From b4ba92094e44eda1171f1f05d123d44f30e65866 Mon Sep 17 00:00:00 2001 From: zhenwei pi Date: Wed, 26 Feb 2020 19:53:16 +0800 Subject: [PATCH] iser: fix segfault at iser_reg_mr Hit segfault at iser_reg_mr during attaching disk with backtrace: #0 0x000055ace9635b0f in iser_reg_mr (iser_conn=0x55aceca33820) at iser.c:1060 #1 iser_connected_handler (cma_id=) at iser.c:1300 #2 iser_cma_handler (event=0x7f29ef1f7950, cma_id=, iser_conn=0x55aceca33820) at iser.c:1326 #3 cm_thread (arg=0x55aceca33820) at iser.c:1380 #4 0x00007f2e2c31c4a4 in start_thread (arg=0x7f29ef1f8700) at pthread_create.c:456 #5 0x00007f2e2c05ed0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97 (gdb) p *iser_conn->tx_desc Cannot access memory at address 0x20 This issue can be reproduced easily by attaching several disks of iser protocol: # virsh attach-device stretch iser0.xml # virsh attach-device stretch iser1.xml ... Initialize instances with zero to avoid random value pointer. Signed-off-by: zhenwei pi
---
 lib/iser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/iser.c b/lib/iser.c
index 3e50489..95f95ec 100644
--- a/lib/iser.c
+++ b/lib/iser.c
@@ -1036,7 +1036,7 @@ iser_reg_mr(struct iser_conn *iser_conn)
 for (i = 0 ; i < NUM_MRS ; i++) {
- tx_desc = iscsi_malloc(iscsi, sizeof(*tx_desc));
+ tx_desc = iscsi_zmalloc(iscsi, sizeof(*tx_desc));
 if (tx_desc == NULL) {
 iscsi_set_error(iscsi, "Out-Of-Memory, failed to allocate data buffer");
 return -1;
@@ -1478,7 +1478,7 @@ static iscsi_transport iscsi_transport_iser = {
 void iscsi_init_iser_transport(struct iscsi_context *iscsi)
 {
 iscsi->drv = &iscsi_transport_iser;
- iscsi->opaque = iscsi_malloc(iscsi, sizeof(struct iser_conn));
+ iscsi->opaque = iscsi_zmalloc(iscsi, sizeof(struct iser_conn));
 iscsi->transport = ISER_TRANSPORT;
 /* Update iSCSI params as per iSER transport */
 iscsi->initiator_max_recv_data_segment_length = ISCSI_DEF_MAX_RECV_SEG_LEN;
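Review bot: The `return -1` on allocation failure inside the `for (i = 0 ; i < NUM_MRS ; i++)` loop leaves without releasing the descriptors allocated in earlier iterations, as far as this hunk shows. If the caller does not unwind whatever is already attached to `iser_conn`, every failed attach under memory pressure leaks those buffers. The loop body and the rest of iser_reg_mr lie outside the hunk, so please confirm the failure path frees them. It would also help to state the new invariant next to the allocation, e.g. `/* zeroed: pointer fields must read as NULL until they are assigned */`, so a later switch back to a non-zeroing allocator does not reintroduce the uninitialised-pointer read described in the commit message.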
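Review bot: The pointer returned by `iscsi_zmalloc()` is stored in `iscsi->opaque` without a NULL check, and the next line still sets `iscsi->transport = ISER_TRANSPORT`. On allocation failure the context is therefore marked as iSER with no connection object, which later iSER code would presumably dereference. Because iscsi_init_iser_transport returns void it cannot report the failure, so at minimum record it and stop: `if (iscsi->opaque == NULL) { iscsi_set_error(iscsi, "Out-Of-Memory, failed to allocate iser_conn"); return; }`. Ideally the allocation and check come before `iscsi->drv` is assigned, so a failed init does not leave the context half-switched. The function body continues past the end of the hunk, so a check further down is possible but not visible here.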