-
Nicholas Bellinger authored
This patch addresses a bug reported during iser-target login/logout stress testing, where iscsit_take_action_for_connection_exit() is incorrectly invoking iscsit_close_connection() twice during IN_LOGOUT state, after connection shutdown has already been initiated by iser-target code. Here is the backtrace: BUG: unable to handle kernel NULL pointer dereference at 00000000000001f0 IP: [<ffffffffa033d992>] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] PGD 0 Oops: 0000 [#1] SMP Modules linked in: target_core_pscsi(O) target_core_file(O) target_core_iblock(O) ib_isert(O) iscsi_target_mod(O) ib_srpt(O) tcm_loop(O) tcm_fc(O) target_core_mod(O) mst_pciconf(OE) bonding mlx5_ib(O) mlx5_core libfc scsi_transport_fc netconsole configfs nfsv3 nfs_acl mlx4_ib(O) rdma_ucm(O) ib_ucm(O) rdma_cm(O) iw_cm(O) ib_uverbs(O) libiscsi_tcp libiscsi scsi_transport_iscsi mlx4_en mlx4_core ib_ipoib(O) ib_cm(O) ib_sa(O) ib_umad(O) ib_mad(O) ib_core(O) ib_addr(O) rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs fscache lockd grace autofs4 sunrpc 8021q garp stp llc ipv6 dm_mirror dm_region_hash dm_log dm_multipath uinput ipmi_si ipmi_msghandler acpi_pad iTCO_wdt iTCO_vendor_support dcdbas microcode pcspkr wmi sb_edac edac_core sg lpc_ich mfd_core shpchp tg3 ptp pps_core dm_mod ext3(E) jbd(E) mbcache(E) sr_mod(E) cdrom(E) sd_mod(E) ahci(E) libahci(E) megaraid_sas(E) [last unloaded: target_core_mod] CPU: 2 PID: 5280 Comm: iscsi_ttx Tainted: G W OE 3.18.0-rc2+ #22 Hardware name: Dell Inc. PowerEdge R720/0VWT90, BIOS 2.0.9 03/08/2013 task: ffff8806132f9010 ti: ffff880601d6c000 task.ti: ffff880601d6c000 RIP: 0010:[<ffffffffa033d992>] [<ffffffffa033d992>] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] RSP: 0018:ffff880601d6fe18 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffff8805dc437800 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000200 RDI: ffffffffa033d98b RBP: ffff880601d6fe28 R08: 0000000000000000 R09: 000000000000dd37 R10: 00000000ec5d4202 R11: 0000000000000001 R12: ffff8805dc437bf4 R13: ffff88061b831600 R14: ffff880601d6fe58 R15: ffff8806132f9010 FS: 0000000000000000(0000) GS:ffff88032fa20000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001f0 CR3: 0000000001a14000 CR4: 00000000000407e0 Stack: ffff8805dc437800 fffffffffffffe00 ffff880601d6feb8 ffffffffa034ed40 ffff8806132f9010 ffff880601d6fe70 0f00000000000000 ffff8805d51fbef0 0000000000000000 ffff8806132f9010 ffffffff8108e7f0 ffff880601d6fe70 Call Trace: [<ffffffffa034ed40>] iscsi_target_tx_thread+0x160/0x220 [iscsi_target_mod] [<ffffffff8108e7f0>] ? bit_waitqueue+0xb0/0xb0 [<ffffffffa034ebe0>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod] [<ffffffff8107017e>] kthread+0xce/0xf0 [<ffffffff810700b0>] ? kthread_freezable_should_stop+0x70/0x70 [<ffffffff815a0b6c>] ret_from_fork+0x7c/0xb0 [<ffffffff810700b0>] ? kthread_freezable_should_stop+0x70/0x70 Code: 06 0f 84 82 00 00 00 3c 08 74 4e f6 05 39 e6 02 00 04 0f 85 9e 00 00 00 c6 43 19 08 4c 89 e7 e8 65 2a 26 e1 48 8b 83 a0 04 00 00 <48> 8b 88 f0 01 00 00 80 b9 d8 04 00 00 02 74 2e f6 05 31 e6 02 RIP [<ffffffffa033d992>] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] RSP <ffff880601d6fe18> CR2: 00000000000001f0 ---[ end trace a0c33436cd0836b4 ]--- This special case is still required by ISCSI_TCP transport during a iscsit_handle_logout_cmd() failure case in iscsi_target_rx_opcode(), but must be avoided for iser-target. Reported-by: Sagi Grimberg <sagig@mellanox.com> Reported-by: Slava Shwartsman <valyushash@gmail.com> Cc: Sagi Grimberg <sagig@mellanox.com> Cc: Slava Shwartsman <valyushash@gmail.com> Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
72859d91