Re: [PATCH] scsi: target: copy iSCSI ISID before unmapping the PR OUT buffer

From: Bryam Vargas

Date: Mon Jun 08 2026 - 20:59:19 EST


On 06/06/2026, John Garry wrote:
> It's not so nice to re-assign the pointer like this or have it even
> pointing at a local array.
>
> Is it really messy for iscsi_parse_pr_out_transport_id() to do something
> like kstrdup and then the caller has the job of later free'ing it?

You are right -- v2 moves the copy into iscsi_parse_pr_out_transport_id()
so the parser returns an owned allocation via *port_nexus_ptr and callers
kfree() it.

We use kzalloc(PR_REG_ISID_LEN) + strscpy_pad() rather than plain kstrdup()
because __core_scsi3_do_alloc_registration() reads the ISID with a fixed
8-byte get_unaligned_be64(isid). A malformed TransportID with an ISID
shorter than 8 characters would give a kstrdup allocation smaller than 8
bytes, turning that read into a heap out-of-bounds. kzalloc zero-fills the
full PR_REG_ISID_LEN (16) bytes so the be64 read is always in-bounds and
returns a deterministic value; strscpy_pad() copies the lowercased ISID and
NUL-fills the tail.

core_scsi3_decode_spec_i_port() also receives the allocated pointer and
needs to kfree() it. The inner list_for_each_entry iterates over multiple
TPGs per TransportID, calling the parser at each; we kfree(iport_ptr) before
the reset at the top of each inner-loop iteration so a failed ACL match that
triggers a continue does not leak the previous parse's allocation.
kfree(iport_ptr) is also added at out_unmap: (error exit) and before
return 0 (success exit).

[PATCH v2] follows.
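A userspace C model of the allocation choice discussed above, added here as an illustration rather than code from the patch or the kernel: the ISID is copied into a zero-filled, fixed PR_REG_ISID_LEN (16, as stated in the mail) buffer, so an 8-byte big-endian read stays in-bounds for any input length, while a strdup-style allocation of a short ISID would be smaller than 8 bytes. get_unaligned_be64() is a hypothetical stand-in for the kernel helper, and parse_isid_owned(), isid_be64_value() and strdup_alloc_size() are names assumed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PR_REG_ISID_LEN 16   /* value taken from the mailing-list discussion */

/* Hypothetical userspace stand-in for the kernel's get_unaligned_be64():
 * reads exactly 8 bytes, most significant first. */
static uint64_t get_unaligned_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Model of the v2 parser: always allocate PR_REG_ISID_LEN zeroed bytes
 * (kzalloc analogue), copy the lowercased ISID truncated to fit with a
 * terminating NUL, and leave the tail zero (what strscpy_pad() guarantees).
 * The caller owns and frees the returned buffer. */
char *parse_isid_owned(const char *isid_src)
{
    char *buf = calloc(1, PR_REG_ISID_LEN);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < PR_REG_ISID_LEN - 1 && isid_src[i]; i++)
        buf[i] = (char)tolower((unsigned char)isid_src[i]);
    return buf;
}

/* The registration-side read: 8 bytes from the start of the owned buffer.
 * In-bounds regardless of the ISID length because the buffer is 16 bytes. */
uint64_t isid_be64_value(const char *isid_src)
{
    char *buf = parse_isid_owned(isid_src);
    if (!buf)
        return 0;
    uint64_t v = get_unaligned_be64((const unsigned char *)buf);
    free(buf);
    return v;
}

/* Size a plain kstrdup-style copy would allocate: strlen + NUL. Below 8
 * bytes, the 8-byte read above would run past the end of the allocation. */
size_t strdup_alloc_size(const char *isid_src)
{
    return strlen(isid_src) + 1;
}

int main(void)
{
    const char *constructed = "ABC";   /* constructed short ISID for the demo */
    printf("strdup size %zu, fixed size %d, be64 0x%016llx\n",
           strdup_alloc_size(constructed), PR_REG_ISID_LEN,
           (unsigned long long)isid_be64_value(constructed));
    return 0;
}
```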