Re: [PATCH-v3 12/14] xen-scsiback: Convert to TARGET_SCF_ACK_KREF I/O krefs

2016-02-02 Thread Nicholas A. Bellinger
Hi Juergen,

On Tue, 2016-02-02 at 17:31 +0100, Juergen Gross wrote:
> On 30/01/16 08:05, Nicholas A. Bellinger wrote:
> > From: Nicholas Bellinger 
> > 
> > Cc: Juergen Gross 
> > Cc: Hannes Reinecke 
> > Cc: David Vrabel 
> > Signed-off-by: Nicholas Bellinger 
> 
> Sorry, with your patches applied xen-scsiback isn't working any more.
> I've tried multiple times with and without your patches. Without the
> patches everything is fine, while with the patches applied I get the
> warnings shown in the attached log. I just passed through a DVD drive
> and did "eject" in the domain.
> 

Thanks for testing.  :)

So it looks like a left-over memset of pending_req->se_cmd memory in
scsiback_cmd_exec() was clobbering the saved percpu_ida map_tag from
scsiback_get_pend_req(), resulting in a use-after-free.

Please verify with the following:

diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index eaf9e21..c3f55a2 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -400,10 +400,6 @@ static void scsiback_cmd_exec(struct vscsibk_pend 
*pending_req)
struct se_session *sess = pending_req->v2p->tpg->tpg_nexus->tvn_se_sess;
int rc;
 
-   memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE);
-
-   memset(se_cmd, 0, sizeof(*se_cmd));
-
scsiback_get(pending_req->info);
se_cmd->tag = pending_req->rqid;
rc = target_submit_cmd_map_sgls(se_cmd, sess, pending_req->cmnd,
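Review bot: The first removed line, memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE), is not covered by the explanation above, which only concerns the se_cmd memset clobbering the saved map_tag. If pending_req is now handed out from a reused tag pool, please confirm the sense buffer is cleared where the request is allocated in scsiback_get_pend_req(), or keep this memset, so that a command completing without sense data cannot return stale sense bytes from an earlier request to the frontend. The fix should also carry a changelog sentence saying why the se_cmd memset has to go.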


--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
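
The failure mode described in the message above, as an added user-space model that is not part of the original post and is not kernel code: an allocator saves its slot tag inside an embedded command struct, and a later memset of that struct makes the release path free the wrong slot. The names `struct cmd`, `struct pend_req`, `get_req`, `put_req`, `cmd_exec` and the four-slot pool are hypothetical stand-ins for `se_cmd`, `vscsibk_pend` and the percpu_ida tag pool.

```c
#include <stdbool.h>
#include <string.h>
#define POOL_SIZE 4

/* Hypothetical stand-ins for se_cmd and vscsibk_pend; not the kernel structs. */
struct cmd { int map_tag; int tag; };
struct pend_req { unsigned char sense[16]; struct cmd se_cmd; };
static struct pend_req pool[POOL_SIZE];
static bool in_use[POOL_SIZE];

/* Allocate a free slot and save its tag inside the embedded command. */
static struct pend_req *get_req(void)
{
    for (int t = 0; t < POOL_SIZE; t++) {
        if (!in_use[t]) {
            in_use[t] = true;
            memset(&pool[t], 0, sizeof(pool[t])); /* clear once, at allocation */
            pool[t].se_cmd.map_tag = t;
            return &pool[t];
        }
    }
    return NULL;
}

/* Release whichever slot the saved tag names. */
static void put_req(struct pend_req *req)
{
    in_use[req->se_cmd.map_tag] = false;
}

/* Submit path; clear_cmd models the left-over memset of the embedded command. */
static void cmd_exec(struct pend_req *req, int rqid, bool clear_cmd)
{
    if (clear_cmd)
        memset(&req->se_cmd, 0, sizeof(req->se_cmd)); /* wipes map_tag too */
    req->se_cmd.tag = rqid;
}

/* True if a fresh allocation aliases a request that is still in flight. */
static bool slot_reused_while_in_flight(bool clear_cmd)
{
    memset(in_use, 0, sizeof(in_use));
    struct pend_req *a = get_req(); /* slot 0, stays in flight */
    struct pend_req *b = get_req(); /* slot 1, completes first */
    cmd_exec(b, 101, clear_cmd);
    put_req(b);                     /* with the memset this frees slot 0 */
    return get_req() == a;
}

int main(void) { return !slot_reused_while_in_flight(true); }
```

With the memset in place, releasing the second request frees slot 0 while the first request still owns it, so the next allocation hands out memory that is still in use; without it, the release frees slot 1 as intended.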


Re: [PATCH-v3 12/14] xen-scsiback: Convert to TARGET_SCF_ACK_KREF I/O krefs

2016-02-02 Thread Juergen Gross
On 30/01/16 08:05, Nicholas A. Bellinger wrote:
> From: Nicholas Bellinger 
> 
> Cc: Juergen Gross 
> Cc: Hannes Reinecke 
> Cc: David Vrabel 
> Signed-off-by: Nicholas Bellinger 

Sorry, with your patches applied xen-scsiback isn't working any more.
I've tried multiple times with and without your patches. Without the
patches everything is fine, while with the patches applied I get the
warnings shown in the attached log. I just passed through a DVD drive
and did "eject" in the domain.


Juergen

[10984.266570] ------------[ cut here ]------------
[10984.266597] WARNING: CPU: 0 PID: 0 at drivers/target/target_core_transport.c:717 target_complete_cmd+0x1cb/0x200 [target_core_mod]()
[10984.266601] Modules linked in: xt_physdev br_netfilter iptable_filter 
ip_tables x_tables loop target_core_pscsi target_core_file target_core_iblock 
iscsi_target_mod tcm_loop xen_scsiback bridge stp llc iscsi_ibft 
iscsi_boot_sysfs tun arc4 iwldvm mac80211 joydev iwlwifi uvcvideo 
videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core 
snd_hda_codec_realtek cfg80211 snd_hda_codec_hdmi snd_hda_codec_generic 
videodev intel_rapl x86_pkg_temp_thermal e1000e intel_powerclamp snd_hda_intel 
media snd_hda_codec coretemp crct10dif_pclmul iTCO_wdt snd_hda_core 
crc32_pclmul iTCO_vendor_support dell_laptop crc32c_intel sdhci_pci rfkill 
ghash_clmulni_intel ptp snd_hwdep hmac i2c_hid drbg snd_pcm ansi_cprng hid 
dell_wmi ppdev snd_timer sparse_keymap dcdbas dell_smm_hwmon parport_pc parport 
snd i2c_designware_platform
[10984.266670]  i2c_designware_core thermal tpm_tis xhci_pci tpm evdev mei_me 
xhci_hcd aesni_intel mei aes_x86_64 psmouse shpchp lrw lpc_ich gf128mul 
i2c_i801 soundcore mfd_core pps_core ac glue_helper ablk_helper battery 
serio_raw pcspkr cryptd wmi target_core_mod xenfs xen_privcmd configfs dm_mod 
ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom i915 ehci_pci ehci_hcd i2c_algo_bit 
drm_kms_helper ahci libahci libata usbcore usb_common drm sdhci_acpi video 
sdhci mmc_core button xen_acpi_processor xen_pciback xen_netback xen_blkback 
xen_gntalloc xen_gntdev xen_evtchn sg scsi_mod autofs4
[10984.266735] CPU: 0 PID: 0 Comm: swapper/0 Tainted: GW 4.5.0-rc1-pv+ #1
[10984.266739] Hardware name: Dell Inc. Latitude E6440/0159N7, BIOS A07 06/26/2014
[10984.266742]  a0422408 812e8bb4  
8106e95c
[10984.266748]  8800d2e007d0 8800d2e008e0 0001 
a08c3150
[10984.266753]   a04091ab 8800da13ea20 
88000294f7c0
[10984.266758] Call Trace:
[10984.266761][] ? dump_stack+0x40/0x5c
[10984.266776]  [] ? warn_slowpath_common+0x7c/0xb0
[10984.266784]  [] ? pscsi_bi_endio+0x10/0x10 [target_core_pscsi]
[10984.266794]  [] ? target_complete_cmd+0x1cb/0x200 [target_core_mod]
[10984.266799]  [] ? pscsi_req_done+0x85/0xd0 [target_core_pscsi]
[10984.266811]  [] ? scsi_end_request+0xf7/0x1a0 [scsi_mod]
[10984.266820]  [] ? scsi_io_completion+0xfa/0x5f0 [scsi_mod]
[10984.266830]  [] ? blk_done_softirq+0x73/0x90
[10984.266836]  [] ? __do_softirq+0xcc/0x240
[10984.266842]  [] ? irq_exit+0x86/0x90
[10984.266852]  [] ? xen_evtchn_do_upcall+0x2c/0x40
[10984.266862]  [] ? xen_do_hypervisor_callback+0x1e/0x40
[10984.266864][] ? xen_hypercall_sched_op+0xa/0x20
[10984.266874]  [] ? xen_hypercall_sched_op+0xa/0x20
[10984.266882]  [] ? xen_safe_halt+0xc/0x20
[10984.266891]  [] ? default_idle+0x13/0x90
[10984.266898]  [] ? cpu_startup_entry+0x25d/0x2f0
[10984.266903]  [] ? start_kernel+0x471/0x47c
[10984.266907]  [] ? set_init_arg+0x50/0x50
[10984.266912]  [] ? xen_start_kernel+0x522/0x52c
[10984.266916] ---[ end trace 07ad307d0cb62aa4 ]---

[10984.266940] ------------[ cut here ]------------
[10984.266953] WARNING: CPU: 0 PID: 2448 at drivers/target/target_core_transport.c:2120 target_complete_ok_work+0x291/0x2e0 [target_core_mod]()
[10984.266955] Modules linked in: xt_physdev br_netfilter iptable_filter 
ip_tables x_tables loop target_core_pscsi target_core_file target_core_iblock 
iscsi_target_mod tcm_loop xen_scsiback bridge stp llc iscsi_ibft 
iscsi_boot_sysfs tun arc4 iwldvm mac80211 joydev iwlwifi uvcvideo 
videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core 
snd_hda_codec_realtek cfg80211 snd_hda_codec_hdmi snd_hda_codec_generic 
videodev intel_rapl x86_pkg_temp_thermal e1000e intel_powerclamp snd_hda_intel 
media snd_hda_codec coretemp crct10dif_pclmul iTCO_wdt snd_hda_core 
crc32_pclmul iTCO_vendor_support dell_laptop crc32c_intel sdhci_pci rfkill 
ghash_clmulni_intel ptp snd_hwdep hmac i2c_hid drbg snd_pcm ansi_cprng hid 
dell_wmi ppdev snd_timer sparse_keymap dcdbas dell_smm_hwmon parport_pc parport 
snd i2c_designware_platform
[10984.267013]  i2c_designware_core thermal tpm_tis xhci_pci tpm evdev mei_me 
xhci_hcd aesni_intel mei aes_x86_64 psmouse shpchp lrw lpc_ich gf128mul 
i2c_i801 soundcore mfd_core