[Bug 260449] incorrect PRIV_REQUEST() uses in iscsi target code
Date: Wed, 15 Dec 2021 19:56:09 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260449

            Bug ID: 260449
           Summary: incorrect PRIV_REQUEST() uses in iscsi target code
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #230154 text/plain
         mime type:

Created attachment 230154
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230154&action=edit
Cause iscsi target to crash due to incorrect PRIV_REQUEST() uses.

I suspect this line in cfiscsi_done():

        cs = PRIV_REQUEST(io);

should be

        request = PRIV_REQUEST(io);
        cs = PDU_SESSION(request);

And this line in cfiscsi_session_terminate_tasks() looks odd:

        PRIV_REQUEST(io) = cs;

I'd expect ... = request, not ... = cs.

I've attached a program that (on my machine) produces panic from the
first problem, and (once the first is fixed) a kernel page fault due
to the second.

panic: refcount 0xffffffd0023eb7b4 wraparound
panic() at panic+0x2a
_refcount_update_saturated() at _refcount_update_saturated+0x16
refcount_releasen() at refcount_releasen+0x4c
refcount_release() at refcount_release+0xc
cfiscsi_done() at cfiscsi_done+0x3e
ctl_process_done() at ctl_process_done+0x460
ctl_work_thread() at ctl_work_thread+0x13e
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

panic: Fatal page fault at 0xffffffc0000468c4: 0x000000000000ba
--- exception 15, tval = 0xba
cfiscsi_done() at cfiscsi_done+0x5e
ctl_process_done() at ctl_process_done+0x460
ctl_work_thread() at ctl_work_thread+0x13e
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #160 main-n250912-e4746deeda02-dirty: Wed Dec 15 14:36:14 EST 2021 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
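
The bug class reported above, as an added example that is not part of the report or of the FreeBSD source: an untyped private slot accepts and returns any pointer type without a compiler diagnostic, so a request and a session can be confused silently. The structs, magic tags and macro bodies below are simplified assumptions that model only the names used in the report; the tag check is one possible defensive measure, not the project's fix.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins (assumptions), not the FreeBSD definitions. */
struct tag     { uint32_t magic; };
struct session { struct tag tag; int refs; };
struct conn    { struct session *sess; };
struct pdu     { struct tag tag; struct conn *ip_conn; };
struct io      { void *priv; };

#define SESSION_MAGIC 0x53455353u
#define PDU_MAGIC     0x50445530u
#define PRIV_REQUEST(io) ((io)->priv)            /* untyped slot */
#define PDU_SESSION(p)   ((p)->ip_conn->sess)

/* Pattern the report questions: the slot value is used as the session. */
static void *session_unchecked(struct io *io)
{
	return PRIV_REQUEST(io);
}

/* Pattern the report proposes, plus a tag check on the slot contents. */
static struct session *session_via_request(struct io *io)
{
	const struct tag *t = PRIV_REQUEST(io);
	struct pdu *request;

	if (t == NULL || t->magic != PDU_MAGIC)
		return NULL;    /* slot does not hold a request */
	request = PRIV_REQUEST(io);
	return PDU_SESSION(request);
}

/* Completion path: drop one session reference; -1 if the slot is wrong. */
static int done_checked(struct io *io)
{
	struct session *cs = session_via_request(io);

	if (cs == NULL || cs->tag.magic != SESSION_MAGIC || cs->refs <= 0)
		return -1;
	return --cs->refs;
}
```

With a request stored in the slot, session_unchecked() hands back the request's address where a session is expected, while session_via_request() reaches the real session; with a session stored in the slot, the tag check rejects it before any reference count is touched.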