[Stgt-devel] [Patch] Segmentation fault in conn_close

[Tomas Henzl]

Hi,

I noticed a segfault which is probably caused by the patch 
"iscsi: needs to call iscsi_free_cmd_task for commands in tx_clist"
b723430058dcbe3b201a2a2c38ce114217dc5273

it looks like that for some reason iscsi_free_cmd_task(task); gets called  with
appropriate scmd zeroed out (not initialized ?) and then it causes a segfault
in list_del.

I don't know how could it happen that this structure (scmd) is empty. The patch 
below solves my problem - it restores the old behaviour if the scmd is empty
as it was before the patch mentioned above.

Tomas

Signed-off-by: Tomas Henzl <thenzl at redhat.com>
---
diff -Naurp tgt2/usr/iscsi/conn.c tgt/usr/iscsi/conn.c
--- tgt2/usr/iscsi/conn.c	2008-06-13 14:14:37.000000000 +0200
+++ tgt/usr/iscsi/conn.c	2008-07-24 14:04:30.000000000 +0200
@@ -109,7 +109,12 @@ void conn_close(struct iscsi_connection 
 	list_for_each_entry_safe(task, tmp, &conn->tx_clist, c_list) {
 		dprintf("Forcing release of tx task %" PRIx64 "\n",
 			task->tag);
-		iscsi_free_cmd_task(task);
+		if (task->scmd.c_target)
+			iscsi_free_cmd_task(task);
+		else {
+			list_del(&task->c_list);
+			iscsi_free_task(task);
+		}	
 	}
 
 	if (conn->rx_task) {
--