isert: Fix null dereference in isert_cmnd allocation code

In a state where the list isert_conn->tx_free_list is empty (mostly under traffic), we might fail to receive a command from the isert command pool. This will result in later null deref. In this case, busy-wait until a command will be available (will be freed by the receive context). [2158233.952087] BUG: unable to handle kernel NULL pointer dereference at (null) [2158233.956023] IP: [<ffffffffa04e14d0>] isert_pdu_send+0xc0/0x1f0 [isert_scst] .... [2158233.956023] [<ffffffffa04d98c8>] ? isert_cmnd_alloc+0x78/0x110 [isert_scst] [2158233.956023] [<ffffffffa045b5a0>] req_cmnd_release+0x50/0x130 [iscsi_scst] [2158233.956023] [<ffffffffa04622cb>] iscsi_send_nop_in+0x19b/0x370 [iscsi_scst] Signed-off-by: Ariel Nahum <arieln@mellanox.com> git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@6554 d57e44dd-8a1f-0410-8b47-8ef2f437770f
2026-05-17 02:31:27 +00:00 · 2015-10-28 16:55:48 +00:00
parent 64737849f8
commit 46202aa823
1 changed files with 5 additions and 0 deletions
--- a/iscsi-scst/kernel/isert-scst/iser_datamover.c
+++ b/iscsi-scst/kernel/isert-scst/iser_datamover.c
@@ -126,7 +126,12 @@ static struct iscsi_cmnd *isert_alloc_scsi_pdu(struct iscsi_conn *iscsi_conn,
 	struct isert_connection *isert_conn = (struct isert_connection *)iscsi_conn;
 	struct isert_cmnd *isert_pdu;

+again:
 	spin_lock(&isert_conn->tx_lock);
+	if (list_empty(&isert_conn->tx_free_list)) {
+		spin_unlock(&isert_conn->tx_lock);
+		goto again;
+	}
 	isert_pdu = list_first_entry(&isert_conn->tx_free_list,
 				     struct isert_cmnd, pool_node);
 	list_move(&isert_pdu->pool_node, &isert_conn->tx_busy_list);