Re: [PATCH v2] scsi: target: copy iSCSI ISID before unmapping the PR OUT buffer
From: John Garry
Date: Tue Jun 09 2026 - 08:15:34 EST
On 09/06/2026 12:36, James Bottomley wrote:
On Tue, 2026-06-09 at 09:50 +0100, John Garry wrote:
@@ -1808,9 +1809,11 @@ core_scsi3_decode_spec_i_port(
core_scsi3_tpg_undepend_item(dest_tpg);
}
+ kfree(iport_ptr);
return 0;
out_unmap:
transport_kunmap_data_sg(cmd);
+ kfree(iport_ptr);
sorry for suggesting this change, but this is worse than what you had
originally, as we have so many paths to call kfree() [which means
more bugs possible]
it's hard to make good suggestions for this target code as the
functions are so large and complex.
Given that it's allocated in a function called by the routine but never
actually retained by anything what about defining it as
chat *iport_ptr __free(kfree) = NULL;
? That way we don't need to care about freeing it in the error legs.
It's not just freed in the error legs, as core_scsi3_decode_spec_i_port() calls target_parse_pr_out() in a loop
while (tpdl > 0) {
...
spin_lock(&dev->se_port_lock);
list_for_each_entry(tmp_lun, &dev->dev_sep_list, lun_dev_link) {
...
kfree(iport_ptr);
iport_ptr = NULL;
tid_found = target_parse_pr_out_transport_id(tmp_tpg,
ptr, &tid_len, &iport_ptr, i_str);
if (!tid_found)
continue;
....
kfree(iport_ptr);
out_unmap:
kfree(iport_ptr);
out:
...
If __free(kfree) attr can still handle this sort of flow, then ok.
I still think that it would be simpler to keep the mapping in place for longer (to avoid all of this), if possible.
Thanks,
John