From: Olaf Kirch Date: Thu, 13 Dec 2007 18:43:36 +0000 (-0600) Subject: [SCSI] iscsi_tcp: stop leaking r2t_info's when the incoming R2T is bad X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=03766a1d4e4520066d3ed2097bfdf6e606aba828;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git [SCSI] iscsi_tcp: stop leaking r2t_info's when the incoming R2T is bad iscsi_r2t_rsp checks the incoming R2T for sanity, and if it thinks it's fishy, it will drop it silently. In this case, we leaked an r2t_info object. If we do this often enough, we run into a BUG_ON some time later. Removed r2t wrappers and update patch by Mike Christie Signed-off-by: Olaf Kirch Signed-off-by: Mike Christie Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 7212fe95a66d..ecba606e6521 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -658,6 +658,8 @@ iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask) r2t->data_length = be32_to_cpu(rhdr->data_length); if (r2t->data_length == 0) { printk(KERN_ERR "iscsi_tcp: invalid R2T with zero data len\n"); + __kfifo_put(tcp_ctask->r2tpool.queue, (void*)&r2t, + sizeof(void*)); spin_unlock(&session->lock); return ISCSI_ERR_DATALEN; } @@ -669,10 +671,12 @@ iscsi_r2t_rsp(struct iscsi_conn *conn, struct iscsi_cmd_task *ctask) r2t->data_offset = be32_to_cpu(rhdr->data_offset); if (r2t->data_offset + r2t->data_length > scsi_bufflen(ctask->sc)) { - spin_unlock(&session->lock); printk(KERN_ERR "iscsi_tcp: invalid R2T with data len %u at " "offset %u and total length %d\n", r2t->data_length, r2t->data_offset, scsi_bufflen(ctask->sc)); + __kfifo_put(tcp_ctask->r2tpool.queue, (void*)&r2t, + sizeof(void*)); + spin_unlock(&session->lock); return ISCSI_ERR_DATALEN; }