From 72859d91d93319c00a18c29f577e56bf73a8654a Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger Date: Thu, 12 Feb 2015 00:48:25 -0800 Subject: [PATCH] iscsi-target: Avoid IN_LOGOUT failure case for iser-target This patch addresses a bug reported during iser-target login/logout stress testing, where iscsit_take_action_for_connection_exit() is incorrectly invoking iscsit_close_connection() twice during IN_LOGOUT state, after connection shutdown has already been initiated by iser-target code. Here is the backtrace: BUG: unable to handle kernel NULL pointer dereference at 00000000000001f0 IP: [] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] PGD 0 Oops: 0000 [#1] SMP Modules linked in: target_core_pscsi(O) target_core_file(O) target_core_iblock(O) ib_isert(O) iscsi_target_mod(O) ib_srpt(O) tcm_loop(O) tcm_fc(O) target_core_mod(O) mst_pciconf(OE) bonding mlx5_ib(O) mlx5_core libfc scsi_transport_fc netconsole configfs nfsv3 nfs_acl mlx4_ib(O) rdma_ucm(O) ib_ucm(O) rdma_cm(O) iw_cm(O) ib_uverbs(O) libiscsi_tcp libiscsi scsi_transport_iscsi mlx4_en mlx4_core ib_ipoib(O) ib_cm(O) ib_sa(O) ib_umad(O) ib_mad(O) ib_core(O) ib_addr(O) rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs fscache lockd grace autofs4 sunrpc 8021q garp stp llc ipv6 dm_mirror dm_region_hash dm_log dm_multipath uinput ipmi_si ipmi_msghandler acpi_pad iTCO_wdt iTCO_vendor_support dcdbas microcode pcspkr wmi sb_edac edac_core sg lpc_ich mfd_core shpchp tg3 ptp pps_core dm_mod ext3(E) jbd(E) mbcache(E) sr_mod(E) cdrom(E) sd_mod(E) ahci(E) libahci(E) megaraid_sas(E) [last unloaded: target_core_mod] CPU: 2 PID: 5280 Comm: iscsi_ttx Tainted: G W OE 3.18.0-rc2+ #22 Hardware name: Dell Inc. PowerEdge R720/0VWT90, BIOS 2.0.9 03/08/2013 task: ffff8806132f9010 ti: ffff880601d6c000 task.ti: ffff880601d6c000 RIP: 0010:[] [] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] RSP: 0018:ffff880601d6fe18 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffff8805dc437800 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000200 RDI: ffffffffa033d98b RBP: ffff880601d6fe28 R08: 0000000000000000 R09: 000000000000dd37 R10: 00000000ec5d4202 R11: 0000000000000001 R12: ffff8805dc437bf4 R13: ffff88061b831600 R14: ffff880601d6fe58 R15: ffff8806132f9010 FS: 0000000000000000(0000) GS:ffff88032fa20000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001f0 CR3: 0000000001a14000 CR4: 00000000000407e0 Stack: ffff8805dc437800 fffffffffffffe00 ffff880601d6feb8 ffffffffa034ed40 ffff8806132f9010 ffff880601d6fe70 0f00000000000000 ffff8805d51fbef0 0000000000000000 ffff8806132f9010 ffffffff8108e7f0 ffff880601d6fe70 Call Trace: [] iscsi_target_tx_thread+0x160/0x220 [iscsi_target_mod] [] ? bit_waitqueue+0xb0/0xb0 [] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod] [] kthread+0xce/0xf0 [] ? kthread_freezable_should_stop+0x70/0x70 [] ret_from_fork+0x7c/0xb0 [] ? kthread_freezable_should_stop+0x70/0x70 Code: 06 0f 84 82 00 00 00 3c 08 74 4e f6 05 39 e6 02 00 04 0f 85 9e 00 00 00 c6 43 19 08 4c 89 e7 e8 65 2a 26 e1 48 8b 83 a0 04 00 00 <48> 8b 88 f0 01 00 00 80 b9 d8 04 00 00 02 74 2e f6 05 31 e6 02 RIP [] iscsit_take_action_for_connection_exit+0x62/0x110 [iscsi_target_mod] RSP CR2: 00000000000001f0 ---[ end trace a0c33436cd0836b4 ]--- This special case is still required by ISCSI_TCP transport during a iscsit_handle_logout_cmd() failure case in iscsi_target_rx_opcode(), but must be avoided for iser-target. Reported-by: Sagi Grimberg Reported-by: Slava Shwartsman Cc: Sagi Grimberg Cc: Slava Shwartsman Cc: stable@vger.kernel.org # 3.10+ Signed-off-by: Nicholas Bellinger --- drivers/target/iscsi/iscsi_target_erl0.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target_erl0.c b/drivers/target/iscsi/iscsi_target_erl0.c index bdd8731a4daa..1c197bad6132 100644 --- a/drivers/target/iscsi/iscsi_target_erl0.c +++ b/drivers/target/iscsi/iscsi_target_erl0.c @@ -22,6 +22,7 @@ #include #include +#include #include "iscsi_target_seq_pdu_list.h" #include "iscsi_target_tq.h" #include "iscsi_target_erl0.h" @@ -939,7 +940,8 @@ void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) if (conn->conn_state == TARG_CONN_STATE_IN_LOGOUT) { spin_unlock_bh(&conn->state_lock); - iscsit_close_connection(conn); + if (conn->conn_transport->transport_type == ISCSI_TCP) + iscsit_close_connection(conn); return; } -- 2.20.1