[SRU][Bionic][PATCH 0/3] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)


Juerg Haefliger
BugLink: https://bugs.launchpad.net/bugs/1812086

Rebooting an iSCSI target while the initiator is writing to a LUN leads to the following trace:

[   59.879202] ------------[ cut here ]------------
[   59.879202] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296!
[   59.880636] invalid opcode: 0000 [#1] SMP PTI
[   59.881569] Modules linked in: iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_user uio target_core_mod nls_iso8859_1 kvm_intel isofs kvm irqbypass joydev input_leds serio_raw sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse virtio_blk virtio_net floppy
[   59.891096] CPU: 0 PID: 1027 Comm: iscsi_np Not tainted 4.15.0-43-generic #46-Ubuntu
[   59.892726] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1ubuntu1 04/01/2014
[   59.894606] RIP: 0010:kfree+0x16a/0x180
[   59.895429] RSP: 0018:ffffac0d8050fe58 EFLAGS: 00010246
[   59.896531] RAX: ffff9cf099475800 RBX: ffff9cf099475800 RCX: ffff9cf099475800
[   59.898083] RDX: 0000000000011bbb RSI: ffff9cf09fc27140 RDI: ffff9cf09f002000
[   59.899627] RBP: ffffac0d8050fe70 R08: 0000000000000000 R09: ffffffffc07a329b
[   59.901186] R10: ffffe95780651d40 R11: ffffffffa511dc90 R12: ffff9cf099625600
[   59.902769] R13: ffffffffc07a329b R14: ffff9cf09ee07600 R15: ffff9cf099475800
[   59.904321] FS:  0000000000000000(0000) GS:ffff9cf09fc00000(0000) knlGS:0000000000000000
[   59.906120] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.907806] CR2: 00007f7153b88470 CR3: 000000001babe000 CR4: 00000000000006f0
[   59.909376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   59.910950] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   59.913098] Call Trace:
[   59.913783]  iscsi_target_login_sess_out+0x1fb/0x250 [iscsi_target_mod]
[   59.915292]  iscsi_target_login_thread+0x44d/0x1060 [iscsi_target_mod]
[   59.916775]  kthread+0x121/0x140
[   59.917622]  ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
[   59.919244]  ? kthread_create_worker_on_cpu+0x70/0x70
[   59.920483]  ? do_syscall_64+0x73/0x130
[   59.921460]  ? SyS_exit_group+0x14/0x20
[   59.922583]  ret_from_fork+0x35/0x40
[   59.923523] Code: c4 80 74 04 41 8b 72 6c 4c 89 d7 e8 61 1c f9 ff eb 86 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 8b f6 ff ff e9 6d ff ff ff <0f> 0b 48 8b 3d 6d c4 1c 01 e9 c9 fe ff ff 0f 1f 84 00 00 00 00
[   59.927778] RIP: kfree+0x16a/0x180 RSP: ffffac0d8050fe58
[   59.929063] ---[ end trace 082da4d341633d3e ]---

Clean cherry-pick of 3 upstream patches. Successfully tested, no more BUG trace
in the log.

Signed-off-by: Juerg Haefliger <[hidden email]>


Mike Christie (2):
  iscsi target: fix session creation failure handling
  scsi: iscsi: target: Fix conn_ops double free

Vincent Pelletier (1):
  scsi: iscsi: target: Set conn->sess to NULL when
    iscsi_login_set_conn_values fails

 drivers/target/iscsi/iscsi_target.c       |   9 +-
 drivers/target/iscsi/iscsi_target_login.c | 184 ++++++++++++----------
 drivers/target/iscsi/iscsi_target_login.h |   2 +-
 3 files changed, 101 insertions(+), 94 deletions(-)

--
2.19.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
[SRU][Bionic][PATCH 1/3] iscsi target: fix session creation failure handling

Juerg Haefliger
From: Mike Christie <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1812086

The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
iscsi_login_set_conn_values. If the function fails later like when we
alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
iscsi_target_login_sess_out and access the freed memory.

This patch has iscsi_login_zero_tsih_s1 either completely setup the
session or completely tear it down, so later in
iscsi_target_login_sess_out we can just check for it being set to the
connection.

Cc: [hidden email]
Fixes: 0957627a9960 ("iscsi-target: Fix sess allocation leak in...")
Signed-off-by: Mike Christie <[hidden email]>
Acked-by: Martin K. Petersen <[hidden email]>
Signed-off-by: Matthew Wilcox <[hidden email]>
(cherry picked from commit 26abc916a898d34c5ad159315a2f683def3c5555)
Signed-off-by: Juerg Haefliger <[hidden email]>
---
 drivers/target/iscsi/iscsi_target_login.c | 35 ++++++++++++++---------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index 64c5a57b92e4..05801c51c3e2 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -348,8 +348,7 @@ static int iscsi_login_zero_tsih_s1(
  pr_err("idr_alloc() for sess_idr failed\n");
  iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
  ISCSI_LOGIN_STATUS_NO_RESOURCES);
- kfree(sess);
- return -ENOMEM;
+ goto free_sess;
  }
 
  sess->creation_time = get_jiffies_64();
@@ -365,20 +364,28 @@ static int iscsi_login_zero_tsih_s1(
  ISCSI_LOGIN_STATUS_NO_RESOURCES);
  pr_err("Unable to allocate memory for"
  " struct iscsi_sess_ops.\n");
- kfree(sess);
- return -ENOMEM;
+ goto remove_idr;
  }
 
  sess->se_sess = transport_init_session(TARGET_PROT_NORMAL);
  if (IS_ERR(sess->se_sess)) {
  iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
  ISCSI_LOGIN_STATUS_NO_RESOURCES);
- kfree(sess->sess_ops);
- kfree(sess);
- return -ENOMEM;
+ goto free_ops;
  }
 
  return 0;
+
+free_ops:
+ kfree(sess->sess_ops);
+remove_idr:
+ spin_lock_bh(&sess_idr_lock);
+ idr_remove(&sess_idr, sess->session_index);
+ spin_unlock_bh(&sess_idr_lock);
+free_sess:
+ kfree(sess);
+ conn->sess = NULL;
+ return -ENOMEM;
 }
 
 static int iscsi_login_zero_tsih_s2(
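Review bot: the unwind chain `free_ops` -> `remove_idr` -> `free_sess` is ordered correctly, and clearing `conn->sess` at `free_sess` is what makes the caller's `!conn->sess` test safe; note though that `free_sess` is only reached from the idr and later failures, while the earlier `iscsi_login_set_conn_values()` failure in the same function (visible as context in patch 2/3: `kfree(sess); return ret;`) still leaves `conn->sess` pointing at freed memory, so this hunk alone does not close every path. Minor: `free_ops` is entered with `sess->se_sess` holding an ERR_PTR from `transport_init_session()`, so nothing is leaked there, and the single `return -ENOMEM` reports the `idr_alloc()` failure as -ENOMEM as the old code did, so no behaviour change on the return value.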
@@ -1161,13 +1168,13 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
    ISCSI_LOGIN_STATUS_INIT_ERR);
  if (!zero_tsih || !conn->sess)
  goto old_sess_out;
- if (conn->sess->se_sess)
- transport_free_session(conn->sess->se_sess);
- if (conn->sess->session_index != 0) {
- spin_lock_bh(&sess_idr_lock);
- idr_remove(&sess_idr, conn->sess->session_index);
- spin_unlock_bh(&sess_idr_lock);
- }
+
+ transport_free_session(conn->sess->se_sess);
+
+ spin_lock_bh(&sess_idr_lock);
+ idr_remove(&sess_idr, conn->sess->session_index);
+ spin_unlock_bh(&sess_idr_lock);
+
  kfree(conn->sess->sess_ops);
  kfree(conn->sess);
  conn->sess = NULL;
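Review bot: dropping the `if (conn->sess->se_sess)` and `session_index != 0` guards makes `iscsi_target_login_sess_out()` depend entirely on the invariant that a non-NULL `conn->sess` is a fully built session; that is the stated design, but it also means any path that still leaves `conn->sess` set to a partially initialised or freed session now hits an unconditional `transport_free_session()` and `idr_remove()` on stale data instead of a skipped step. The `iscsi_login_set_conn_values()` failure path in `iscsi_login_zero_tsih_s1()` is such a path until 2/3 is applied, so the two patches should land together, which the series does.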
--
2.19.1
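A userland model of the failure path the commit message describes, added here as an illustration and not code from the patches or the kernel: a session pointer published on the connection before setup is complete, freed on a later failure without being cleared, and then dereferenced by the caller's teardown. The `struct conn`/`struct sess` stand-ins, the `zero_tsih_s1_*` functions and the quarantining allocator are assumptions of this example; the allocator counts double frees the way a KASAN report would flag them, so the buggy and patched shapes can be compared without corrupting the real heap.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userland model of the bug fixed by patches 1/3 and 2/3 (constructed for
 * illustration; names only loosely mirror the driver). A KASAN-style
 * quarantining allocator counts frees of already-freed blocks. */

#define MAX_BLOCKS 16
static struct block { void *ptr; bool freed; } blocks[MAX_BLOCKS];
static int nblocks;
static int double_frees;	/* frees of a block already in quarantine */

static void *track_alloc(size_t size)
{
	void *p = nblocks < MAX_BLOCKS ? calloc(1, size) : NULL;	/* zeroed, like kzalloc() */
	if (p)
		blocks[nblocks++] = (struct block){ p, false };
	return p;
}

static void track_free(void *p)
{
	for (int i = 0; p && i < nblocks; i++) {	/* kfree(NULL) is a no-op */
		if (blocks[i].ptr != p)
			continue;
		double_frees += blocks[i].freed;	/* what KASAN flags as use-after-free */
		blocks[i].freed = true;			/* quarantine: stays mapped, never reused */
		return;
	}
}

static void track_reset(void)
{
	while (nblocks > 0)
		free(blocks[--nblocks].ptr);
	double_frees = 0;
}

struct sess_ops { int header_digest; };
struct sess { struct sess_ops *sess_ops; int session_index; };
struct conn { struct sess *sess; };

/* Pre-patch iscsi_login_zero_tsih_s1(): conn->sess set early, later failure frees it but leaves the pointer. */
static int zero_tsih_s1_buggy(struct conn *conn)
{
	struct sess *sess = track_alloc(sizeof(*sess));
	if (!sess)
		return -ENOMEM;
	conn->sess = sess;		/* iscsi_login_set_conn_values() */
	track_free(sess);		/* idr_alloc() failed: conn->sess now dangles */
	return -ENOMEM;
}

/* Patched shape: each failure unwinds what was built and clears conn->sess, so the caller sees all or nothing. */
static int zero_tsih_s1_fixed(struct conn *conn, bool fail_idr)
{
	struct sess *sess = track_alloc(sizeof(*sess));
	if (!sess)
		return -ENOMEM;
	conn->sess = sess;
	if (fail_idr)
		goto free_sess;
	sess->session_index = 1;	/* stands in for idr_alloc() */
	sess->sess_ops = track_alloc(sizeof(*sess->sess_ops));
	if (!sess->sess_ops)
		goto remove_idr;
	return 0;
remove_idr:
	sess->session_index = 0;	/* stands in for idr_remove() */
free_sess:
	track_free(sess);
	conn->sess = NULL;
	return -ENOMEM;
}

/* Caller's teardown, as in the patched iscsi_target_login_sess_out(): a non-NULL conn->sess is trusted. */
static void login_sess_out(struct conn *conn)
{
	if (!conn->sess)
		return;
	track_free(conn->sess->sess_ops);	/* reads the freed block in the buggy case */
	track_free(conn->sess);
	conn->sess = NULL;
}

/* Login failing at the idr step, then teardown; returns double frees seen. */
int simulate_login_failure(bool patched)
{
	struct conn conn = { .sess = NULL };
	track_reset();
	if (patched)
		zero_tsih_s1_fixed(&conn, true);
	else
		zero_tsih_s1_buggy(&conn);
	login_sess_out(&conn);
	return double_frees;
}
```

The buggy sequence reports one double free (the `kfree(conn->sess)` on an already freed session, which is the `kfree+0x16a` BUG in the cover letter); the patched sequence reports none because teardown sees `conn->sess == NULL`.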


[SRU][Bionic][PATCH 2/3] scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails

Juerg Haefliger
From: Vincent Pelletier <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1812086

Fixes a use-after-free reported by KASAN when later
iscsi_target_login_sess_out gets called and it tries to access
conn->sess->se_sess:

Disabling lock debugging due to kernel taint
iSCSI Login timeout on Network Portal [::]:3260
iSCSI Login negotiation failed.
==================================================================
BUG: KASAN: use-after-free in
iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
Read of size 8 at addr ffff880109d070c8 by task iscsi_np/980

CPU: 1 PID: 980 Comm: iscsi_np Tainted: G           O
4.17.8kasan.sess.connops+ #4
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB,
BIOS 5.6.5 05/19/2014
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod]
 ? __sched_text_start+0x8/0x8
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 ? __kthread_parkme+0xcc/0x100
 ? parse_args.cold.14+0xd3/0xd3
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

Allocated by task 980:
 kasan_kmalloc+0xbf/0xe0
 kmem_cache_alloc_trace+0x112/0x210
 iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

Freed by task 980:
 __kasan_slab_free+0x125/0x170
 kfree+0x90/0x1d0
 iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff880109d06f00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 456 bytes inside of
 512-byte region [ffff880109d06f00, ffff880109d07100)
The buggy address belongs to the page:
page:ffffea0004274180 count:1 mapcount:0 mapping:0000000000000000
index:0x0 compound_mapcount: 0
flags: 0x17fffc000008100(slab|head)
raw: 017fffc000008100 0000000000000000 0000000000000000 00000001000c000c
raw: dead000000000100 dead000000000200 ffff88011b002e00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: Vincent Pelletier <[hidden email]>
[rebased against idr/ida changes and to handle ret review comments from Matthew]
Signed-off-by: Mike Christie <[hidden email]>
Cc: Matthew Wilcox <[hidden email]>
Reviewed-by: Matthew Wilcox <[hidden email]>
Signed-off-by: Martin K. Petersen <[hidden email]>
(cherry picked from commit 7915919bb94e12460c58e27c708472e6f85f6699)
Signed-off-by: Juerg Haefliger <[hidden email]>
---
 drivers/target/iscsi/iscsi_target_login.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index 05801c51c3e2..ba22a4873d7b 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1(
  return -ENOMEM;
  }
 
- ret = iscsi_login_set_conn_values(sess, conn, pdu->cid);
- if (unlikely(ret)) {
- kfree(sess);
- return ret;
- }
+ if (iscsi_login_set_conn_values(sess, conn, pdu->cid))
+ goto free_sess;
+
  sess->init_task_tag = pdu->itt;
  memcpy(&sess->isid, pdu->isid, 6);
  sess->exp_cmd_sn = be32_to_cpu(pdu->cmdsn);
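Review bot: `goto free_sess` routes this failure through the unwind added in 1/3, which now clears `conn->sess`, but it also changes the function's return value from the `ret` of `iscsi_login_set_conn_values()` to the label's fixed `-ENOMEM`; the sign-off note says this was agreed in review, so just confirm the caller treats every negative return the same way. If `ret` has no remaining use in `iscsi_login_zero_tsih_s1()` after this hunk, its declaration should go too, to avoid an unused-variable warning.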
--
2.19.1


[SRU][Bionic][PATCH 3/3] scsi: iscsi: target: Fix conn_ops double free

Juerg Haefliger
From: Mike Christie <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1812086

If iscsi_login_init_conn fails it can free conn_ops.
__iscsi_target_login_thread will then call iscsi_target_login_sess_out
which will also free it.

This fixes the problem by organizing conn allocation/setup into parts that
are needed through the life of the conn and parts that are only needed for
the login. The free functions then release what was allocated in the alloc
functions.

With this patch we have:

iscsit_alloc_conn/iscsit_free_conn - allocs/frees the conn we need for the
entire life of the conn.

iscsi_login_init_conn/iscsi_target_nego_release - allocs/frees the parts
of the conn that are only needed during login.

Signed-off-by: Mike Christie <[hidden email]>
Signed-off-by: Martin K. Petersen <[hidden email]>
(cherry picked from commit 05a86e78ea9823ec25b3515db078dd8a76fc263c)
Signed-off-by: Juerg Haefliger <[hidden email]>
---
 drivers/target/iscsi/iscsi_target.c       |   9 +-
 drivers/target/iscsi/iscsi_target_login.c | 141 ++++++++++++----------
 drivers/target/iscsi/iscsi_target_login.h |   2 +-
 3 files changed, 77 insertions(+), 75 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 9eb10d34682c..016ee40ef364 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4235,22 +4235,15 @@ int iscsit_close_connection(
  crypto_free_ahash(tfm);
  }
 
- free_cpumask_var(conn->conn_cpumask);
-
- kfree(conn->conn_ops);
- conn->conn_ops = NULL;
-
  if (conn->sock)
  sock_release(conn->sock);
 
  if (conn->conn_transport->iscsit_free_conn)
  conn->conn_transport->iscsit_free_conn(conn);
 
- iscsit_put_transport(conn->conn_transport);
-
  pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
  conn->conn_state = TARG_CONN_STATE_FREE;
- kfree(conn);
+ iscsit_free_conn(conn);
 
  spin_lock_bh(&sess->conn_lock);
  atomic_dec(&sess->nconn);
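Review bot: `free_cpumask_var()` and `kfree(conn->conn_ops)` move from before `sock_release()` and the transport's `iscsit_free_conn` callback to after them (inside `iscsit_free_conn()`), which is an ordering change; confirm no transport callback reads `conn->conn_ops` or `conn->conn_cpumask` during its own free. Dropping `conn->conn_ops = NULL` is fine because the conn itself is freed in the same call, so nothing can observe the field afterwards.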
diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index ba22a4873d7b..da77fa616b86 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -67,45 +67,10 @@ static struct iscsi_login *iscsi_login_init_conn(struct iscsi_conn *conn)
  goto out_req_buf;
  }
 
- conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL);
- if (!conn->conn_ops) {
- pr_err("Unable to allocate memory for"
- " struct iscsi_conn_ops.\n");
- goto out_rsp_buf;
- }
-
- init_waitqueue_head(&conn->queues_wq);
- INIT_LIST_HEAD(&conn->conn_list);
- INIT_LIST_HEAD(&conn->conn_cmd_list);
- INIT_LIST_HEAD(&conn->immed_queue_list);
- INIT_LIST_HEAD(&conn->response_queue_list);
- init_completion(&conn->conn_post_wait_comp);
- init_completion(&conn->conn_wait_comp);
- init_completion(&conn->conn_wait_rcfr_comp);
- init_completion(&conn->conn_waiting_on_uc_comp);
- init_completion(&conn->conn_logout_comp);
- init_completion(&conn->rx_half_close_comp);
- init_completion(&conn->tx_half_close_comp);
- init_completion(&conn->rx_login_comp);
- spin_lock_init(&conn->cmd_lock);
- spin_lock_init(&conn->conn_usage_lock);
- spin_lock_init(&conn->immed_queue_lock);
- spin_lock_init(&conn->nopin_timer_lock);
- spin_lock_init(&conn->response_queue_lock);
- spin_lock_init(&conn->state_lock);
-
- if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) {
- pr_err("Unable to allocate conn->conn_cpumask\n");
- goto out_conn_ops;
- }
  conn->conn_login = login;
 
  return login;
 
-out_conn_ops:
- kfree(conn->conn_ops);
-out_rsp_buf:
- kfree(login->rsp_buf);
 out_req_buf:
  kfree(login->req_buf);
 out_login:
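Review bot: with `out_conn_ops` and `out_rsp_buf` removed, confirm nothing else in `iscsi_login_init_conn()` still jumps to `out_rsp_buf`; the `goto out_req_buf` visible above is the rsp_buf allocation failure, so the remaining labels unwind correctly. Since this function no longer initialises the conn's lists, locks, completions and cpumask, every caller must now obtain the conn from `iscsit_alloc_conn()`; a comment on the function saying so would help the next reader.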
@@ -1155,6 +1120,75 @@ iscsit_conn_set_transport(struct iscsi_conn *conn, struct iscsit_transport *t)
  return 0;
 }
 
+static struct iscsi_conn *iscsit_alloc_conn(struct iscsi_np *np)
+{
+ struct iscsi_conn *conn;
+
+ conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL);
+ if (!conn) {
+ pr_err("Could not allocate memory for new connection\n");
+ return NULL;
+ }
+ pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
+ conn->conn_state = TARG_CONN_STATE_FREE;
+
+ init_waitqueue_head(&conn->queues_wq);
+ INIT_LIST_HEAD(&conn->conn_list);
+ INIT_LIST_HEAD(&conn->conn_cmd_list);
+ INIT_LIST_HEAD(&conn->immed_queue_list);
+ INIT_LIST_HEAD(&conn->response_queue_list);
+ init_completion(&conn->conn_post_wait_comp);
+ init_completion(&conn->conn_wait_comp);
+ init_completion(&conn->conn_wait_rcfr_comp);
+ init_completion(&conn->conn_waiting_on_uc_comp);
+ init_completion(&conn->conn_logout_comp);
+ init_completion(&conn->rx_half_close_comp);
+ init_completion(&conn->tx_half_close_comp);
+ init_completion(&conn->rx_login_comp);
+ spin_lock_init(&conn->cmd_lock);
+ spin_lock_init(&conn->conn_usage_lock);
+ spin_lock_init(&conn->immed_queue_lock);
+ spin_lock_init(&conn->nopin_timer_lock);
+ spin_lock_init(&conn->response_queue_lock);
+ spin_lock_init(&conn->state_lock);
+
+ timer_setup(&conn->nopin_response_timer,
+    iscsit_handle_nopin_response_timeout, 0);
+ timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0);
+
+ if (iscsit_conn_set_transport(conn, np->np_transport) < 0)
+ goto free_conn;
+
+ conn->conn_ops = kzalloc(sizeof(struct iscsi_conn_ops), GFP_KERNEL);
+ if (!conn->conn_ops) {
+ pr_err("Unable to allocate memory for struct iscsi_conn_ops.\n");
+ goto put_transport;
+ }
+
+ if (!zalloc_cpumask_var(&conn->conn_cpumask, GFP_KERNEL)) {
+ pr_err("Unable to allocate conn->conn_cpumask\n");
+ goto free_mask;
+ }
+
+ return conn;
+
+free_mask:
+ free_cpumask_var(conn->conn_cpumask);
+put_transport:
+ iscsit_put_transport(conn->conn_transport);
+free_conn:
+ kfree(conn);
+ return NULL;
+}
+
+void iscsit_free_conn(struct iscsi_conn *conn)
+{
+ free_cpumask_var(conn->conn_cpumask);
+ kfree(conn->conn_ops);
+ iscsit_put_transport(conn->conn_transport);
+ kfree(conn);
+}
+
 void iscsi_target_login_sess_out(struct iscsi_conn *conn,
  struct iscsi_np *np, bool zero_tsih, bool new_sess)
 {
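Review bot: the `zalloc_cpumask_var()` failure path in `iscsit_alloc_conn()` leaks `conn->conn_ops`: it jumps to `free_mask`, which frees the cpumask that was never allocated and then falls through to `put_transport` and `kfree(conn)` without ever freeing `conn_ops`. The label should release what was allocated before the failing step, e.g. replace the `free_mask:` block with `free_conn_ops:` / `kfree(conn->conn_ops);` and `goto free_conn_ops` from that error. Separately, `iscsit_free_conn()` has no NULL guards, so it must only be called on a conn that came out of `iscsit_alloc_conn()` successfully, which the callers in this series respect.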
@@ -1208,10 +1242,6 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
  crypto_free_ahash(tfm);
  }
 
- free_cpumask_var(conn->conn_cpumask);
-
- kfree(conn->conn_ops);
-
  if (conn->param_list) {
  iscsi_release_param_list(conn->param_list);
  conn->param_list = NULL;
@@ -1229,8 +1259,7 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
  if (conn->conn_transport->iscsit_free_conn)
  conn->conn_transport->iscsit_free_conn(conn);
 
- iscsit_put_transport(conn->conn_transport);
- kfree(conn);
+ iscsit_free_conn(conn);
 }
 
 static int __iscsi_target_login_thread(struct iscsi_np *np)
@@ -1260,31 +1289,16 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
  }
  spin_unlock_bh(&np->np_thread_lock);
 
- conn = kzalloc(sizeof(struct iscsi_conn), GFP_KERNEL);
+ conn = iscsit_alloc_conn(np);
  if (!conn) {
- pr_err("Could not allocate memory for"
- " new connection\n");
  /* Get another socket */
  return 1;
  }
- pr_debug("Moving to TARG_CONN_STATE_FREE.\n");
- conn->conn_state = TARG_CONN_STATE_FREE;
-
- timer_setup(&conn->nopin_response_timer,
-    iscsit_handle_nopin_response_timeout, 0);
- timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0);
-
- if (iscsit_conn_set_transport(conn, np->np_transport) < 0) {
- kfree(conn);
- return 1;
- }
 
  rc = np->np_transport->iscsit_accept_np(np, conn);
  if (rc == -ENOSYS) {
  complete(&np->np_restart_comp);
- iscsit_put_transport(conn->conn_transport);
- kfree(conn);
- conn = NULL;
+ iscsit_free_conn(conn);
  goto exit;
  } else if (rc < 0) {
  spin_lock_bh(&np->np_thread_lock);
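Review bot: the explicit `conn = NULL` after the free is dropped on the `-ENOSYS` path before `goto exit`; if the code at the `exit` label (outside this hunk) tests or touches `conn`, it now sees a freed pointer, so that is worth checking given the old code deliberately nulled it. Otherwise replacing the open-coded `kzalloc()`, `timer_setup()` and `iscsit_conn_set_transport()` sequence with `iscsit_alloc_conn()` is a clean consolidation that also removes the separate `kfree(conn)` on the set_transport failure.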
@@ -1292,17 +1306,13 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
  np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
  spin_unlock_bh(&np->np_thread_lock);
  complete(&np->np_restart_comp);
- iscsit_put_transport(conn->conn_transport);
- kfree(conn);
- conn = NULL;
+ iscsit_free_conn(conn);
  /* Get another socket */
  return 1;
  }
  spin_unlock_bh(&np->np_thread_lock);
- iscsit_put_transport(conn->conn_transport);
- kfree(conn);
- conn = NULL;
- goto out;
+ iscsit_free_conn(conn);
+ return 1;
  }
  /*
  * Perform the remaining iSCSI connection initialization items..
@@ -1452,7 +1462,6 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
  tpg_np = NULL;
  }
 
-out:
  return 1;
 
 exit:
diff --git a/drivers/target/iscsi/iscsi_target_login.h b/drivers/target/iscsi/iscsi_target_login.h
index 74ac3abc44a0..3b8e3639ff5d 100644
--- a/drivers/target/iscsi/iscsi_target_login.h
+++ b/drivers/target/iscsi/iscsi_target_login.h
@@ -19,7 +19,7 @@ extern int iscsi_target_setup_login_socket(struct iscsi_np *,
 extern int iscsit_accept_np(struct iscsi_np *, struct iscsi_conn *);
 extern int iscsit_get_login_rx(struct iscsi_conn *, struct iscsi_login *);
 extern int iscsit_put_login_tx(struct iscsi_conn *, struct iscsi_login *, u32);
-extern void iscsit_free_conn(struct iscsi_np *, struct iscsi_conn *);
+extern void iscsit_free_conn(struct iscsi_conn *);
 extern int iscsit_start_kthreads(struct iscsi_conn *);
 extern void iscsi_post_login_handler(struct iscsi_np *, struct iscsi_conn *, u8);
 extern void iscsi_target_login_sess_out(struct iscsi_conn *, struct iscsi_np *,
--
2.19.1


ACK/Cmnt: [SRU][Bionic][PATCH 0/3] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)

Stefan Bader-2
On 17.01.19 12:59, Juerg Haefliger wrote:

Bug report needs SRU justification added. Otherwise testable.

Acked-by: Stefan Bader <[hidden email]>


ACK: [SRU][Bionic][PATCH 0/3] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)

Kleber Souza
On 1/17/19 12:59 PM, Juerg Haefliger wrote:

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


APPLIED: [SRU][Bionic][PATCH 0/3] kernel BUG at /build/linux-vxxS7y/linux-4.15.0/mm/slub.c:296! (LP: #1812086)

Khaled Elmously
On 2019-01-17 12:59:02 , Juerg Haefliger wrote:

