Re: [PATCH for-rc] scsi: libiscsi: initialize iscsi_conn->dd_data only if memory is allocated

[Chris Leech <cleech@redhat.com>]

On Fri, Jun 27, 2025 at 04:53:29PM +0530, Showrya M N wrote:
> In case of an ib_fast_reg_mr allocation failure during iSER setup,
> the machine hits a panic because iscsi_conn->dd_data is initialized
> unconditionally, even when no memory is allocated (dd_size == 0).
> This leads invalid pointer dereference during connection teardown.
> 
> Fix by setting iscsi_conn->dd_data only if memory is actually allocated.

iser is allocating the iser_conn along with the endpoint, and
dynamically updating iscsi_conn->dd_data to track that allocation.
That's different from all the other libiscsi drivers which allocate a
fixed sized driver area with every iscsi_conn.

I don't see any problem with conditionally setting iscsi_conn->dd_data,
and it makes sense to not have an invalid pointer for a 0 size request.

iscsi_iser_conn_stop already has the checks for a NULL dd_data for this
case of a bind failure, so that looks OK.

Signed-off-by: Chris Leech <cleech@redhat.com>

> Panic trace:
> ------------
>  iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
>  iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
>  BUG: unable to handle page fault for address: fffffffffffffff8
>  RIP: 0010:swake_up_locked.part.5+0xa/0x40
>  Call Trace:
>   complete+0x31/0x40
>   iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
>   iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
>   iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
>   iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
>   ? netlink_lookup+0x12f/0x1b0
>   ? netlink_deliver_tap+0x2c/0x200
>   netlink_unicast+0x1ab/0x280
>   netlink_sendmsg+0x257/0x4f0
>   ? _copy_from_user+0x29/0x60
>   sock_sendmsg+0x5f/0x70
> 
> Signed-off-by: Showrya M N <showrya@chelsio.com>
> Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
> ---
>  drivers/scsi/libiscsi.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
> index 392d57e054db..c9f410c50978 100644
> --- a/drivers/scsi/libiscsi.c
> +++ b/drivers/scsi/libiscsi.c
> @@ -3185,7 +3185,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size,
>  		return NULL;
>  	conn = cls_conn->dd_data;
>  
> -	conn->dd_data = cls_conn->dd_data + sizeof(*conn);
> +	if (dd_size)
> +		conn->dd_data = cls_conn->dd_data + sizeof(*conn);
>  	conn->session = session;
>  	conn->cls_conn = cls_conn;
>  	conn->c_stage = ISCSI_CONN_INITIAL_STAGE;
> -- 
> 2.39.3
>