From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Vincent Pelletier <plr.vincent@gmail.com>,
	Mike Christie <mchristi@redhat.com>,
	Matthew Wilcox <willy@infradead.org>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.14 06/37] scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
Date: Mon, 1 Oct 2018 00:38:56 +0000
Message-ID: <20181001003850.147107-6-alexander.levin@microsoft.com>
In-Reply-To: <20181001003850.147107-1-alexander.levin@microsoft.com>

From: Vincent Pelletier <plr.vincent@gmail.com>

[ Upstream commit 7915919bb94e12460c58e27c708472e6f85f6699 ]

Fixes a use-after-free reported by KASAN when later
iscsi_target_login_sess_out gets called and it tries to access
conn->sess->se_sess:

Disabling lock debugging due to kernel taint
iSCSI Login timeout on Network Portal [::]:3260
iSCSI Login negotiation failed.
==================================================================
BUG: KASAN: use-after-free in
iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
Read of size 8 at addr ffff880109d070c8 by task iscsi_np/980

CPU: 1 PID: 980 Comm: iscsi_np Tainted: G           O
4.17.8kasan.sess.connops+ #4
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB,
BIOS 5.6.5 05/19/2014
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod]
 ? __sched_text_start+0x8/0x8
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 ? __kthread_parkme+0xcc/0x100
 ? parse_args.cold.14+0xd3/0xd3
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

Allocated by task 980:
 kasan_kmalloc+0xbf/0xe0
 kmem_cache_alloc_trace+0x112/0x210
 iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

Freed by task 980:
 __kasan_slab_free+0x125/0x170
 kfree+0x90/0x1d0
 iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff880109d06f00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 456 bytes inside of
 512-byte region [ffff880109d06f00, ffff880109d07100)
The buggy address belongs to the page:
page:ffffea0004274180 count:1 mapcount:0 mapping:0000000000000000
index:0x0 compound_mapcount: 0
flags: 0x17fffc000008100(slab|head)
raw: 017fffc000008100 0000000000000000 0000000000000000 00000001000c000c
raw: dead000000000100 dead000000000200 ffff88011b002e00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
[rebased against idr/ida changes and to handle ret review comments from Matthew]
Signed-off-by: Mike Christie <mchristi@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Reviewed-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/target/iscsi/iscsi_target_login.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index 98e27da34f3c..27893d90c4ef 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1(
 		return -ENOMEM;
 	}
 
-	ret = iscsi_login_set_conn_values(sess, conn, pdu->cid);
-	if (unlikely(ret)) {
-		kfree(sess);
-		return ret;
-	}
+	if (iscsi_login_set_conn_values(sess, conn, pdu->cid))
+		goto free_sess;
+
 	sess->init_task_tag	= pdu->itt;
 	memcpy(&sess->isid, pdu->isid, 6);
 	sess->exp_cmd_sn	= be32_to_cpu(pdu->cmdsn);
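Review bot: the new `goto free_sess` jumps to a label outside this hunk's context, and no visible line sets `conn->sess` to NULL as the subject says, so confirm that the `free_sess` path both frees `sess` and clears `conn->sess`; otherwise iscsi_target_login_sess_out would still see the stale pointer and the KASAN report in the commit message would persist. Also, the old path returned the specific error from iscsi_login_set_conn_values (`return ret;`), while the new path returns whatever `free_sess` returns; if that change in the propagated errno is intended, a sentence in the commit message would help, and `ret` should be checked for an unused-variable warning if this was its only assignment before a later use.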
-- 
2.17.1
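As an added illustration that is not the kernel's code, here is a user-space model of the lifetime bug the commit message describes and of the shape of the fix: set_conn_values, zero_tsih_s1_buggy, zero_tsih_s1_fixed and login_sess_out are simplified stand-ins I wrote for the iSCSI target functions named on the page, the failure is injected through a flag, and the model assumes, as the subject line implies, that the later cleanup checks conn->sess for NULL before dereferencing it.

```c
#include <errno.h>
#include <stdlib.h>
struct iscsi_session { int session_index; };
struct iscsi_conn { struct iscsi_session *sess; };

/* Like iscsi_login_set_conn_values(): links conn->sess, then a later step can fail. */
static int set_conn_values(struct iscsi_session *sess, struct iscsi_conn *conn, int fail)
{
    conn->sess = sess;          /* back-pointer is set before the failure point */
    return fail ? -EINTR : 0;
}

/* Pre-patch shape: sess is freed but conn->sess still points at it. */
int zero_tsih_s1_buggy(struct iscsi_conn *conn, int fail)
{
    struct iscsi_session *sess = calloc(1, sizeof(*sess));
    if (!sess)
        return -ENOMEM;
    int ret = set_conn_values(sess, conn, fail);
    if (ret)
        free(sess);             /* conn->sess is now dangling */
    return ret;
}

/* Post-patch shape: one error path frees sess and clears the back-pointer. */
int zero_tsih_s1_fixed(struct iscsi_conn *conn, int fail)
{
    struct iscsi_session *sess = calloc(1, sizeof(*sess));
    if (!sess)
        return -ENOMEM;
    if (set_conn_values(sess, conn, fail))
        goto free_sess;
    return 0;
free_sess:
    free(sess);
    conn->sess = NULL;          /* later cleanup sees NULL, not freed memory */
    return -ENOMEM;
}

/* Like iscsi_target_login_sess_out(): the NULL check is what makes clearing
 * conn->sess sufficient. Returns 1 if it tore a session down, 0 if skipped. */
int login_sess_out(struct iscsi_conn *conn)
{
    if (!conn->sess)
        return 0;
    conn->sess->session_index = -1; /* dereferences conn->sess: a UAF if dangling */
    free(conn->sess);
    conn->sess = NULL;
    return 1;
}
```

Built with -fsanitize=address, calling login_sess_out after zero_tsih_s1_buggy fails reproduces the same class of use-after-free the KASAN report shows, while the fixed variant makes the cleanup a no-op.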
