linux/drivers/target
Nicholas Bellinger 7fd29aa920 target: Fix transport_get_lun_for_tmr failure cases
This patch fixes two possible NULL pointer dereferences in target v4.0
code where se_tmr release path in core_tmr_release_req() can OOPs upon
transport_get_lun_for_tmr() failure by attempting to access se_device or
se_tmr->tmr_list without a valid member of se_device->tmr_list during
transport_free_se_cmd() release.  This patch moves the se_tmr->tmr_dev
pointer assignment in transport_get_lun_for_tmr() until after possible
-ENODEV failures during unpacked_lun lookup.

This addresses an OOPs originally reported with LIO v4.1 upstream on
.39 code here:

    TARGET_CORE[qla2xxx]: Detected NON_EXISTENT_LUN Access for 0x00000000
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000550
    IP: [<ffffffff81035ec4>] __ticket_spin_trylock+0x4/0x20
    PGD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
    CPU 1
    Modules linked in: netconsole target_core_pscsi target_core_file
tcm_qla2xxx target_core_iblock tcm_loop target_core_mod configfs
ipmi_devintf ipmi_si ipmi_msghandler serio_raw i7core_edac ioatdma dca
edac_core ps_bdrv ses enclosure usbhid usb_storage ahci qla2xxx hid
uas e1000e mpt2sas libahci mlx4_core scsi_transport_fc
scsi_transport_sas raid_class scsi_tgt [last unloaded: netconsole]

    Pid: 0, comm: kworker/0:0 Tainted: G        W   2.6.39+ #1 Xyratex Storage Server
    RIP: 0010:[<ffffffff81035ec4>] [<ffffffff81035ec4>]__ticket_spin_trylock+0x4/0x20
    RSP: 0018:ffff88063e803c08  EFLAGS: 00010286
    RAX: ffff880619ab45e0 RBX: 0000000000000550 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000550
    RBP: ffff88063e803c08 R08: 0000000000000002 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000568
    R13: 0000000000000001 R14: 0000000000000000 R15: ffff88060cd96a20
    FS:  0000000000000000(0000) GS:ffff88063e800000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000550 CR3: 0000000001a03000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process kworker/0:0 (pid: 0, threadinfo ffff880619ab8000, task ffff880619ab45e0)
    Stack:
     ffff88063e803c28 ffffffff812cf039 0000000000000550 0000000000000568
     ffff88063e803c58 ffffffff8157071e ffffffffa028a1dc ffff88060f7e4600
     0000000000000550 ffff880616961480 ffff88063e803c78 ffffffffa028a1dc
    Call Trace:
<IRQ>
     [<ffffffff812cf039>] do_raw_spin_trylock+0x19/0x50
     [<ffffffff8157071e>] _raw_spin_lock+0x3e/0x70
     [<ffffffffa028a1dc>] ? core_tmr_release_req+0x2c/0x60 [target_core_mod]
     [<ffffffffa028a1dc>] core_tmr_release_req+0x2c/0x60 [target_core_mod]
     [<ffffffffa028d0d2>] transport_free_se_cmd+0x22/0x50 [target_core_mod]
     [<ffffffffa028d120>] transport_release_cmd_to_pool+0x20/0x40 [target_core_mod]
     [<ffffffffa028e525>] transport_generic_free_cmd+0xa5/0xb0 [target_core_mod]
     [<ffffffffa0147cc4>] tcm_qla2xxx_handle_tmr+0xc4/0xd0 [tcm_qla2xxx]
     [<ffffffffa0191ba3>] __qla24xx_handle_abts+0xd3/0x150 [qla2xxx]
     [<ffffffffa0197651>] qla_tgt_response_pkt+0x171/0x520 [qla2xxx]
     [<ffffffffa0197a2d>] qla_tgt_response_pkt_all_vps+0x2d/0x220 [qla2xxx]
     [<ffffffffa0171dd3>] qla24xx_process_response_queue+0x1a3/0x670 [qla2xxx]
     [<ffffffffa0196281>] ? qla24xx_atio_pkt+0x81/0x120 [qla2xxx]
     [<ffffffffa0174025>] ? qla24xx_msix_default+0x45/0x2a0 [qla2xxx]
     [<ffffffffa0174198>] qla24xx_msix_default+0x1b8/0x2a0 [qla2xxx]
     [<ffffffff810dadb4>] handle_irq_event_percpu+0x54/0x210
     [<ffffffff810dafb8>] handle_irq_event+0x48/0x70
     [<ffffffff810dd5ee>] ? handle_edge_irq+0x1e/0x110
     [<ffffffff810dd647>] handle_edge_irq+0x77/0x110
     [<ffffffff8100d362>] handle_irq+0x22/0x40
     [<ffffffff8157b28d>] do_IRQ+0x5d/0xe0
     [<ffffffff81571413>] common_interrupt+0x13/0x13
<EOI>
     [<ffffffff813003f7>] ? intel_idle+0xd7/0x130
     [<ffffffff813003f0>] ? intel_idle+0xd0/0x130
     [<ffffffff8144832b>] cpuidle_idle_call+0xab/0x1c0
     [<ffffffff8100a26b>] cpu_idle+0xab/0xf0
     [<ffffffff81566c59>] start_secondary+0x1cb/0x1d2

Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2011-06-23 23:59:45 +00:00
..
loopback [SCSI] target: Convert TASK_ATTR to scsi_tcq.h definitions 2011-05-24 13:03:56 -04:00
tcm_fc [SCSI] target: Convert TASK_ATTR to scsi_tcq.h definitions 2011-05-24 13:03:56 -04:00
Kconfig [SCSI] tcm_fc: Adding FC_FC4 provider (tcm_fc) for FCoE target (TCM - target core) support 2011-05-17 10:52:46 +04:00
Makefile [SCSI] tcm_fc: Adding FC_FC4 provider (tcm_fc) for FCoE target (TCM - target core) support 2011-05-17 10:52:46 +04:00
target_core_alua.c Merge branch 'master' into for-next 2011-04-26 10:22:59 +02:00
target_core_alua.h
target_core_cdb.c [SCSI] target: Fix volume size misreporting for volumes > 2TB 2011-03-14 18:31:08 -05:00
target_core_configfs.c [SCSI] target: Convert REPORT_LUNs to use int_to_scsilun 2011-05-24 13:02:42 -04:00
target_core_device.c target: Fix transport_get_lun_for_tmr failure cases 2011-06-23 23:59:45 +00:00
target_core_fabric_configfs.c [SCSI] target: add initial statistics 2011-03-23 11:36:50 -05:00
target_core_fabric_lib.c Fix common misspellings 2011-03-31 11:26:23 -03:00
target_core_file.c Fix common misspellings 2011-03-31 11:26:23 -03:00
target_core_file.h
target_core_hba.c [SCSI] target: Remove unnecessary hba_dev_list walk and se_clear_dev_ports legacy code 2011-03-23 11:36:27 -05:00
target_core_hba.h
target_core_iblock.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-03-25 21:06:13 -07:00
target_core_iblock.h
target_core_pr.c Fix common misspellings 2011-03-31 11:26:23 -03:00
target_core_pr.h
target_core_pscsi.c [SCSI] target: Convert TASK_ATTR to scsi_tcq.h definitions 2011-05-24 13:03:56 -04:00
target_core_pscsi.h
target_core_rd.c [SCSI] target: Convert rd_build_device_space() to use errno 2011-03-23 11:36:32 -05:00
target_core_rd.h [SCSI] target: Minor sparse warning fixes and annotations 2011-03-23 11:36:29 -05:00
target_core_scdb.c
target_core_scdb.h
target_core_stat.c [SCSI] target: add initial statistics 2011-03-23 11:36:50 -05:00
target_core_stat.h [SCSI] target: add initial statistics 2011-03-23 11:36:50 -05:00
target_core_tmr.c target: Fix transport_get_lun_for_tmr failure cases 2011-06-23 23:59:45 +00:00
target_core_tpg.c drivers: remove extraneous includes of smp_lock.h 2011-03-02 00:02:40 +01:00
target_core_transport.c [SCSI] target: Convert TASK_ATTR to scsi_tcq.h definitions 2011-05-24 13:03:56 -04:00
target_core_ua.c Fix common misspellings 2011-03-31 11:26:23 -03:00
target_core_ua.h