Date:      Wed, 15 Dec 2021 19:56:09 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 260449] incorrect PRIV_REQUEST() uses in iscsi target code
Message-ID:  <bug-260449-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260449

            Bug ID: 260449
           Summary: incorrect PRIV_REQUEST() uses in iscsi target code
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #230154 mime type: text/plain

Created attachment 230154
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230154&action=edit
Cause iscsi target to crash due to incorrect PRIV_REQUEST() uses.

I suspect this line in cfiscsi_done():

  cs = PRIV_REQUEST(io);

should be

  request = PRIV_REQUEST(io);
  cs = PDU_SESSION(request);

And this line in cfiscsi_session_terminate_tasks() looks odd:

  PRIV_REQUEST(io) = cs;

I'd expect ... = request, not ... = cs.

I've attached a program that (on my machine) produces panic from the
first problem, and (once the first is fixed) a kernel page fault due to
the second.

panic: refcount 0xffffffd0023eb7b4 wraparound
panic() at panic+0x2a
_refcount_update_saturated() at _refcount_update_saturated+0x16
refcount_releasen() at refcount_releasen+0x4c
refcount_release() at refcount_release+0xc
cfiscsi_done() at cfiscsi_done+0x3e
ctl_process_done() at ctl_process_done+0x460
ctl_work_thread() at ctl_work_thread+0x13e
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

panic: Fatal page fault at 0xffffffc0000468c4: 0x000000000000ba
--- exception 15, tval = 0xba
cfiscsi_done() at cfiscsi_done+0x5e
ctl_process_done() at ctl_process_done+0x460
ctl_work_thread() at ctl_work_thread+0x13e
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #160
main-n250912-e4746deeda02-dirty: Wed Dec 15 14:36:14 EST 2021
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv

-- 
You are receiving this mail because:
You are the assignee for the bug.
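As an added illustration (not the reporter's attached program and not FreeBSD's own code), a constructed C model of the two misuses described in the report and of the suggested fix: because the CTL private slot is untyped, a request pointer can be used as a session pointer (the refcount wraparound) and a session pointer can be stored where a request is expected (the later page fault). A leading tag field, whose values and struct layouts are assumptions here, lets the accessor refuse a wrongly typed pointer instead of dereferencing it.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the CTL/iSCSI private-data plumbing; not FreeBSD's code.
 * The tag fields, their values and the struct layouts are assumptions. */
#define REQUEST_TAG 0x52455155u
#define SESSION_TAG 0x53455353u

struct cfiscsi_session { unsigned tag; unsigned refcount; };
struct icl_pdu         { unsigned tag; void *ip_prv0; };  /* ip_prv0: owning session */
struct ctl_io          { void *priv_request; };           /* untyped private slot */

/* Both accessors are untyped, so storing or reading the wrong object compiles. */
#define PRIV_REQUEST(io) ((io)->priv_request)
#define PDU_SESSION(pdu) ((struct cfiscsi_session *)(pdu)->ip_prv0)

/* Read the leading tag of whatever object p points at (byte copy, no aliasing). */
static unsigned tag_of(const void *p) { unsigned t; memcpy(&t, p, sizeof t); return t; }

/* The reported bug: the request pointer is treated as the session pointer. */
struct cfiscsi_session *session_buggy(struct ctl_io *io) {
    return (struct cfiscsi_session *)PRIV_REQUEST(io);
}

/* The suggested fix, with tag checks that return NULL on either misuse. */
struct cfiscsi_session *session_checked(struct ctl_io *io) {
    struct icl_pdu *request = PRIV_REQUEST(io);
    if (request == NULL || tag_of(request) != REQUEST_TAG)
        return NULL;
    struct cfiscsi_session *cs = PDU_SESSION(request);
    return (cs != NULL && tag_of(cs) == SESSION_TAG) ? cs : NULL;
}

/* Drop one session reference; returns the new count, or -1 for a bad pointer. */
int release_session(struct cfiscsi_session *cs) {
    if (cs == NULL || tag_of(cs) != SESSION_TAG || cs->refcount == 0)
        return -1;
    return (int)--cs->refcount;
}

/* Exercise both misuses and the fix; returns 0 when every check behaves. */
int run_checks(void) {
    struct cfiscsi_session cs = { SESSION_TAG, 2 };
    struct icl_pdu request = { REQUEST_TAG, &cs };
    struct ctl_io io = { &request };
    if (release_session(session_buggy(&io)) != -1) return 1;  /* bug 1 caught */
    if (release_session(session_checked(&io)) != 1) return 2; /* 2 -> 1 */
    PRIV_REQUEST(&io) = &cs;             /* bug 2: session stored as request */
    return session_checked(&io) == NULL ? 0 : 3;
}
```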


