[ofa-general] Re: [PATCH 2.6.30.4] Fix for NULL pointer dereference by SRP initiator triggered by a SCSI reset after the SRP connection has been closed

Bart Van Assche bart.vanassche at gmail.com
Tue Aug 4 09:07:31 PDT 2009


On Mon, Aug 3, 2009 at 10:36 PM, Roland Dreier<rdreier at cisco.com> wrote:
> How do we end up in srp_reset_device() with req->scmnd->device == NULL?
> Presumably req->scmnd should match scmnd if I am understanding the code
> properly -- and then scmnd->device == NULL??

An update: apparently it is possible to trigger scmnd->device == NULL even
without triggering a prior IB CM disconnect. The following shell commands
are sufficient to trigger the WARN_ON statement in the patch below:

rmmod ib_srp
modprobe ib_srp
ibsrpdm -c | while read target_info; do
    echo "${target_info}"
    echo "${target_info}" >/sys/class/infiniband_srp/srp-mlx4_0-1/add_target
done
sg_reset -d ${srp_device}

So it should be analyzed why scmnd->device can be NULL before applying any
patches to fix the NULL pointer dereference.

Bart.

--- linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp-orig.c	2009-08-03
12:13:11.000000000 +0200
+++ linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp.c	2009-08-04
17:25:27.000000000 +0200
@@ -1330,6 +1330,8 @@ static int srp_send_tsk_mgmt(struct srp_
 	struct srp_iu *iu;
 	struct srp_tsk_mgmt *tsk_mgmt;

+	BUG_ON(!req->scmnd->device);
+
 	spin_lock_irq(target->scsi_host->host_lock);

 	if (target->state == SRP_TARGET_DEAD ||
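Review bot: the BUG_ON added at the top of srp_send_tsk_mgmt reads req->scmnd before spin_lock_irq(target->scsi_host->host_lock) is taken, so it is not serialized against whatever path clears the command, and it dereferences req->scmnd itself, so a NULL req->scmnd still oopses inside the check rather than being caught by it. Since the message says the cause of scmnd->device == NULL is still to be analysed, a WARN_ON placed inside the locked region next to the target->state test, followed by an error return, would give the same signal without turning the NULL dereference under investigation into a guaranteed panic; BUG_ON is not something to carry into a fix.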
@@ -1425,6 +1427,8 @@ static int srp_reset_device(struct scsi_
 		return FAILED;
 	if (srp_find_req(target, scmnd, &req))
 		return FAILED;
+	if (WARN_ON(!req->scmnd->device))
+		return FAILED;
 	if (srp_send_tsk_mgmt(target, req, SRP_TSK_LUN_RESET))
 		return FAILED;
 	if (req->tsk_status)
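Review bot: the WARN_ON in srp_reset_device dereferences req->scmnd without first confirming it is non-NULL, and when it fires it records nothing about which target or command hit the condition, which is exactly the information the covering message says is still missing; check both pointers, e.g. `if (WARN_ON(!req->scmnd || !req->scmnd->device))`, and add a printk naming the target and scmnd so the warning carries context. Returning FAILED here is the right choice, as it hands the command back to the SCSI error handler for escalation instead of crashing.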
