From 46202aa8239d225f82d3675f14b23939ffe4f8a0 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 28 Oct 2015 16:55:48 +0000 Subject: [PATCH] isert: Fix null dereference in isert_cmnd allocation code In a state where the list isert_conn->tx_free_list is empty (mostly under traffic), we might fail to receive a command from the isert command pool. This will result in later null deref. In this case, busy-wait until a command will be available (will be freed by the receive context). [2158233.952087] BUG: unable to handle kernel NULL pointer dereference at (null) [2158233.956023] IP: [] isert_pdu_send+0xc0/0x1f0 [isert_scst] .... [2158233.956023] [] ? isert_cmnd_alloc+0x78/0x110 [isert_scst] [2158233.956023] [] req_cmnd_release+0x50/0x130 [iscsi_scst] [2158233.956023] [] iscsi_send_nop_in+0x19b/0x370 [iscsi_scst] Signed-off-by: Ariel Nahum git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@6554 d57e44dd-8a1f-0410-8b47-8ef2f437770f --- iscsi-scst/kernel/isert-scst/iser_datamover.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/iscsi-scst/kernel/isert-scst/iser_datamover.c b/iscsi-scst/kernel/isert-scst/iser_datamover.c index 15c40713a..19fc58640 100644 --- a/iscsi-scst/kernel/isert-scst/iser_datamover.c +++ b/iscsi-scst/kernel/isert-scst/iser_datamover.c @@ -126,7 +126,12 @@ static struct iscsi_cmnd *isert_alloc_scsi_pdu(struct iscsi_conn *iscsi_conn, struct isert_connection *isert_conn = (struct isert_connection *)iscsi_conn; struct isert_cmnd *isert_pdu; +again: spin_lock(&isert_conn->tx_lock); + if (list_empty(&isert_conn->tx_free_list)) { + spin_unlock(&isert_conn->tx_lock); + goto again; + } isert_pdu = list_first_entry(&isert_conn->tx_free_list, struct isert_cmnd, pool_node); list_move(&isert_pdu->pool_node, &isert_conn->tx_busy_list);
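Review bot: The new `again:` loop spins unbounded with no `cpu_relax()` and no exit condition, so if the context that returns entries to `tx_free_list` never runs — the connection is being torn down, or that context is blocked behind this caller or a lock it holds — the NULL dereference is replaced by a hard CPU lockup, and a remote initiator that withholds the traffic that frees commands can pin a target CPU at 100% indefinitely. At minimum put a pause between the unlock and the retry, `spin_unlock(&isert_conn->tx_lock); cpu_relax(); goto again;`, and consider bounding the retries and returning NULL once the connection is no longer live so callers fail the PDU rather than the CPU. The trace in the description shows callers such as `isert_pdu_send` do not tolerate NULL today, so a bounded variant would also need those callers checked; their code is not visible here. Whether the freeing path can run on the same CPU as this caller is not visible in the hunk, so the lockup risk is inferred from the commit's own "busy-wait ... freed by the receive context" description. The enclosing `isert_alloc_scsi_pdu` begins on the `@@` header line and continues past the end of the hunk.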