IB/srpt: Simplify srpt_handle_tsk_mgmt()
Let the target core check task existence instead of the SRP target
driver. Additionally, let the target core check the validity of the
task management request instead of the ib_srpt driver.
This patch fixes the following kernel crash:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffffa0565f37>] srpt_handle_new_iu+0x6d7/0x790 [ib_srpt]
Oops: 0002 [#1] SMP
Call Trace:
[<ffffffffa05660ce>] srpt_process_completion+0xde/0x570 [ib_srpt]
[<ffffffffa056669f>] srpt_compl_thread+0x13f/0x160 [ib_srpt]
[<ffffffff8109726f>] kthread+0xcf/0xe0
[<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Fixes: 3e4f574857 ("ib_srpt: Convert TMR path to target_submit_tmr")
Tested-by: Alex Estrin <alex.estrin@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
This commit is contained in:
Bart Van Assche
Doug Ledford
parent
fc77dbd34c
commit
51093254bf
|
|
@ -1670,47 +1670,6 @@ send_sense:
|
|||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
* srpt_rx_mgmt_fn_tag() - Process a task management function by tag.
|
||||
* @ch: RDMA channel of the task management request.
|
||||
* @fn: Task management function to perform.
|
||||
* @req_tag: Tag of the SRP task management request.
|
||||
* @mgmt_ioctx: I/O context of the task management request.
|
||||
*
|
||||
* Returns zero if the target core will process the task management
|
||||
* request asynchronously.
|
||||
*
|
||||
* Note: It is assumed that the initiator serializes tag-based task management
|
||||
* requests.
|
||||
*/
|
||||
static int srpt_rx_mgmt_fn_tag(struct srpt_send_ioctx *ioctx, u64 tag)
|
||||
{
|
||||
struct srpt_device *sdev;
|
||||
struct srpt_rdma_ch *ch;
|
||||
struct srpt_send_ioctx *target;
|
||||
int ret, i;
|
||||
|
||||
ret = -EINVAL;
|
||||
ch = ioctx->ch;
|
||||
BUG_ON(!ch);
|
||||
BUG_ON(!ch->sport);
|
||||
sdev = ch->sport->sdev;
|
||||
BUG_ON(!sdev);
|
||||
spin_lock_irq(&sdev->spinlock);
|
||||
for (i = 0; i < ch->rq_size; ++i) {
|
||||
target = ch->ioctx_ring[i];
|
||||
if (target->cmd.se_lun == ioctx->cmd.se_lun &&
|
||||
target->cmd.tag == tag &&
|
||||
srpt_get_cmd_state(target) != SRPT_STATE_DONE) {
|
||||
ret = 0;
|
||||
/* now let the target core abort &target->cmd; */
|
||||
break;
|
||||
}
|
||||
}
|
||||
spin_unlock_irq(&sdev->spinlock);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int srp_tmr_to_tcm(int fn)
|
||||
{
|
||||
switch (fn) {
|
||||
|
|
@ -1745,7 +1704,6 @@ static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch,
|
|||
struct se_cmd *cmd;
|
||||
struct se_session *sess = ch->sess;
|
||||
uint64_t unpacked_lun;
|
||||
uint32_t tag = 0;
|
||||
int tcm_tmr;
|
||||
int rc;
|
||||
|
||||
|
|
@ -1761,25 +1719,10 @@ static void srpt_handle_tsk_mgmt(struct srpt_rdma_ch *ch,
|
|||
srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);
|
||||
send_ioctx->cmd.tag = srp_tsk->tag;
|
||||
tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);
|
||||
if (tcm_tmr < 0) {
|
||||
send_ioctx->cmd.se_tmr_req->response =
|
||||
TMR_TASK_MGMT_FUNCTION_NOT_SUPPORTED;
|
||||
goto fail;
|
||||
}
|
||||
unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_tsk->lun,
|
||||
sizeof(srp_tsk->lun));
|
||||
|
||||
if (srp_tsk->tsk_mgmt_func == SRP_TSK_ABORT_TASK) {
|
||||
rc = srpt_rx_mgmt_fn_tag(send_ioctx, srp_tsk->task_tag);
|
||||
if (rc < 0) {
|
||||
send_ioctx->cmd.se_tmr_req->response =
|
||||
TMR_TASK_DOES_NOT_EXIST;
|
||||
goto fail;
|
||||
}
|
||||
tag = srp_tsk->task_tag;
|
||||
}
|
||||
rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL, unpacked_lun,
|
||||
srp_tsk, tcm_tmr, GFP_KERNEL, tag,
|
||||
srp_tsk, tcm_tmr, GFP_KERNEL, srp_tsk->task_tag,
|
||||
TARGET_SCF_ACK_KREF);
|
||||
if (rc != 0) {
|
||||
send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;
|
||||
|
|
|
|||
Loading…
Reference in New Issue