[stgt] [PATCH] Fix leak of task->data
Andy Grover
agrover at redhat.com
Sun Aug 11 20:04:01 CEST 2013
Steps to reproduce: In initiator, dd to the volume and bring the initiator
interface up and down repeatedly. Valgrind of tgtd confirms the leak and
the fix.
If a connection is terminated while tasks are not yet fully received,
task->data will have been allocated but not referred to by a cmd in-
or out-buffer, which happens in iscsi_target_cmd_queue only after the
entire command is received. When freeing tasks for a closed connection,
ensure task->data is freed if it isn't already freed by the pointer
having been copied to scmd in or out buffer.
It might be nicer to set task->data to NULL when its reference is copied,
and then we could unconditionally call free() on it in iscsi_free_task,
but task->data is referred to in many other places in iscsid.c. Maybe
those places should refer to the in/out buffers instead?
Reported-by: Tomoaki Nishimura <t-nishimura at hf.jp.nec.com>
Signed-off-by: Andy Grover <agrover at redhat.com>
---
usr/iscsi/iscsid.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
index 005bac5..9bae331 100644
--- a/usr/iscsi/iscsid.c
+++ b/usr/iscsi/iscsid.c
@@ -1227,6 +1227,10 @@ void iscsi_free_task(struct iscsi_task *task)
conn->tp->free_data_buf(conn, scsi_get_in_buffer(&task->scmd));
conn->tp->free_data_buf(conn, scsi_get_out_buffer(&task->scmd));
+ if ((task->data != scsi_get_in_buffer(&task->scmd)) ||
+ (task->data != scsi_get_out_buffer(&task->scmd)))
+ conn->tp->free_data_buf(conn, task->data);
+
conn->tp->free_task(task);
conn_put(conn);
}
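Review bot: the added `if` joins its two `!=` tests with `||`, so it is true whenever task->data differs from at least one of the two buffers. When task->data is the same pointer as the in buffer but not the out buffer (or the reverse), which is the "already freed" case the commit message describes, the other comparison still makes the condition true and `free_data_buf` is called on that pointer a second time, right after the two calls above it. The test should use `&&` so task->data is freed only when it matches neither `scsi_get_in_buffer(&task->scmd)` nor `scsi_get_out_buffer(&task->scmd)`. A short comment saying why task->data can be unreferenced here (connection closed before the command was fully received) would also help the next reader.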
--
1.7.1