* [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown
@ 2017-07-12 23:06 Khazhismel Kumykov
2017-07-13 15:56 ` kbuild test robot
2017-07-13 16:31 ` kbuild test robot
0 siblings, 2 replies; 5+ messages in thread
From: Khazhismel Kumykov @ 2017-07-12 23:06 UTC (permalink / raw)
To: lduncan, cleech; +Cc: linux-scsi, linux-kernel, open-iscsi, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 1394 bytes --]
Session attributes exposed through sysfs were freed before the device
was destroyed, resulting in a potential use-after-free. Free these
attributes after removing the device.
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
---
drivers/scsi/libiscsi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 42381adf0769..f9199bebaec7 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2851,9 +2851,6 @@ EXPORT_SYMBOL_GPL(iscsi_session_setup);
/**
* iscsi_session_teardown - destroy session, host, and cls_session
* @cls_session: iscsi session
- *
- * The driver must have called iscsi_remove_session before
- * calling this.
*/
void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
{
@@ -2863,6 +2860,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
iscsi_pool_free(&session->cmdpool);
+ iscsi_remove_session(session);
+
kfree(session->password);
kfree(session->password_in);
kfree(session->username);
@@ -2877,7 +2876,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
kfree(session->portal_type);
kfree(session->discovery_parent_type);
- iscsi_destroy_session(cls_session);
+ iscsi_free_session(cls_session);
+
iscsi_host_dec_session_cnt(shost);
module_put(owner);
}
--
2.13.2.932.g7449e964c-goog
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4843 bytes --]
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown
2017-07-12 23:06 [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown Khazhismel Kumykov
@ 2017-07-13 15:56 ` kbuild test robot
2017-07-13 16:31 ` kbuild test robot
1 sibling, 0 replies; 5+ messages in thread
From: kbuild test robot @ 2017-07-13 15:56 UTC (permalink / raw)
To: Khazhismel Kumykov
Cc: kbuild-all, lduncan, cleech, linux-scsi, linux-kernel,
open-iscsi, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 2715 bytes --]
Hi Khazhismel,
[auto build test ERROR on mkp-scsi/for-next]
[also build test ERROR on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: i386-randconfig-x018-201728 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:23: error: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type [-Werror=incompatible-pointer-types]
iscsi_remove_session(session);
^~~~~~~
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 32998 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown
@ 2017-07-13 15:56 ` kbuild test robot
0 siblings, 0 replies; 5+ messages in thread
From: kbuild test robot @ 2017-07-13 15:56 UTC (permalink / raw)
Cc: kbuild-all, lduncan, cleech, linux-scsi, linux-kernel,
open-iscsi, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 2715 bytes --]
Hi Khazhismel,
[auto build test ERROR on mkp-scsi/for-next]
[also build test ERROR on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: i386-randconfig-x018-201728 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:23: error: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type [-Werror=incompatible-pointer-types]
iscsi_remove_session(session);
^~~~~~~
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 32998 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown
@ 2017-07-13 16:31 ` kbuild test robot
0 siblings, 0 replies; 5+ messages in thread
From: kbuild test robot @ 2017-07-13 16:31 UTC (permalink / raw)
To: Khazhismel Kumykov
Cc: kbuild-all, lduncan, cleech, linux-scsi, linux-kernel,
open-iscsi, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 2724 bytes --]
Hi Khazhismel,
[auto build test WARNING on mkp-scsi/for-next]
[also build test WARNING on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 4.9.0
reproduce:
wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=xtensa
All warnings (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:2: warning: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type
iscsi_remove_session(session);
^
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 50282 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown
@ 2017-07-13 16:31 ` kbuild test robot
0 siblings, 0 replies; 5+ messages in thread
From: kbuild test robot @ 2017-07-13 16:31 UTC (permalink / raw)
Cc: kbuild-all-JC7UmRfGjtg, lduncan-IBi9RG/b67k,
cleech-H+wXaHxf7aLQT0dZR+AlfA, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
open-iscsi-/JYPxA39Uh5TLH3MbocFFw, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 3201 bytes --]
Hi Khazhismel,
[auto build test WARNING on mkp-scsi/for-next]
[also build test WARNING on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 4.9.0
reproduce:
wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=xtensa
All warnings (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:2: warning: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type
iscsi_remove_session(session);
^
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
--
You received this message because you are subscribed to the Google Groups "open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to open-iscsi-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 50282 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-07-13 16:31 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-12 23:06 [PATCH] libiscsi: Fix use-after-free race during iscsi_session_teardown Khazhismel Kumykov
2017-07-13 15:56 ` kbuild test robot
2017-07-13 15:56 ` kbuild test robot
2017-07-13 16:31 ` kbuild test robot
2017-07-13 16:31 ` kbuild test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.