[Stgt-devel] [PATCH] task data leak

Pete Wyckoff pw
Fri Dec 7 21:23:53 CET 2007


iscsi_scsi_cmd_rx_start always allocates a buffer of 4096 to accommodate
assumptions in spc, sbc, etc.  Even when a SCSI command asks for a data
length of zero, task->data is allocated to 4096.  However, this is never
assigned as the in or out buf on scmd, and thus is never freed.

This works around that by freeing an orphaned task->data.  Again, though,
the better solution is to fix up all the little functions like inquiry
that cause this situation in the first place.

Signed-off-by: Pete Wyckoff <pw at osc.edu>
---
 usr/iscsi/iscsid.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
index 1e0172a..ab1999d 100644
--- a/usr/iscsi/iscsid.c
+++ b/usr/iscsi/iscsid.c
@@ -1024,6 +1024,17 @@ void iscsi_free_task(struct iscsi_task *task)
 {
 	struct iscsi_connection *conn = task->conn;
 
+	/*
+	 * Catch case when data_len is zero but pushed up to 4096
+	 * to work around spc allocation assumption, but then later
+	 * determined to be DATA_NONE and not used as either in or
+	 * out buffer.
+	 */
+	if (task->data &&
+	    task->data != scsi_get_in_buffer(&task->scmd) &&
+	    task->data != scsi_get_out_buffer(&task->scmd))
+		conn->tp->free_data_buf(conn, task->data);
+
 	conn->tp->free_data_buf(conn, scsi_get_in_buffer(&task->scmd));
 	conn->tp->free_data_buf(conn, scsi_get_out_buffer(&task->scmd));
 
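Review bot: after the orphan check frees task->data (the new `if` block), task->data is left pointing at freed memory; set `task->data = NULL;` right after `conn->tp->free_data_buf(conn, task->data);` so that nothing that still inspects the task between here and its release (or any future second pass through this cleanup) dereferences or double-frees it. The comparison against scsi_get_in_buffer/scsi_get_out_buffer is correct as written, since a task->data that was attached as the in or out buffer is still released by the two existing free_data_buf calls that follow; a one-line comment pointing at iscsi_scsi_cmd_rx_start as the place that forces the 4096 allocation would also help the next reader find where the real fix belongs.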
-- 
1.5.3.4
