From: Mike Christie <mchristi@redhat.com>
To: Matthew Wilcox <willy@infradead.org>, linux-kernel@vger.kernel.org
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>, Bart Van Assche <bart.vanassche@wdc.com>, Hannes Reinecke <hare@suse.com>, Kees Cook <keescook@chromium.org>, Varun Prakash <varun@chelsio.com>, Sagi Grimberg <sagi@grimberg.me>, Philippe Ombredanne <pombredanne@nexb.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Kate Stewart <kstewart@linuxfoundation.org>, Thomas Gleixner <tglx@linutronix.de>, "David S. Miller" <davem@davemloft.net>, Denys Vlasenko <dvlasenk@redhat.com>, linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: Re: [PATCH 18/26] target/iscsi: Allocate session IDs from an IDA
Date: Thu, 26 Jul 2018 11:48:22 -0500
Message-ID: <5B59FB56.9090901@redhat.com>
In-Reply-To: <20180621212835.5636-19-willy@infradead.org>

On 06/21/2018 04:28 PM, Matthew Wilcox wrote:
> @@ -1163,11 +1157,9 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn, > goto old_sess_out; > if (conn->sess->se_sess) > transport_free_session(conn->sess->se_sess); > - if (conn->sess->session_index != 0) { > - spin_lock_bh(&sess_idr_lock); > - idr_remove(&sess_idr, conn->sess->session_index); > - spin_unlock_bh(&sess_idr_lock); This code looks buggy. We will probably NULL pointer oops before we hit it. It looks like the session_index check was supposed to detect when login fails in the middle of doing login, so that code probably wanted to do: idr_alloc(&sess_idr, NULL, 1, 0, GFP_NOWAIT); The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in iscsi_login_set_conn_values. If the function fails later like when we alloc the idr it does kfree(sess) and leaves the conn->sess pointer set. iscsi_login_zero_tsih_s1 then returns -Exyz and we then call iscsi_target_login_sess_out and access the freed memory above. So I am not sure what we want to do here for your patch since it is not adding any new bugs. Just merge your patch now and I can send a fix for the above bug over it? > - } > + /* Um, 0 is a valid ID. I suppose we never free it? */ > + if (conn->sess->session_index != 0) > + ida_free(&sess_ida, conn->sess->session_index); > kfree(conn->sess->sess_ops); > kfree(conn->sess); > conn->sess = NULL; >
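Review bot: In the added lines of iscsi_target_login_sess_out(), the guard `if (conn->sess->session_index != 0)` in front of ida_free() still treats 0 as "nothing allocated", while the new comment in the same hunk states that 0 is a valid ID, so a session that was handed ID 0 would never return it to sess_ida. Suggest making the invariant explicit: either allocate session IDs with a minimum of 1 (ida_alloc_min() takes a lower bound) so that the `!= 0` test is correct, or record separately whether an ID was allocated and free it unconditionally, and then replace the open question in the comment with a statement of the rule that was chosen. The guard also reads conn->sess->session_index, and the reply interleaved with this hunk describes a login failure path on which conn->sess has already been passed to kfree() but is still set when this function runs, so the conversion should either land together with a fix that clears conn->sess on that path or note the dependency in the commit message.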