 drivers/target/target_core_pr.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

Patch

diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index 6d5def64db61..424e621b56f6 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -3164,6 +3164,8 @@  core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	sense_reason_t ret;
 	unsigned short rtpi;
 	unsigned char proto_ident;
+	char *isid = NULL, dest_buf[PR_REG_ISID_ID_LEN];	
+	struct se_session *dest_sess = NULL;
 
 	if (!se_sess || !se_lun) {
 		pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
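Review bot: `dest_buf` is declared on L108 without an initializer, yet in the hunk at @@ -3347 its address is handed to the fabric's `sess_get_initiator_sid` callback and then used as a string key for `__core_scsi3_locate_pr_reg` and `core_scsi3_alloc_registration`; if a fabric fills fewer bytes than the buffer or does not terminate it, the lookup compares uninitialized stack bytes. Declaring it as `char *isid = NULL, dest_buf[PR_REG_ISID_ID_LEN] = { 0 };` removes that dependence on the callback's contract. Both L108 and L117 also carry a trailing tab after the statement, which checkpatch will flag. The enclosing function starts and ends outside this hunk.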
@@ -3347,6 +3349,19 @@  core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 		goto out;
 	}
 
+	dest_sess = dest_node_acl->nacl_sess;	
+	if (!dest_sess) {
+		pr_err("nacl_sess for dest_node_acl is NULL.\n");
+		atomic_dec_mb(&dest_node_acl->acl_pr_ref_count);
+		dest_node_acl = NULL;
+		ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+		goto out;
+	}
+	if (dest_tf_ops->sess_get_initiator_sid != NULL) {
+		dest_tf_ops->sess_get_initiator_sid(dest_sess, &dest_buf[0], PR_REG_ISID_LEN);
+		isid = &dest_buf[0];
+	}
+
 	if (core_scsi3_nodeacl_depend_item(dest_node_acl)) {
 		pr_err("core_scsi3_nodeacl_depend_item() for"
 			" dest_node_acl\n");
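Review bot: `dest_node_acl->nacl_sess` is read on L117 and then dereferenced through the callback on L126 without any lock or reference on the session; elsewhere in the target core that field appears to be accessed under the ACL's session lock, so unless something not visible here pins the session, it could be torn down between the NULL check and the callback. Please confirm the locking rule for `nacl_sess` and, if needed, take the lock around the read and the callback (or a session reference for that window). Separately, the buffer is sized `PR_REG_ISID_ID_LEN` on L108 while the callback is told `PR_REG_ISID_LEN` on L126; unless that difference is deliberate, `sizeof(dest_buf)` keeps the two in step. The error path on L118-L124 mirrors the preceding one (ref-count drop, `dest_node_acl = NULL`), which is the right shape.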
@@ -3435,6 +3450,7 @@  core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	 */
 	type = pr_res_holder->pr_res_type;
 	scope = pr_res_holder->pr_res_type;
+	isid = (iport_ptr) ? iport_ptr : isid;
 	/*
 	 * c) Associate the reservation key specified in the SERVICE ACTION
 	 *    RESERVATION KEY field with the I_T nexus specified as the
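Review bot: `isid = (iport_ptr) ? iport_ptr : isid;` on L137 assigns `isid` to itself in the else arm; `if (iport_ptr) isid = iport_ptr;` says the same thing plainly. The line also deserves a why-comment, since a reader will otherwise not know why two sources are being merged, e.g. `/* Prefer the port identifier from the TransportID; iSCSI TransportIDs carry none, so fall back to the destination session's ISID */`, which reflects the reasoning given in the commit message. The statement sits inside the region guarded by `dev->dev_reservation_lock`, which is fine as it touches only locals.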
@@ -3456,7 +3472,7 @@  core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	 * reservation key or a different reservation key.
 	 */
 	dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl,
-					iport_ptr);
+					isid);
 	if (!dest_pr_reg) {
 		struct se_lun *dest_lun = rcu_dereference_check(dest_se_deve->se_lun,
 				kref_read(&dest_se_deve->pr_kref) != 0);
@@ -3464,15 +3480,19 @@  core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 		spin_unlock(&dev->dev_reservation_lock);
 		if (core_scsi3_alloc_registration(cmd->se_dev, dest_node_acl,
 					dest_lun, dest_se_deve, dest_se_deve->mapped_lun,
-					iport_ptr, sa_res_key, 0, aptpl, 2, 1)) {
+					isid, sa_res_key, 0, aptpl, 2, 1)) {
 			ret = TCM_INVALID_PARAMETER_LIST;
 			goto out;
 		}
 		spin_lock(&dev->dev_reservation_lock);
 		dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl,
-						iport_ptr);
+						isid);
 		new_reg = 1;
 	}
+	if (!dest_pr_reg) {
+		ret = TCM_INVALID_PARAMETER_LIST;
+		goto out;
+	}
 	/*
 	 * f) Release the persistent reservation for the persistent reservation
 	 *    holder (i.e., the I_T nexus on which the