Commit 51093254 authored by Bart Van Assche's avatar Bart Van Assche Committed by Doug Ledford
Browse files

IB/srpt: Simplify srpt_handle_tsk_mgmt() 



Let the target core check task existence instead of the SRP target
driver. Additionally, let the target core check the validity of the
task management request instead of the ib_srpt driver.

This patch fixes the following kernel crash:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffffa0565f37>] srpt_handle_new_iu+0x6d7/0x790 [ib_srpt]
Oops: 0002 [#1] SMP
Call Trace:
 [<ffffffffa05660ce>] srpt_process_completion+0xde/0x570 [ib_srpt]
 [<ffffffffa056669f>] srpt_compl_thread+0x13f/0x160 [ib_srpt]
 [<ffffffff8109726f>] kthread+0xcf/0xe0
 [<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0

Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
Fixes: 3e4f5748 ("ib_srpt: Convert TMR path to target_submit_tmr")
Tested-by: default avatarAlex Estrin <alex.estrin@intel.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent fc77dbd3

drivers/infiniband/ulp/srpt/ib_srpt.c

+1 −58
Original line number Diff line number Diff line
@@ -1670,47 +1670,6 @@ send_sense: 
	return -1;

}



/**

 * srpt_rx_mgmt_fn_tag() - Process a task management function by tag.

 * @ch: RDMA channel of the task management request.

 * @fn: Task management function to perform.

 * @req_tag: Tag of the SRP task management request.

 * @mgmt_ioctx: I/O context of the task management request.

 *

 * Returns zero if the target core will process the task management

 * request asynchronously.

 *

 * Note: It is assumed that the initiator serializes tag-based task management

 * requests.

 */

static int srpt_rx_mgmt_fn_tag(struct srpt_send_ioctx *ioctx, u64 tag)

{

	struct srpt_device *sdev;

	struct srpt_rdma_ch *ch;

	struct srpt_send_ioctx *target;

	int ret, i;



	ret = -EINVAL;

	ch = ioctx->ch;

	BUG_ON(!ch);

	BUG_ON(!ch->sport);

	sdev = ch->sport->sdev;

	BUG_ON(!sdev);

	spin_lock_irq(&sdev->spinlock);

	for (i = 0; i < ch->rq_size; ++i) {

		target = ch->ioctx_ring[i];

		if (target->cmd.se_lun == ioctx->cmd.se_lun &&

		    target->cmd.tag == tag &&

		    srpt_get_cmd_state(target) != SRPT_STATE_DONE) {

			ret = 0;

			/* now let the target core abort &target->cmd; */

			break;

		}

	}

	spin_unlock_irq(&sdev->spinlock);

	return ret;

}



static int srp_tmr_to_tcm(int fn)

{

	switch (fn) {
@@ -1745,7 +1704,6 @@ static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch, 
	struct se_cmd *cmd;

	struct se_session *sess = ch->sess;

	uint64_t unpacked_lun;

	uint32_t tag = 0;

	int tcm_tmr;

	int rc;
@@ -1761,25 +1719,10 @@ static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch, 
	srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);

	send_ioctx->cmd.tag = srp_tsk->tag;

	tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);

	if (tcm_tmr < 0) {

		send_ioctx->cmd.se_tmr_req->response =

			TMR_TASK_MGMT_FUNCTION_NOT_SUPPORTED;

		goto fail;

	}

	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_tsk->lun,

				       sizeof(srp_tsk->lun));



	if (srp_tsk->tsk_mgmt_func == SRP_TSK_ABORT_TASK) {

		rc = srpt_rx_mgmt_fn_tag(send_ioctx, srp_tsk->task_tag);

		if (rc < 0) {

			send_ioctx->cmd.se_tmr_req->response =

					TMR_TASK_DOES_NOT_EXIST;

			goto fail;

		}

		tag = srp_tsk->task_tag;

	}

	rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL, unpacked_lun,

				srp_tsk, tcm_tmr, GFP_KERNEL, tag,

				srp_tsk, tcm_tmr, GFP_KERNEL, srp_tsk->task_tag,

				TARGET_SCF_ACK_KREF);

	if (rc != 0) {

		send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;

CRA Git | Maintained and supported by SUSTech CRA and CCSE