From a327b6e700f54a128bbb22354cfe907685b95236 Mon Sep 17 00:00:00 2001
From: Vladislav Bolkhovitin <vst@vlnb.net>
Date: Thu, 14 Feb 2013 02:42:35 +0000
Subject: [PATCH] scst: Avoid that INQUIRY of a non-existing LUN can trigger a
 NULL pointer dereference

This patch fixes the following kernel oops:

[7781]: scst: scst_translate_lun:3935:tgt_dev for LUN 1 not found, command to unexisting LU (initiator local3, target local3)?
BUG: unable to handle kernel NULL pointer dereference at 0000000000000500
IP: [<ffffffffa027662e>] scst_set_resp_data_len+0x17e/0x1c0 [scst]
PGD 2de7a067 PUD 2dd4d067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: scst_local(O) iscsi_scst(O) scst_vdisk(O) scst(O) brd netconsole configfs ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi joydev aesni_intel ablk_helper hid_generic cryptd lrw aes_x86_64 xts usbhid hid gf128mul intel_agp i2c_piix4 intel_gtt agpgart processor psmouse microcode button binfmt_misc lp parport ext4 mbcache jbd2 floppy ata_piix zlib_deflate libcrc32c [last unloaded: scst]
CPU 3
Pid: 7781, comm: kworker/u:5 Tainted: G           O 3.8.0-rc7-debug+ #1 Bochs Bochs
RIP: 0010:[<ffffffffa027662e>]  [<ffffffffa027662e>] scst_set_resp_data_len+0x17e/0x1c0 [scst]
Process kworker/u:5 (pid: 7781, threadinfo ffff88002dc18000, task ffff88003d306450)
Call Trace:
 [<ffffffffa027aa10>] scst_set_lun_not_supported_inquiry+0x140/0x400 [scst]
 [<ffffffffa027adbf>] scst_set_cmd_error+0xef/0x210 [scst]
 [<ffffffffa026aaa1>] __scst_init_cmd+0x1c1/0x250 [scst]
 [<ffffffffa026aefb>] scst_init_cmd+0x6b/0x320 [scst]
 [<ffffffffa026e914>] scst_cmd_init_done+0x124/0x5b0 [scst]
 [<ffffffffa0340a9e>] scst_local_queuecommand+0x1ae/0x3c0 [scst_local]
 [<ffffffff81323cd0>] scsi_dispatch_cmd+0x150/0x4b0
 [<ffffffff8132b091>] scsi_request_fn+0x361/0x530
 [<ffffffff812157b7>] __blk_run_queue+0x37/0x50
 [<ffffffff81221e01>] blk_execute_rq_nowait+0x81/0x100
 [<ffffffff81221fd2>] blk_execute_rq+0x152/0x200
 [<ffffffff8132a75e>] scsi_execute+0xee/0x180
 [<ffffffff8132b92d>] scsi_execute_req+0xbd/0x130
 [<ffffffff8132d647>] scsi_probe_and_add_lun+0x257/0xe10
 [<ffffffff8132ea73>] __scsi_scan_target+0x2a3/0x790
 [<ffffffff8132f0ee>] scsi_scan_target+0xfe/0x110
 [<ffffffffa033f81c>] scst_process_aens+0xcc/0x210 [scst_local]
 [<ffffffffa033fb39>] scst_aen_work_fn+0x79/0x140 [scst_local]
 [<ffffffff810630c8>] process_one_work+0x1a8/0x6e0
 [<ffffffff81063a3f>] worker_thread+0x15f/0x3e0
 [<ffffffff8106a17d>] kthread+0xed/0x100
 [<ffffffff815252ac>] ret_from_fork+0x7c/0xb0
---[ end trace b2eb71a8ecb7acf3 ]---

Signed-off-by: Bart Van Assche <bvanassche@acm.org>



git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@4758 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 scst/src/scst_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scst/src/scst_lib.c b/scst/src/scst_lib.c
index f8964e382..fd34772de 100644
--- a/scst/src/scst_lib.c
+++ b/scst/src/scst_lib.c
@@ -2870,7 +2870,7 @@ void scst_set_resp_data_len(struct scst_cmd *cmd, int resp_data_len)
 	if (unlikely(resp_data_len > cmd->bufflen)) {
 		PRINT_ERROR("Too big response data len %d (max %d), limiting "
 			"it to the max (dev %s)", resp_data_len, cmd->bufflen,
-			cmd->dev->virt_name);
+			cmd->dev ? cmd->dev->virt_name : "(no LUN)");
 		cmd->resp_data_len = cmd->bufflen;
 		goto out;
 	}