iscsi: do not leak acb->buf when commands are aborted

acb->buf is freed in the WRITE(16) callback, but this may not get called at all when commands are aborted. Add another free in the ABORT TASK callback, which requires setting acb->buf to NULL everywhere. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

iscsi: do not leak acb->buf when commands are aborted
acb->buf is freed in the WRITE(16) callback, but this may not get called at all when commands are aborted. Add another free in the ABORT TASK callback, which requires setting acb->buf to NULL everywhere. Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
4790b03d · Paolo Bonzini · 3f668b6c · 4790b03d
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

block/iscsi.c block/iscsi.c +7 -1

未找到文件。
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -77,6 +77,9 @@ iscsi_bh_cb(void *p)

    qemu_bh_delete(acb->bh);

+    g_free(acb->buf);
+    acb->buf = NULL;
+
    if (acb->canceled == 0) {
        acb->common.cb(acb->common.opaque, acb->status);
    }
@@ -198,6 +201,7 @@ iscsi_aio_write16_cb(struct iscsi_context *iscsi, int status,
    trace_iscsi_aio_write16_cb(iscsi, status, acb, acb->canceled);

    g_free(acb->buf);
+    acb->buf = NULL;

    if (acb->canceled != 0) {
        return;
@@ -241,6 +245,7 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num,
    acb->canceled   = 0;
    acb->bh         = NULL;
    acb->status     = -EINPROGRESS;
+    acb->buf        = NULL;

    /* XXX we should pass the iovec to write16 to avoid the extra copy */
    /* this will allow us to get rid of 'buf' completely */
@@ -249,7 +254,6 @@ iscsi_aio_writev(BlockDriverState *bs, int64_t sector_num,

    /* if the iovec only contains one buffer we can pass it directly */
    if (acb->qiov->niov == 1) {
-        acb->buf = NULL;
        data.data = acb->qiov->iov[0].iov_base;
    } else {
        acb->buf = g_malloc(data.size);
@@ -440,6 +444,7 @@ iscsi_aio_flush(BlockDriverState *bs,
    acb->canceled   = 0;
    acb->bh         = NULL;
    acb->status     = -EINPROGRESS;
+    acb->buf        = NULL;

    acb->task = iscsi_synchronizecache10_task(iscsi, iscsilun->lun,
                                         0, 0, 0, 0,
@@ -493,6 +498,7 @@ iscsi_aio_discard(BlockDriverState *bs,
    acb->canceled   = 0;
    acb->bh         = NULL;
    acb->status     = -EINPROGRESS;
+    acb->buf        = NULL;

    list[0].lba = sector_qemu2lun(sector_num, iscsilun);
    list[0].num = nb_sectors * BDRV_SECTOR_SIZE / iscsilun->block_size;