From: Mike Christie <mchristi@redhat.com>
To: Matthew Wilcox <willy@infradead.org>, linux-kernel@vger.kernel.org
Cc: "Nicholas A. Bellinger" <nab@linux-iscsi.org>,
Bart Van Assche <bart.vanassche@wdc.com>,
Hannes Reinecke <hare@suse.com>,
Kees Cook <keescook@chromium.org>,
Varun Prakash <varun@chelsio.com>,
Sagi Grimberg <sagi@grimberg.me>,
Philippe Ombredanne <pombredanne@nexb.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kate Stewart <kstewart@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
"David S. Miller" <davem@davemloft.net>,
Denys Vlasenko <dvlasenk@redhat.com>,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: Re: [PATCH 18/26] target/iscsi: Allocate session IDs from an IDA
Date: Thu, 26 Jul 2018 12:13:49 -0500
Message-ID: <5B5A014D.9060901@redhat.com>
In-Reply-To: <5B59FB56.9090901@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 304 bytes --]
On 07/26/2018 11:48 AM, Mike Christie wrote:
> So I am not sure what we want to do here for your patch since it is not
> adding any new bugs. Just merge your patch now and I can send a fix for
> the above bug over it?
If we want to fix the bug first, then I made the attached patch and I
can submit it.
[-- Attachment #2: 0001-iscsi-target-fix-session-creation-failure-handling.patch --]
[-- Type: text/x-patch, Size: 2884 bytes --]
From 80c495c3d7f4487c1b6f52f70e8ddc74dcb70794 Mon Sep 17 00:00:00 2001
From: Mike Christie <mchristi@redhat.com>
Date: Thu, 26 Jul 2018 12:06:07 -0500
Subject: [PATCH] iscsi target: fix session creation failure handling
The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
iscsi_login_set_conn_values. If the function fails later like when we
alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
iscsi_target_login_sess_out and access the freed memory.
This patch has iscsi_login_zero_tsih_s1 either completely setup the
session or completely tear it down, so later in
iscsi_target_login_sess_out we can just check for it being set to the
connection.
---
drivers/target/iscsi/iscsi_target_login.c | 35 ++++++++++++++++++-------------
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index 9950178..e20d811 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -348,8 +348,7 @@ static int iscsi_login_zero_tsih_s1(
pr_err("idr_alloc() for sess_idr failed\n");
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
ISCSI_LOGIN_STATUS_NO_RESOURCES);
- kfree(sess);
- return -ENOMEM;
+ goto free_sess;
}
sess->creation_time = get_jiffies_64();
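Review bot: the idr_alloc failure branch is the first one converted to the shared unwind, and because the hunk starts at line 348 any earlier failure return in iscsi_login_zero_tsih_s1 is not shown; if one exists after the point where the commit message says conn->sess is assigned, it needs `goto free_sess` as well or it still leaves conn->sess pointing at freed memory. Jumping to free_sess rather than remove_idr is right here, since no ID was allocated on this path.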
@@ -365,20 +364,28 @@ static int iscsi_login_zero_tsih_s1(
ISCSI_LOGIN_STATUS_NO_RESOURCES);
pr_err("Unable to allocate memory for"
" struct iscsi_sess_ops.\n");
- kfree(sess);
- return -ENOMEM;
+ goto remove_idr;
}
sess->se_sess = transport_init_session(TARGET_PROT_NORMAL);
if (IS_ERR(sess->se_sess)) {
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
ISCSI_LOGIN_STATUS_NO_RESOURCES);
- kfree(sess->sess_ops);
- kfree(sess);
- return -ENOMEM;
+ goto free_ops;
}
return 0;
+
+free_ops:
+ kfree(sess->sess_ops);
+remove_idr:
+ spin_lock_bh(&sess_idr_lock);
+ idr_remove(&sess_idr, sess->session_index);
+ spin_unlock_bh(&sess_idr_lock);
+free_sess:
+ kfree(sess);
+ conn->sess = NULL;
+ return -ENOMEM;
}
static int iscsi_login_zero_tsih_s2(
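Review bot: at the free_sess label, `conn->sess = NULL` is the line that actually closes the dangling pointer described in the commit message, yet nothing visible in this function shows where conn->sess was assigned, so a short comment there (naming iscsi_login_set_conn_values as the place it is set) would keep a later cleanup from dropping it as redundant. Separately, the shared exit returns -ENOMEM for the transport_init_session failure too, which matches the removed lines but discards the ERR_PTR value; if the real error should propagate, capture PTR_ERR(sess->se_sess) in a local before `goto free_ops`, since sess is freed at the end of the unwind.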
@@ -1161,13 +1168,13 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
ISCSI_LOGIN_STATUS_INIT_ERR);
if (!zero_tsih || !conn->sess)
goto old_sess_out;
- if (conn->sess->se_sess)
- transport_free_session(conn->sess->se_sess);
- if (conn->sess->session_index != 0) {
- spin_lock_bh(&sess_idr_lock);
- idr_remove(&sess_idr, conn->sess->session_index);
- spin_unlock_bh(&sess_idr_lock);
- }
+
+ transport_free_session(conn->sess->se_sess);
+
+ spin_lock_bh(&sess_idr_lock);
+ idr_remove(&sess_idr, conn->sess->session_index);
+ spin_unlock_bh(&sess_idr_lock);
+
kfree(conn->sess->sess_ops);
kfree(conn->sess);
conn->sess = NULL;
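Review bot: dropping the `if (conn->sess->se_sess)` and `session_index != 0` guards makes this cleanup depend on an invariant that is stated only in the commit message, namely that a non-NULL conn->sess on the zero_tsih path is a fully set up session. A one-line comment above `if (!zero_tsih || !conn->sess)` saying so would help, because any later code path that assigns conn->sess before se_sess and the idr entry exist would now hand an unset se_sess to transport_free_session and an unallocated index to idr_remove.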
--
1.8.3.1