SCST 3.7: possible NULL dereference of sess->acg in TM thread during iSCSI session/connection reinstatement #367

@JakieGuo

Description

The system crashed with a NULL pointer dereference in the SCST TM thread:

```
BUG: unable to handle kernel NULL pointer dereference at 0000000000000464
RIP: scst_tm_thread+0x208/0x1740 [scst]
```

Around the crash, the iSCSI logs also showed:

```
Duplicate IQN causes session/connection reinstatement
iscsi_restart_cmnd: Pending cmnd ..., because conn ... is reinstated
```

This indicates that iSCSI connection/session reinstatement was happening at the time of the crash.

A possible reason, shown in the following code:

```c
static int scst_mgmt_cmd_init(struct scst_mgmt_cmd *mcmd)
{
	int res = 0, rc, t;

	/* sess->acg is read here without scst_mutex held */
	t = mcmd->sess->acg->acg_black_hole_type;
	...
}

static void scst_check_reassign_sess(struct scst_session *sess)
{
	...
	old_acg = sess->acg;
	sess->acg = NULL; /* to catch implicit dependencies earlier */
	...
	sess->acg = acg;
	...
}
```
This function is called while handling ACG / initiator changes, for example when adding, deleting, clearing or moving initiator names in sysfs. The reassignment path holds scst_mutex, but the TM thread does not hold scst_mutex while entering scst_mgmt_cmd_init().
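The interleaving described above, as an added illustration that is not code from the SCST project or from the reporter: a small user-space C model in which a pthread mutex stands in for `scst_mutex`, the structure layouts and helper names (`reassign_begin`, `reassign_end`, `black_hole_type_unlocked`, `black_hole_type_locked`) are assumptions, and `-1` is a sentinel the model returns where the real TM thread would dereference NULL. The lock-free reader observes the transient NULL inside the reassignment window; the reader that takes the same mutex and rejects a NULL `acg` waits until the new ACG is published.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the two SCST structures named in the report. Field and helper
 * names are assumptions for illustration, not SCST's real definitions. */
struct scst_acg { int acg_black_hole_type; };
struct scst_session { struct scst_acg *acg; };

/* Stand-in for scst_mutex. */
static pthread_mutex_t scst_mutex = PTHREAD_MUTEX_INITIALIZER;

/* The reassignment window from scst_check_reassign_sess(): sess->acg is NULL
 * between these two calls, and scst_mutex is held for the whole window. */
static void reassign_begin(struct scst_session *sess)
{
	pthread_mutex_lock(&scst_mutex);
	sess->acg = NULL;	/* same "catch implicit dependencies" trick */
}

static void reassign_end(struct scst_session *sess, struct scst_acg *acg)
{
	sess->acg = acg;
	pthread_mutex_unlock(&scst_mutex);
}

/* Lock-free read as in scst_mgmt_cmd_init(): it can observe the transient
 * NULL. The NULL check exists only so the model reports the race (-1)
 * instead of faulting; the real code dereferences the pointer directly. */
static int black_hole_type_unlocked(struct scst_session *sess)
{
	struct scst_acg *acg = sess->acg;
	return acg ? acg->acg_black_hole_type : -1;
}

/* Hardened read: take scst_mutex so the read cannot overlap the window, and
 * still refuse a NULL acg rather than trust the invariant (-1 on a detached
 * session). */
static int black_hole_type_locked(struct scst_session *sess)
{
	int t;

	pthread_mutex_lock(&scst_mutex);
	t = sess->acg ? sess->acg->acg_black_hole_type : -1;
	pthread_mutex_unlock(&scst_mutex);
	return t;
}

struct reader_arg { struct scst_session *sess; int result; };

static void *reader_thread(void *p)
{
	struct reader_arg *a = p;

	a->result = black_hole_type_locked(a->sess);
	return NULL;
}

/* "TM thread" reads without the lock while reassignment is mid-flight:
 * it sees the NULL window and returns the sentinel -1. */
static int race_unlocked_observes_null(void)
{
	struct scst_acg old_acg = { 1 }, new_acg = { 2 };
	struct scst_session sess = { &old_acg };
	int seen;

	reassign_begin(&sess);
	seen = black_hole_type_unlocked(&sess);
	reassign_end(&sess, &new_acg);
	return seen;
}

/* Same schedule with the locked reader: it starts inside the window but
 * blocks on scst_mutex, so it only runs once the new acg (type 2) is
 * published. */
static int race_locked_waits_for_new_acg(void)
{
	struct scst_acg old_acg = { 1 }, new_acg = { 2 };
	struct scst_session sess = { &old_acg };
	struct reader_arg a = { &sess, 0 };
	pthread_t tid;

	reassign_begin(&sess);
	pthread_create(&tid, NULL, reader_thread, &a);
	reassign_end(&sess, &new_acg);
	pthread_join(tid, NULL);
	return a.result;
}

int main(void)
{
	printf("unlocked read during reassignment: %d\n", race_unlocked_observes_null());
	printf("locked read during reassignment:   %d\n", race_locked_waits_for_new_acg());
	return 0;
}
```

The model only shows the two sides of the race the report names; which lock the TM thread should actually take, or whether the reassignment path should avoid publishing a NULL pointer at all, is a design decision for the SCST maintainers and is not settled here.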
