[PATCH] use-after-free while iterating session->conn_list (two places)

[Anton Kovalenko <Anton.Kovalenko@acronis.com>]

[-- Attachment #1: Type: text/plain, Size: 508 bytes --]

​

Hi,
Please consider applying two patches in the attachment.
The problem (accessing session->conn_list after freeing session) was discovered using valgrind.

Note that while list_for_each_entry_safe is safe against current list element destruction, 
it is UNSAFE against the traversed list_head (third argument) becoming invalid during iteration.
That's exactly what happens when the last connection of a session goes away (conn_exit -> session_put -> use-after-free).

-- 
Best regards,
Anton Kovalenko

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0002-Avoid-dangling-session-reference-in-login_security_d.patch --]
[-- Type: text/x-patch; name="0002-Avoid-dangling-session-reference-in-login_security_d.patch", Size: 853 bytes --]

From 16e64b10cbe829d0b0d06d22a54efd79b161427a Mon Sep 17 00:00:00 2001
From: Anton Kovalenko <anton.kovalenko@acronis.com>
Date: Wed, 3 May 2017 14:46:38 +0300
Subject: [PATCH 2/3] Avoid dangling session reference in login_security_done

---
 usr/iscsi/iscsid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
index 700e2af..d5fe6b3 100644
--- a/usr/iscsi/iscsid.c
+++ b/usr/iscsi/iscsid.c
@@ -267,11 +267,12 @@ static void login_security_done(struct iscsi_connection *conn)
 			struct iscsi_connection *ent, *next;
 
 			/* do session reinstatement */
-
+			session_get(session);
 			list_for_each_entry_safe(ent, next, &session->conn_list,
 						 clist) {
 				conn_close(ent);
 			}
+			session_put(session);
 
 			session = NULL;
 		} else if (req->tsih != session->tsih) {
-- 
2.11.0


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0003-Avoid-session-dangling-reference-on-forced-target-de.patch --]
[-- Type: text/x-patch; name="0003-Avoid-session-dangling-reference-on-forced-target-de.patch", Size: 1041 bytes --]

From 67f7b51e6eddc55736a0bb85cbb3af95e73b68d6 Mon Sep 17 00:00:00 2001
From: Anton Kovalenko <anton.kovalenko@acronis.com>
Date: Wed, 3 May 2017 12:46:53 +0300
Subject: [PATCH 3/3] Avoid session* dangling reference on forced target
 destroy.

Closing the last connection of a session also releases the session
itself, making session->conn_list inaccessible.

Wrapping conn_list iteration into session_get/session_put prevents
session destruction while its conn_list is being iterated.
---
 usr/iscsi/target.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr/iscsi/target.c b/usr/iscsi/target.c
index bf54190..7d71206 100644
--- a/usr/iscsi/target.c
+++ b/usr/iscsi/target.c
@@ -411,9 +411,11 @@ void iscsi_target_destroy(int tid, int force)
 	}
 
 	list_for_each_entry_safe(session, stmp, &target->sessions_list, slist) {
+		session_get(session);
 		list_for_each_entry_safe(conn, ctmp, &session->conn_list, clist) {
 			conn_close(conn);
 		}
+		session_put(session);
 	}
 
 	if (!list_empty(&target->sessions_list)) {
-- 
2.11.0