From: Mike Christie <mchristi@redhat.com>
To: Matthew Wilcox <willy@infradead.org>, linux-kernel@vger.kernel.org
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
	Bart Van Assche <bart.vanassche@wdc.com>,
	Hannes Reinecke <hare@suse.com>,
	Kees Cook <keescook@chromium.org>,
	Varun Prakash <varun@chelsio.com>,
	Sagi Grimberg <sagi@grimberg.me>,
	Philippe Ombredanne <pombredanne@nexb.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	"David S. Miller" <davem@davemloft.net>,
	Denys Vlasenko <dvlasenk@redhat.com>,
	linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: Re: [PATCH 18/26] target/iscsi: Allocate session IDs from an IDA
Date: Thu, 26 Jul 2018 11:48:22 -0500
Message-ID: <5B59FB56.9090901@redhat.com>
In-Reply-To: <20180621212835.5636-19-willy@infradead.org>

On 06/21/2018 04:28 PM, Matthew Wilcox wrote:

> @@ -1163,11 +1157,9 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
>  		goto old_sess_out;
>  	if (conn->sess->se_sess)
>  		transport_free_session(conn->sess->se_sess);
> -	if (conn->sess->session_index != 0) {
> -		spin_lock_bh(&sess_idr_lock);
> -		idr_remove(&sess_idr, conn->sess->session_index);
> -		spin_unlock_bh(&sess_idr_lock);

This code looks buggy. We will probably NULL pointer oops before we hit it.

It looks like the session_index check was supposed to detect when login
fails in the middle of doing login, so that code probably wanted to do:

idr_alloc(&sess_idr, NULL, 1, 0, GFP_NOWAIT);

The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
iscsi_login_set_conn_values. If the function fails later, like when we
alloc the idr, it does kfree(sess) and leaves the conn->sess pointer set.
iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
iscsi_target_login_sess_out and access the freed memory above.

So I am not sure what we want to do here for your patch since it is not
adding any new bugs. Just merge your patch now and I can send a fix for
the above bug over it?


> -	}
> +	/* Um, 0 is a valid ID.  I suppose we never free it? */
> +	if (conn->sess->session_index != 0)
> +		ida_free(&sess_ida, conn->sess->session_index);
>  	kfree(conn->sess->sess_ops);
>  	kfree(conn->sess);
>  	conn->sess = NULL;
> 
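
Review bot: The added `if (conn->sess->session_index != 0)` guard before ida_free() treats 0 as "no ID allocated", yet the comment directly above it says 0 is a valid ID, so a session that was handed ID 0 never returns it to sess_ida. Either allocate from 1 (for example with ida_alloc_min()) so that 0 stays a reliable sentinel, or record the allocation in a separate flag and free whenever that flag is set; the "Um ... I suppose we never free it?" comment should then be replaced by a statement of which of the two holds. These lines also dereference conn->sess, so they depend on the pointer still being valid on every path into this function, which the reply above questions for the failed-login case.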


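The failure path described in the reply above, as a userspace C model added here (not code from the kernel, the patch, or either author); the struct names, function names and the toy ID allocator are hypothetical stand-ins. It shows the error path clearing the early-published pointer, and the cleanup path using an explicit flag so that an ID of 0 is released too.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the session and connection objects. */
struct session { int session_index; bool id_allocated; };
struct conn { struct session *sess; };

/* Toy ID allocator standing in for the IDA: hands out 0, 1, 2, ... */
static int next_id;
static int live_ids;
static int id_alloc(bool fail) { if (fail) return -1; live_ids++; return next_id++; }
static void id_free(int id) { (void)id; live_ids--; }

int live_id_count(void) { return live_ids; }

/* Login step: the session is published on the connection before its ID
 * is allocated, which is the ordering the reply describes. */
int login_step(struct conn *c, bool fail_alloc)
{
	struct session *s = calloc(1, sizeof(*s));

	if (!s)
		return -1;
	c->sess = s;			/* published early */

	int id = id_alloc(fail_alloc);
	if (id < 0) {
		free(s);
		c->sess = NULL;		/* without this, c->sess dangles */
		return -1;
	}
	s->session_index = id;
	s->id_allocated = true;
	return 0;
}

/* Cleanup path: safe to call after a failure at any point in login_step. */
void login_sess_out(struct conn *c)
{
	if (!c->sess)
		return;
	if (c->sess->id_allocated)	/* flag, not "index != 0": ID 0 is valid */
		id_free(c->sess->session_index);
	free(c->sess);
	c->sess = NULL;
}
```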