[Bug 198161] incremental patch-4.9.51-52 on sg.c break Nero 4 nero burning rom application (it works again with patch-4.9.111-112)
https://bugzilla.kernel.org/show_bug.cgi?id=198161

--- Comment #5 from Jean-Luc (luc.ber...@gmail.com) ---
Problem solved with the latest incremental patch (patch-4.9.111-112)
[Bug 198161] incremental patch-4.9.51-52 on sg.c break Nero 4 nero burning rom application (it works again with patch-4.9.111-112)
https://bugzilla.kernel.org/show_bug.cgi?id=198161

Jean-Luc (luc.ber...@gmail.com) changed:

           What    |Removed                     |Added
            Summary|incremental patch-4.9.51-52 |incremental patch-4.9.51-52
                   |on sg.c break Nero 4 nero   |on sg.c break Nero 4 nero
                   |burning rom application     |burning rom application (it
                   |                            |works again with
                   |                            |patch-4.9.111-112)
[PATCH] scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the opcode, it is possible that task->hdr is NULL. There are two cases based on opcode argument - 1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called after iscsi_check_tmf_restrictions() iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu(). Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL pointer dereference. 2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or invalid. This patch fixes this issue by removing task->hdr->opcode from the printk statement. Signed-off-by: Varun Prakash --- drivers/scsi/libiscsi.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index d609383..c972cc2 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -284,11 +284,11 @@ static int iscsi_check_tmf_restrictions(struct iscsi_task *task, int opcode) */ if (opcode != ISCSI_OP_SCSI_DATA_OUT) { iscsi_conn_printk(KERN_INFO, conn, - "task [op %x/%x itt " + "task [op %x itt " "0x%x/0x%x] " "rejected.\n", - task->hdr->opcode, opcode, - task->itt, task->hdr_itt); + opcode, task->itt, + task->hdr_itt); return -EACCES; } /* @@ -297,10 +297,10 @@ static int iscsi_check_tmf_restrictions(struct iscsi_task *task, int opcode) */ if (conn->session->fast_abort) { iscsi_conn_printk(KERN_INFO, conn, - "task [op %x/%x itt " + "task [op %x itt " "0x%x/0x%x] fast abort.\n", - task->hdr->opcode, opcode, - task->itt, task->hdr_itt); + opcode, task->itt, + task->hdr_itt); return -EACCES; } break; -- 2.0.2
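Review bot: In both hunks of iscsi_check_tmf_restrictions() the message still prints task->hdr_itt, and the commit message says alloc_pdu() only runs after this check for ISCSI_OP_SCSI_CMD, so please confirm that hdr_itt already holds a meaningful value at this point, or drop it from the format string together with the header opcode. The commit message would also benefit from a Fixes: tag naming the change that introduced the task->hdr->opcode print, since this is a NULL pointer dereference fix that stable trees will want to pick up.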
Re: [PATCH 4/4] fcoe: hold disc_mutex when traversing rport lists
Looks good,
Reviewed-by: Johannes Thumshirn

-- 
Johannes Thumshirn Storage
jthumsh...@suse.de +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
Re: [PATCH 3/4] libfc: Add WARN_ON() when deleting rports
Looks good,
Reviewed-by: Johannes Thumshirn
Re: [PATCH 2/4] libfc: hold disc_mutex in fc_disc_stop_rports()
Looks good,
Reviewed-by: Johannes Thumshirn
Re: [PATCH 1/4] libfc: fixup lockdep annotations
Looks good,
Reviewed-by: Johannes Thumshirn
Re: [PATCH 0/4] libfc/fcoe: disc_mutex fixes
On Wed, 2018-07-11 at 10:09 +0200, Hannes Reinecke wrote:
> Hi all,
>
> it turned out that my original patch for fixing up disc_mutex handling
> wasn't quite perfect, as it was causing 'scheduling while atomic'
> warnings.
> Upon inspection it turns out that we can't use RCU list traversal in
> most cases, as these list iterations would be calling fc_rport_login() /
> fc_rport_logoff(), which in turn would be acquiring a mutex.
> So this patchset fixes up the remaining uses, and also adds a warning
> to catch reference counting issues.
>
> As usual, comments and reviews are welcome.
>
> Hannes Reinecke (4):
>   libfc: fixup lockdep annotations
>   libfc: hold disc_mutex in fc_disc_stop_rports()
>   libfc: Add WARN_ON() when deleting rports
>   fcoe: hold disc_mutex when traversing rport lists
>
>  drivers/scsi/fcoe/fcoe_ctlr.c | 12
>  drivers/scsi/libfc/fc_disc.c  | 10 --
>  drivers/scsi/libfc/fc_rport.c | 3 ++-
>  3 files changed, 10 insertions(+), 15 deletions(-)
>

Hannes

Series looks fine to me, I will try to get this tested as well.

Reviewed-by Laurence Oberman
[PATCH 1/4] libfc: fixup lockdep annotations
fc_rport_recv_plogi_req() needs the lport mutex to be held; the rport mutex will be acquired in the function itself. Fixes: ee35624e1e4e ("scsi: libfc: Add lockdep annotations") Reported-by: Stephen Rothwell Signed-off-by: Hannes Reinecke --- drivers/scsi/libfc/fc_rport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c index 6aff9303251a..3d51a936f6d5 100644 --- a/drivers/scsi/libfc/fc_rport.c +++ b/drivers/scsi/libfc/fc_rport.c @@ -1835,7 +1835,7 @@ static void fc_rport_recv_plogi_req(struct fc_lport *lport, struct fc_seq_els_data rjt_data; u32 sid; - lockdep_assert_held(>rp_mutex); + lockdep_assert_held(>lp_mutex); sid = fc_frame_sid(fp); -- 2.12.3
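Review bot: The commit message does not say what was observed with the old rp_mutex assertion at the top of fc_rport_recv_plogi_req(). Since there is a Reported-by, quote the lockdep warning or name the call path that enters this function with lp_mutex held, so a reader can check that the new lp_mutex assertion holds for every caller and that rp_mutex is indeed never held on entry.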
[PATCH 0/4] libfc/fcoe: disc_mutex fixes
Hi all,

it turned out that my original patch for fixing up disc_mutex handling
wasn't quite perfect, as it was causing 'scheduling while atomic'
warnings.
Upon inspection it turns out that we can't use RCU list traversal in
most cases, as these list iterations would be calling fc_rport_login() /
fc_rport_logoff(), which in turn would be acquiring a mutex.
So this patchset fixes up the remaining uses, and also adds a warning
to catch reference counting issues.

As usual, comments and reviews are welcome.

Hannes Reinecke (4):
  libfc: fixup lockdep annotations
  libfc: hold disc_mutex in fc_disc_stop_rports()
  libfc: Add WARN_ON() when deleting rports
  fcoe: hold disc_mutex when traversing rport lists

 drivers/scsi/fcoe/fcoe_ctlr.c | 12
 drivers/scsi/libfc/fc_disc.c  | 10 --
 drivers/scsi/libfc/fc_rport.c | 3 ++-
 3 files changed, 10 insertions(+), 15 deletions(-)

-- 
2.12.3
[PATCH 3/4] libfc: Add WARN_ON() when deleting rports
The discovery rport list handling is quite odd; the list traversal is independent from the lifetime of the rport itself. This makes auditing quite tricky, and the chance remains that we've missed something. So this patch adds a WARN_ON() statement when freeing an rport which is still part of a list. Signed-off-by: Hannes Reinecke --- drivers/scsi/libfc/fc_rport.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c index 3d51a936f6d5..d69531ab2db8 100644 --- a/drivers/scsi/libfc/fc_rport.c +++ b/drivers/scsi/libfc/fc_rport.c @@ -184,6 +184,7 @@ void fc_rport_destroy(struct kref *kref) struct fc_rport_priv *rdata; rdata = container_of(kref, struct fc_rport_priv, kref); + WARN_ON(!list_empty(>peers)); kfree_rcu(rdata, rcu); } EXPORT_SYMBOL(fc_rport_destroy); -- 2.12.3
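Review bot: The list_empty() check on the peers entry in fc_rport_destroy() is only reliable if every removal path re-initialises the entry (list_del_init() style); list_del_rcu() leaves the entry's next pointer in place, so after such a removal list_empty() on the entry is false and the WARN_ON() would fire on every free. Please state in the commit message which delete primitive the removal paths use. Also note that after warning the function still reaches kfree_rcu(rdata, rcu), so a genuinely linked rport leaves the list pointing at freed memory; WARN_ON_ONCE() plus a comment on whether freeing anyway is intended would make the diagnostic safer on systems that set panic_on_warn.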
[PATCH 2/4] libfc: hold disc_mutex in fc_disc_stop_rports()
fc_disc_stop_rports() is calling fc_rport_logoff(), which in turn is acquiring the rport mutex. So we cannot use RCU list traversal here, but rather need to hold the disc mutex to avoid list corruption while traversing. Fixes: a407c593398c ("scsi: libfc: Fixup disc_mutex handling") Signed-off-by: Hannes Reinecke --- drivers/scsi/libfc/fc_disc.c | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c index c1756b9b3ea5..f969a71348ef 100644 --- a/drivers/scsi/libfc/fc_disc.c +++ b/drivers/scsi/libfc/fc_disc.c @@ -62,20 +62,16 @@ static void fc_disc_restart(struct fc_disc *); */ static void fc_disc_stop_rports(struct fc_disc *disc) { - struct fc_lport *lport; struct fc_rport_priv *rdata; - lport = fc_disc_lport(disc); - lockdep_assert_held(>lp_mutex); + lockdep_assert_held(>disc_mutex); - rcu_read_lock(); - list_for_each_entry_rcu(rdata, >rports, peers) { + list_for_each_entry(rdata, >rports, peers) { if (kref_get_unless_zero(>kref)) { fc_rport_logoff(rdata); kref_put(>kref, fc_rport_destroy); } } - rcu_read_unlock(); } /** @@ -699,7 +695,9 @@ static void fc_disc_stop(struct fc_lport *lport) if (disc->pending) cancel_delayed_work_sync(>disc_work); + mutex_lock(>disc_mutex); fc_disc_stop_rports(disc); + mutex_unlock(>disc_mutex); } /** -- 2.12.3
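Review bot: In fc_disc_stop_rports(), once rcu_read_lock() is gone nothing visibly keeps rdata alive between kref_put(..., fc_rport_destroy) and the loop advancing through the peers entry with plain list_for_each_entry(). If that put can be the last reference, fc_rport_destroy() frees the object via kfree_rcu() and the next iteration reads it outside any RCU read-side section. Please either explain in the commit message why the list membership guarantees another reference while disc_mutex is held, or use list_for_each_entry_safe(). The lp_mutex assertion is also dropped here without comment; say whether callers still hold it, since fc_rport_logoff() is now called under disc_mutex and the resulting lock order should be documented.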
[PATCH 4/4] fcoe: hold disc_mutex when traversing rport lists
When calling either fc_rport_logon() or fc_rport_logoff() during rport list traversal we cannot use the RCU list traversal, as either of these functions will be taking a mutex. So we need to partially revert commit a407c593398c to take the disc mutex during traversal. We should, however, continue to use krefs to ensure that the rport object will not be freed from under us. Fixes: a407c593398c ("scsi: libfc: Fixup disc_mutex handling") Signed-off-by: Hannes Reinecke --- drivers/scsi/fcoe/fcoe_ctlr.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c index ea23c8dffc25..b42bfc790e04 100644 --- a/drivers/scsi/fcoe/fcoe_ctlr.c +++ b/drivers/scsi/fcoe/fcoe_ctlr.c @@ -2175,15 +2175,13 @@ static void fcoe_ctlr_disc_stop_locked(struct fc_lport *lport) { struct fc_rport_priv *rdata; - rcu_read_lock(); + mutex_lock(>disc.disc_mutex); list_for_each_entry_rcu(rdata, >disc.rports, peers) { if (kref_get_unless_zero(>kref)) { fc_rport_logoff(rdata); kref_put(>kref, fc_rport_destroy); } } - rcu_read_unlock(); - mutex_lock(>disc.disc_mutex); lport->disc.disc_callback = NULL; mutex_unlock(>disc.disc_mutex); } @@ -2712,7 +2710,7 @@ static unsigned long fcoe_ctlr_vn_age(struct fcoe_ctlr *fip) unsigned long deadline; next_time = jiffies + msecs_to_jiffies(FIP_VN_BEACON_INT * 10); - rcu_read_lock(); + mutex_lock(>disc.disc_mutex); list_for_each_entry_rcu(rdata, >disc.rports, peers) { if (!kref_get_unless_zero(>kref)) continue; @@ -2733,7 +2731,7 @@ static unsigned long fcoe_ctlr_vn_age(struct fcoe_ctlr *fip) next_time = deadline; kref_put(>kref, fc_rport_destroy); } - rcu_read_unlock(); + mutex_unlock(>disc.disc_mutex); return next_time; } 
@@ -3080,8 +3078,6 @@ static void fcoe_ctlr_vn_disc(struct fcoe_ctlr *fip) mutex_lock(>disc_mutex); callback = disc->pending ? disc->disc_callback : NULL; disc->pending = 0; - mutex_unlock(>disc_mutex); - rcu_read_lock(); list_for_each_entry_rcu(rdata, >rports, peers) { if (!kref_get_unless_zero(>kref)) continue; @@ -3090,7 +3086,7 @@ static void fcoe_ctlr_vn_disc(struct fcoe_ctlr *fip) fc_rport_login(rdata); kref_put(>kref, fc_rport_destroy); } - rcu_read_unlock(); + mutex_unlock(>disc_mutex); if (callback) callback(lport, DISC_EV_SUCCESS); } -- 2.12.3
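Review bot: All three hunks (fcoe_ctlr_disc_stop_locked(), fcoe_ctlr_vn_age() and fcoe_ctlr_vn_disc()) keep list_for_each_entry_rcu() while replacing rcu_read_lock() with mutex_lock() on disc_mutex, which leaves an RCU iterator running outside any RCU read-side section. Patch 2/4 switches the same kind of loop to list_for_each_entry(); do the same here so the iterator matches the protection actually in use. The commit message also refers to fc_rport_logon(), while the code in the last hunk calls fc_rport_login(); please correct the name so the description can be matched against the code.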