From patchwork Tue Jul 21 22:07:54 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Spencer Baugh <sbaugh@catern.com>
X-Patchwork-Id: 6838481
Return-Path: <linux-scsi-owner@kernel.org>
X-Original-To: patchwork-linux-scsi@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id D29EFC05AC
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 21 Jul 2015 22:10:08 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 00CDA2060E
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 21 Jul 2015 22:10:08 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 822F520689
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Tue, 21 Jul 2015 22:10:06 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933803AbbGUWIV (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Tue, 21 Jul 2015 18:08:21 -0400
Received: from catern.com ([104.131.201.120]:58793 "EHLO mail.catern.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S932148AbbGUWIQ (ORCPT <rfc822;linux-scsi@vger.kernel.org>);
	Tue, 21 Jul 2015 18:08:16 -0400
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by mail.catern.com (Postfix) with ESMTPSA id 9596A479AE;
	Tue, 21 Jul 2015 22:08:14 +0000 (UTC)
From: Spencer Baugh <sbaugh@catern.com>
To: "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
	linux-scsi@vger.kernel.org (open list:TARGET SUBSYSTEM),
	target-devel@vger.kernel.org (open list:TARGET SUBSYSTEM),
	linux-kernel@vger.kernel.org (open list)
Cc: Joern Engel <joern@purestorage.com>,
	Spencer Baugh <Spencer.baugh@purestorage.com>,
	Alexei Potashnik <alexei@purestorage.com>,
	Spencer Baugh <sbaugh@catern.com>
Subject: [PATCH] target: fix crash in cmd tracing when cmd didn't match a LUN
Date: Tue, 21 Jul 2015 15:07:54 -0700
Message-Id: <1437516477-30554-2-git-send-email-sbaugh@catern.com>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Spam-Status: No, score=-8.1 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Alexei Potashnik <alexei@purestorage.com>

If command didn't match a LUN and we're sending check condition, the
target_cmd_complete ftrace point will crash because it assumes that
cmd->t_task_cdb has been set.

The fix will temporarily set t_task_cdb to the se_cmd buffer
and copy first 6 bytes of cdb in there as soon as possible.
At a later point t_task_cdb is reset to the correct buffer,
but until then traces and printks don't cause a crash.

Signed-off-by: Alexei Potashnik <alexei@purestorage.com>
Signed-off-by: Spencer Baugh <sbaugh@catern.com>
---
 drivers/target/target_core_device.c    | 7 +++++++
 drivers/target/target_core_transport.c | 7 ++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index c4a8db6..b74dfb2 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -63,6 +63,13 @@ transport_lookup_cmd_lun(struct se_cmd *se_cmd, u64 unpacked_lun)
 	struct se_node_acl *nacl = se_sess->se_node_acl;
 	struct se_dev_entry *deve;
 
+	/* Temporarily set t_task_cdb to the se_cmd buffer and save a portion
+	 * of cdb in there (fabrics must provide at least 6 bytes). t_task_cdb
+	 * will be correctly replaced in target_setup_cmd_from_cdb. Until then
+	 * tracing and printks can access t_task_cdb without causing a crash. */
+	se_cmd->t_task_cdb = se_cmd->__t_task_cdb;
+	memcpy(se_cmd->t_task_cdb, cdb, 6);
+
 	rcu_read_lock();
 	deve = target_nacl_find_deve(nacl, unpacked_lun);
 	if (deve) {
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index ce8574b..8dd15c7 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1210,15 +1210,16 @@ target_setup_cmd_from_cdb(struct se_cmd *cmd, unsigned char *cdb)
 	 * setup the pointer from __t_task_cdb to t_task_cdb.
 	 */
 	if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
-		cmd->t_task_cdb = kzalloc(scsi_command_size(cdb),
-						GFP_KERNEL);
-		if (!cmd->t_task_cdb) {
+		unsigned char *ptr = kzalloc(scsi_command_size(cdb),
+					     GFP_KERNEL);
+		if (!ptr) {
 			pr_err("Unable to allocate cmd->t_task_cdb"
 				" %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
 				scsi_command_size(cdb),
 				(unsigned long)sizeof(cmd->__t_task_cdb));
 			return TCM_OUT_OF_RESOURCES;
 		}
+		cmd->t_task_cdb = ptr;
 	} else
 		cmd->t_task_cdb = &cmd->__t_task_cdb[0];
 	/*