map_sg not reset in loop


Shivaram U

May 15, 2007, 2:52:36 PM5/15/07
to Core-iSCSI
Greetings Nathan,

In iscsi_initiator.c:iscsi_initiator_tx_thread the map_sg variable
needs to be reset to zero every time the loop is executed. I remember
facing a problem when the datasize was 128k. I couldn't debug for what
exact reasons then. But below is a trace of the output I had

Apr 12 22:33:43 scache kernel: ISTATE_SEND_DATAOUT
Apr 12 22:33:43 scache kernel: map_sg 1
Apr 12 22:33:43 scache kernel: cmd->scsi_cmnd use_sg 0
Apr 12 22:33:43 scache kernel: OFMarker 0
Apr 12 22:33:43 scache kernel: ISTATE_SEND_DATAOUT
Apr 12 22:33:43 scache kernel: map_sg 1
Apr 12 22:33:43 scache kernel: cmd->scsi_cmnd use_sg 0
Apr 12 22:33:43 scache kernel: OFMarker 0
Apr 12 22:33:43 scache kernel: ISTATE_SEND_IMMEDIATE_NOPOUT
Apr 12 22:33:43 scache kernel: ------------[ cut here ]------------
Apr 12 22:33:43 scache kernel: kernel BUG at /home/scache/new/core-iscsi-v1.6.2.9/iscsi_initiator.c:2775! (this won't match with the source code)

From the above, state was ISTATE_SEND_DATAOUT in the previous
iteration and in the current iteration it's
ISTATE_SEND_IMMEDIATE_NOPOUT. However this results in a NULL pointer
exception at 2758 below

2757
2758 if (map_sg && cmd->scsi_cmnd->use_sg && !CONN_OPS(conn)->OFMarker) {
2759 #if 0
2760 if (iscsi_sendpage_sg(&unmap_sg, conn) < 0) {
2761 #else
2762 if (iscsi_send_tx_data(cmd, conn, use_misc) < 0) {
2763 #endif

In the current iteration map_sg is still one from the previous
iteration (in the previous iteration it seems that cmd->scsi_cmnd->use_sg
is zero and so the code that resets map_sg to zero wasn't
executed), but in the current iteration scsi_cmnd is NULL. So a null
deref exists for cmd->scsi_cmnd->use_sg

The patch below should fix the problem. Similar changes for scsi_task,
although I didn't face any problems in that piece of code.

Best Regards,
Shivram

--
http://www.scache.com
Intelligent VTL Solutions

diff -pNarU5 core-iscsi-v1.6.2.9/iscsi_initiator.c core-iscsi-
v1.6.2.9.new/iscsi_initiator.c
--- core-iscsi-v1.6.2.9/iscsi_initiator.c 2006-06-29
02:17:09.000000000 +0530
+++ core-iscsi-v1.6.2.9.new/iscsi_initiator.c 2007-05-15
23:31:29.000000000 +0530
@@ -2753,30 +2753,21 @@ check_state:
cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
conn->tx_immediate_queue = 0;
goto transport_err;
}

+ if (iscsi_send_tx_data(cmd, conn, use_misc) < 0) {
+ cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
+ conn->tx_immediate_queue = 0;
+ goto transport_err;
+ }
+
if (map_sg && cmd->scsi_cmnd->use_sg && !CONN_OPS(conn)->OFMarker)
{
-#if 0
- if (iscsi_sendpage_sg(&unmap_sg, conn) < 0) {
-#else
- if (iscsi_send_tx_data(cmd, conn, use_misc) < 0) {
-#endif
- cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
- conn->tx_immediate_queue = 0;
- goto transport_err;
- }

iscsi_unmap_scatterlists((void *)&unmap_sg);
- map_sg = 0;
- } else {
- if (iscsi_send_tx_data(cmd, conn, use_misc) < 0) {
- cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
- conn->tx_immediate_queue = 0;
- goto transport_err;
- }
}
+ map_sg = 0;

spin_lock_bh(&cmd->state_lock);
switch (state) {
case ISTATE_SEND_DATAOUT:
if (!eos)
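Review bot: the guard `if (map_sg && cmd->scsi_cmnd->use_sg && !CONN_OPS(conn)->OFMarker)` still dereferences cmd->scsi_cmnd whenever map_sg is set, so moving `map_sg = 0;` after the block only fixes the oops as long as map_sg is never set in an iteration whose cmd has a NULL scsi_cmnd; adding `cmd->scsi_cmnd &&` to the condition would make the guard robust against the same stale-flag mistake recurring. Also, with the unconditional reset an iteration where map_sg is set but use_sg is zero or OFMarker is enabled now clears map_sg without calling iscsi_unmap_scatterlists; the old else path never unmapped either, so behaviour is unchanged, but a short comment stating that nothing was mapped in that case would help the next reader. Folding the two identical iscsi_send_tx_data calls into one and dropping the dead `#if 0` iscsi_sendpage_sg branch is a welcome cleanup.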
@@ -2936,18 +2927,18 @@ get_command:
cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
cmd->cmd_flags &= ~ICF_CMD_NONIMMEDIATE_ACTIVE;
goto transport_err;
}
iscsi_check_scsi_cmnd_unmap(&unmap_sg);
- scsi_task = 0;
} else {
if (iscsi_send_tx_data(cmd, conn, 0) < 0) {
cmd->cmd_flags &= ~ICF_CMD_STATE_ACTIVE;
cmd->cmd_flags &= ~ICF_CMD_NONIMMEDIATE_ACTIVE;
goto transport_err;
}
}
+ scsi_task = 0;

spin_lock_bh(&cmd->state_lock);
switch (cmd->state) {
case ISTATE_SEND_SCSI_CMD:
if (!cmd->unsolicited_data_out) {
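Review bot: this hunk mirrors the first one, moving `scsi_task = 0;` below the else branch so the flag is cleared on every pass through get_command, which matches the cover note; since the conditional that tests scsi_task is above the visible context, the cover note's remark that no problem was observed here should be carried into the commit message, stating whether this is a defensive consistency change or whether that conditional can also dereference a pointer that is NULL on the non-immediate path.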
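To make the stale-flag mechanism concrete, here is an added model in C of the map_sg bookkeeping described in the report. It is not core-iSCSI code; the structs, the enum values, the run_tx_loop function and the constructed command queues are hypothetical stand-ins for the real tx_thread state. The queue in trace_scenario reproduces the reported sequence (two DATAOUT commands with use_sg == 0 followed by a NOP-Out whose scsi_cmnd is NULL), and the loop counts how often the original and patched placements of `map_sg = 0` would read use_sg through a NULL pointer.

```c
/* Added example, not core-iSCSI code: a model of the map_sg bookkeeping
 * in the transmit loop, run over constructed command queues.
 * All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum istate { ISTATE_SEND_DATAOUT, ISTATE_SEND_IMMEDIATE_NOPOUT };

struct scsi_cmnd { int use_sg; };          /* nonzero: payload lives in a scatterlist */
struct iscsi_cmd { enum istate state; struct scsi_cmnd *scsi_cmnd; };

struct tx_result {
    int unmapped;     /* times the scatterlist would be unmapped */
    int null_derefs;  /* times cmd->scsi_cmnd->use_sg is read through a NULL pointer */
};

/* reset_every_iteration == false reproduces the original placement of
 * "map_sg = 0" (only after an unmap); true reproduces the patch. */
static struct tx_result run_tx_loop(const struct iscsi_cmd *queue, size_t n,
                                    bool ofmarker, bool reset_every_iteration)
{
    struct tx_result r = {0, 0};
    int map_sg = 0;   /* persists across iterations, like the local in tx_thread */

    for (size_t i = 0; i < n; i++) {
        const struct iscsi_cmd *cmd = &queue[i];

        if (cmd->state == ISTATE_SEND_DATAOUT)
            map_sg = 1;   /* DATAOUT maps the payload scatterlist */

        /* models: if (map_sg && cmd->scsi_cmnd->use_sg && !OFMarker) */
        if (map_sg) {
            if (cmd->scsi_cmnd == NULL) {
                r.null_derefs++;   /* the kernel would oops here */
            } else if (cmd->scsi_cmnd->use_sg && !ofmarker) {
                r.unmapped++;
                if (!reset_every_iteration)
                    map_sg = 0;    /* original reset point: only on this path */
            }
        }
        if (reset_every_iteration)
            map_sg = 0;            /* patched reset point: every iteration */
    }
    return r;
}

/* Constructed queue matching the reported trace. */
static struct tx_result trace_scenario(bool patched)
{
    struct scsi_cmnd no_sg = { 0 };
    struct iscsi_cmd queue[] = {
        { ISTATE_SEND_DATAOUT, &no_sg },
        { ISTATE_SEND_DATAOUT, &no_sg },
        { ISTATE_SEND_IMMEDIATE_NOPOUT, NULL },
    };
    return run_tx_loop(queue, 3, false, patched);
}

/* Constructed queue where the scatterlist really is mapped and unmapped. */
static struct tx_result sg_scenario(bool patched)
{
    struct scsi_cmnd with_sg = { 1 };
    struct iscsi_cmd queue[] = {
        { ISTATE_SEND_DATAOUT, &with_sg },
        { ISTATE_SEND_IMMEDIATE_NOPOUT, NULL },
    };
    return run_tx_loop(queue, 2, false, patched);
}

int main(void)
{
    struct tx_result o = trace_scenario(false), p = trace_scenario(true);
    printf("trace: original null derefs=%d, patched null derefs=%d\n",
           o.null_derefs, p.null_derefs);
    return 0;
}
```

In the original placement the flag survives an iteration in which use_sg is zero, so the next command with a NULL scsi_cmnd is dereferenced; with the reset at the end of every iteration the short-circuit on map_sg skips the dereference, while the mapped case still unmaps exactly once.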
