On Mon, Aug 3, 2009 at 10:36 PM, Roland Dreier<[email protected]> wrote:
> How do we end up in srp_reset_device() with req->scmnd->device == NULL?
> Presumably req->scmnd should match scmnd if I am understanding the code
> properly -- and then scmnd->device == NULL??

An update: apparently it is possible to trigger scmnd->device == NULL even
without triggering a prior IB CM disconnect. The following shell commands
are sufficient to trigger the WARN_ON statement in the patch below:

rmmod ib_srp
modprobe ib_srp
ibsrpdm -c | while read target_info; do
    echo "${target_info}"
    echo "${target_info}" >/sys/class/infiniband_srp/srp-mlx4_0-1/add_target
done
sg_reset -d ${srp_device}

So it should be analyzed why scmnd->device can be NULL before applying any
patches to fix the NULL pointer dereference.

Bart.

--- linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp-orig.c     2009-08-03
12:13:11.000000000 +0200
+++ linux-2.6.30.4/drivers/infiniband/ulp/srp/ib_srp.c  2009-08-04
17:25:27.000000000 +0200
@@ -1330,6 +1330,8 @@ static int srp_send_tsk_mgmt(struct srp_
        struct srp_iu *iu;
        struct srp_tsk_mgmt *tsk_mgmt;

+       BUG_ON(!req->scmnd->device);
+
        spin_lock_irq(target->scsi_host->host_lock);

        if (target->state == SRP_TARGET_DEAD ||
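Review bot: the BUG_ON(!req->scmnd->device) added ahead of spin_lock_irq() in srp_send_tsk_mgmt() dereferences req->scmnd without first checking that req->scmnd itself is non-NULL, so a NULL req->scmnd turns the assertion into exactly the NULL pointer dereference under investigation, and BUG_ON panics the whole machine instead of failing the task management request. For a diagnostic patch, prefer a WARN_ON that covers both levels of the pointer and bails out, along the lines of `if (WARN_ON(!req->scmnd || !req->scmnd->device))` followed by a return using whatever error value this function's existing early-return paths already use, so the box stays up and the backtrace can be collected. Note also that with the second hunk in place srp_reset_device() returns FAILED before ever reaching this line, so the BUG_ON only matters for any other callers of srp_send_tsk_mgmt(), and for those it would crash rather than fail the command.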
@@ -1425,6 +1427,8 @@ static int srp_reset_device(struct scsi_
                return FAILED;
        if (srp_find_req(target, scmnd, &req))
                return FAILED;
+       if (WARN_ON(!req->scmnd->device))
+               return FAILED;
        if (srp_send_tsk_mgmt(target, req, SRP_TSK_LUN_RESET))
                return FAILED;
        if (req->tsk_status)
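Review bot: the WARN_ON added after srp_find_req() in srp_reset_device() tests req->scmnd->device, but the open question in the thread is whether req->scmnd actually equals scmnd and, if so, how scmnd->device can be NULL; a single check on the second level of the pointer cannot distinguish those two cases. Suggest splitting it so the WARN output says which assumption broke, e.g. `if (WARN_ON(req->scmnd != scmnd)) return FAILED;` followed by `if (WARN_ON(!scmnd->device)) return FAILED;`, and checking req->scmnd for NULL before dereferencing it. The check also runs outside target->scsi_host->host_lock, which srp_send_tsk_mgmt() only takes after its own BUG_ON, so the value read here is not necessarily the one srp_send_tsk_mgmt() later sees; either take the lock around both or state why the lock is not needed for req->scmnd.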
_______________________________________________
general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
