From patchwork Mon Aug 21 11:21:58 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: tang.wenji@zte.com.cn
X-Patchwork-Id: 9912179
Return-Path: <target-devel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D2E3D600C8 for <patchwork-target-devel@patchwork.kernel.org>;
	Mon, 21 Aug 2017 11:21:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C7C54286EC
	for <patchwork-target-devel@patchwork.kernel.org>;
	Mon, 21 Aug 2017 11:21:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BA16F28764; Mon, 21 Aug 2017 11:21:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A44AF286EC
	for <patchwork-target-devel@patchwork.kernel.org>;
	Mon, 21 Aug 2017 11:21:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752462AbdHULVt (ORCPT
	<rfc822;patchwork-target-devel@patchwork.kernel.org>);
	Mon, 21 Aug 2017 07:21:49 -0400
Received: from out1.zte.com.cn ([202.103.147.172]:60173 "EHLO
	out1.zte.com.cn"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750967AbdHULVs (ORCPT <rfc822;target-devel@vger.kernel.org>);
	Mon, 21 Aug 2017 07:21:48 -0400
X-scanvirus: By SEG_CYREN AntiVirus Engine
X-scanresult: CLEAN
X-MAILFROM: <tang.wenji@zte.com.cn>
X-RCPTTO: <target-devel@vger.kernel.org>
X-FROMIP: 10.30.3.20
X-SEG-Scaned: 1
X-Received: unknown,10.30.3.20,20170821191738
Received: from unknown (HELO mse01.zte.com.cn) (10.30.3.20)
	by localhost with (AES256-SHA encrypted) SMTP;
	21 Aug 2017 11:17:38 -0000
Received: from notes_smtp.zte.com.cn ([10.30.1.239])
	by mse01.zte.com.cn with ESMTP id v7LBLXaU053548;
	Mon, 21 Aug 2017 19:21:33 +0800 (GMT-8)
	(envelope-from tang.wenji@zte.com.cn)
Received: from localhost.localdomain ([10.118.202.203])
	by szsmtp06.zte.com.cn (Lotus Domino Release 8.5.3FP6)
	with ESMTP id 2017082119213643-417439 ;
	Mon, 21 Aug 2017 19:21:36 +0800
From: tang.wenji@zte.com.cn
To: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: target-devel@vger.kernel.org, tangwenji <tang.wenji@zte.com.cn>
Subject: [PATCH] targt:fix oops in core_scsi3_emulate_pro_register_and_move()
Date: Mon, 21 Aug 2017 19:21:58 +0800
Message-Id: <20170821112158.3904-1-tang.wenji@zte.com.cn>
X-Mailer: git-send-email 2.13.2.windows.1
X-MIMETrack: Itemize by SMTP Server on SZSMTP06/server/zte_ltd(Release
	8.5.3FP6|November 21, 2013) at 2017-08-21 19:21:36,
	Serialize by Router on notes_smtp/zte_ltd(Release 9.0.1FP7|August 17,
	2016) at 2017-08-21 19:21:33,
	Serialize complete at 2017-08-21 19:21:33
X-MAIL: mse01.zte.com.cn v7LBLXaU053548
X-HQIP: 127.0.0.1
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: tangwenji <tang.wenji@zte.com.cn>

Initiator port is identified using the world wide unique SCSI device name
of the iSCSI initiator device containing the initiator port,so function
target_parse_pr_out_transport_id returned the point 'iport_ptr' is NULL .
Subsequent search pr_reg, always can not find the matching pr_reg,but the
back of the direct use of the pointer 'dest_pr_reg' assignment operation
resulting in a kernel crash.
crash information is as follows:
[209991.785536] BUG: unable to handle kernel NULL pointer dereference at
000000000000021c
[209991.795507] IP: [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209991.807606] PGD 0
[209991.811007] Oops: 0002 [#1] SMP
[209991.953966] CPU: 2 PID: 19864 Comm: iscsi_trx Tainted: G           OE
------------   3.10.0-514.10.2.el7.x86_64 #1
[209991.967184] Hardware name: ZTE SGLMA/SGLMA, BIOS UBF03.06.50_SVN62419
02/25/2016
[209991.977027] task: ffff88085978ce70 ti: ffff8807dcae4000 task.ti:
ffff8807dcae4000
[209991.986983] RIP: 0010:[<ffffffffa084e11c>]  [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.003799] RSP: 0018:ffff8807dcae7bb8  EFLAGS: 00010292
[209992.011404] RAX: 0000000000000001 RBX: ffff88085dbe4020 RCX:
ffff880856f19050
[209992.021083] RDX: 00000000fffffffd RSI: 000000000000000c RDI:
0000000000000000
[209992.030730] RBP: ffff8807dcae7c80 R08: 0000000000000000 R09:
000000000000ffff
[209992.040394] R10: 0000000000000000 R11: ffffea00413ee200 R12:
0000000000000000
[209992.050038] R13: ffff88084d0a8350 R14: ffff88085dbe1520 R15:
ffff88104bf25000
[209992.059701] FS:  0000000000000000(0000) GS:ffff88085fc80000(0000)
knlGS:0000000000000000
[209992.070426] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[209992.078550] CR2: 000000000000021c CR3: 000000085e7a0000 CR4:
00000000001407e0
[209992.088208] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[209992.097886] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[209992.107532] Stack:
[209992.111462]  0000000000000000 0000003c00000100 0000000259503980
ffff880fe9f63520
[209992.121505]  ffff881059c59948 ffff880fe9f63520 ffff88104bf2506c
0000000100000001
[209992.131532]  0000000000000000 ffff881059c59948 ffff880852fda900
0000000000123abc
[209992.141577] Call Trace:
[209992.146025]  [<ffffffffa085016c>]
target_scsi3_emulate_pr_out+0x22c/0xa30 [target_core_mod]
[209992.157133]  [<ffffffffa085b93f>] __target_execute_cmd+0x1f/0xa0
[target_core_mod]
[209992.167353]  [<ffffffffa085c56c>] target_execute_cmd+0x18c/0x330
[target_core_mod]
[209992.177588]  [<ffffffffa08c843d>] iscsit_execute_cmd+0x25d/0x2d0
[iscsi_target_mod]
[209992.187934]  [<ffffffffa08d0e35>] iscsit_sequence_cmd+0xb5/0x1a0
[iscsi_target_mod]
[209992.198291]  [<ffffffffa08d7794>] iscsit_get_rx_pdu+0x424/0xd60
[iscsi_target_mod]
[209992.208569]  [<ffffffff810c7f05>] ? sched_clock_cpu+0x85/0xc0
[209992.216825]  [<ffffffff8133326d>] ? list_del+0xd/0x30
[209992.224317]  [<ffffffffa08d90d8>] iscsi_target_rx_thread+0x78/0xb0
[iscsi_target_mod]
[209992.234954]  [<ffffffffa08d9060>] ? iscsi_target_tx_thread+0x210/0x210
[iscsi_target_mod]
[209992.245998]  [<ffffffff810b06ff>] kthread+0xcf/0xe0
[209992.253368]  [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.262561]  [<ffffffff81696a58>] ret_from_fork+0x58/0x90
[209992.270463]  [<ffffffff810b0630>] ? kthread_create_on_node+0x140/0x140
[209992.279606] Code: 8b 97 a8 00 00 00 48 8b b5 60 ff ff ff 31 c9 45 31
c0 4c 89 ff e8 c5 d8 ff ff 8b 85 70 ff ff ff 48 8b 4d 98 4d 89 a7 a8 00 00
00 <41> c7 84 24 1c 02 00 00 01 00 00 00 41 89 84 24 20 02 00 00 80
[209992.305124] RIP  [<ffffffffa084e11c>]
core_scsi3_emulate_pro_register_and_move+0x43c/0xa70 [target_core_mod]
[209992.318027]  RSP <ffff8807dcae7bb8>
[209992.323794] CR2: 000000000000021c

Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
---
 drivers/target/target_core_pr.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index 6d5def64db61..424e621b56f6 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -3164,6 +3164,8 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	sense_reason_t ret;
 	unsigned short rtpi;
 	unsigned char proto_ident;
+	char *isid = NULL, dest_buf[PR_REG_ISID_ID_LEN];	
+	struct se_session *dest_sess = NULL;
 
 	if (!se_sess || !se_lun) {
 		pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
@@ -3347,6 +3349,19 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 		goto out;
 	}
 
+	dest_sess = dest_node_acl->nacl_sess;	
+	if (!dest_sess) {
+		pr_err("nacl_sess for dest_node_acl is NULL.\n");
+		atomic_dec_mb(&dest_node_acl->acl_pr_ref_count);
+		dest_node_acl = NULL;
+		ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+		goto out;
+	}
+	if (dest_tf_ops->sess_get_initiator_sid != NULL) {
+		dest_tf_ops->sess_get_initiator_sid(dest_sess, &dest_buf[0], PR_REG_ISID_LEN);
+		isid = &dest_buf[0];
+	}
+
 	if (core_scsi3_nodeacl_depend_item(dest_node_acl)) {
 		pr_err("core_scsi3_nodeacl_depend_item() for"
 			" dest_node_acl\n");
@@ -3435,6 +3450,7 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	 */
 	type = pr_res_holder->pr_res_type;
 	scope = pr_res_holder->pr_res_type;
+	isid = (iport_ptr) ? iport_ptr : isid;
 	/*
 	 * c) Associate the reservation key specified in the SERVICE ACTION
 	 *    RESERVATION KEY field with the I_T nexus specified as the
@@ -3456,7 +3472,7 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 	 * reservation key or a different reservation key.
 	 */
 	dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl,
-					iport_ptr);
+					isid);
 	if (!dest_pr_reg) {
 		struct se_lun *dest_lun = rcu_dereference_check(dest_se_deve->se_lun,
 				kref_read(&dest_se_deve->pr_kref) != 0);
@@ -3464,15 +3480,19 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
 		spin_unlock(&dev->dev_reservation_lock);
 		if (core_scsi3_alloc_registration(cmd->se_dev, dest_node_acl,
 					dest_lun, dest_se_deve, dest_se_deve->mapped_lun,
-					iport_ptr, sa_res_key, 0, aptpl, 2, 1)) {
+					isid, sa_res_key, 0, aptpl, 2, 1)) {
 			ret = TCM_INVALID_PARAMETER_LIST;
 			goto out;
 		}
 		spin_lock(&dev->dev_reservation_lock);
 		dest_pr_reg = __core_scsi3_locate_pr_reg(dev, dest_node_acl,
-						iport_ptr);
+						isid);
 		new_reg = 1;
 	}
+	if (!dest_pr_reg) {
+		ret = TCM_INVALID_PARAMETER_LIST;
+		goto out;
+	}
 	/*
 	 * f) Release the persistent reservation for the persistent reservation
 	 *    holder (i.e., the I_T nexus on which the