* [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown
@ 2017-07-13 16:11 Khazhismel Kumykov
[not found] ` <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2017-08-29 18:29 ` Chris Leech
0 siblings, 2 replies; 10+ messages in thread
From: Khazhismel Kumykov @ 2017-07-13 16:11 UTC (permalink / raw)
To: lduncan, cleech; +Cc: linux-scsi, linux-kernel, open-iscsi, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 1398 bytes --]
Session attributes exposed through sysfs were freed before the device
was destroyed, resulting in a potential use-after-free. Free these
attributes after removing the device.
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
---
drivers/scsi/libiscsi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 42381adf0769..8696a51a5a0c 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2851,9 +2851,6 @@ EXPORT_SYMBOL_GPL(iscsi_session_setup);
/**
* iscsi_session_teardown - destroy session, host, and cls_session
* @cls_session: iscsi session
- *
- * The driver must have called iscsi_remove_session before
- * calling this.
*/
void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
{
@@ -2863,6 +2860,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
iscsi_pool_free(&session->cmdpool);
+ iscsi_remove_session(cls_session);
+
kfree(session->password);
kfree(session->password_in);
kfree(session->username);
@@ -2877,7 +2876,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
kfree(session->portal_type);
kfree(session->discovery_parent_type);
- iscsi_destroy_session(cls_session);
+ iscsi_free_session(cls_session);
+
iscsi_host_dec_session_cnt(shost);
module_put(owner);
}
--
2.13.2.932.g7449e964c-goog
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4843 bytes --]
^ permalink raw reply related [flat|nested] 10+ messages in thread[parent not found: <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>]
* [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session
[not found] ` <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
@ 2017-07-13 16:11 ` 'Khazhismel Kumykov' via open-iscsi
[not found] ` <20170713161122.89375-2-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2017-09-14 0:09 ` Lee Duncan
2017-08-24 17:33 ` [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown 'Khazhismel Kumykov' via open-iscsi
1 sibling, 2 replies; 10+ messages in thread
From: 'Khazhismel Kumykov' via open-iscsi @ 2017-07-13 16:11 UTC (permalink / raw)
To: lduncan-IBi9RG/b67k, cleech-H+wXaHxf7aLQT0dZR+AlfA
Cc: linux-scsi-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
open-iscsi-/JYPxA39Uh5TLH3MbocFFw, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 2476 bytes --]
iscsi_session_teardown was the only user of this function. Function
currently is just short for iscsi_remove_session + iscsi_free_session.
Signed-off-by: Khazhismel Kumykov <khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
---
drivers/scsi/scsi_transport_iscsi.c | 16 ----------------
include/scsi/scsi_transport_iscsi.h | 1 -
2 files changed, 17 deletions(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index a424eaeafeb0..924ac408d8a9 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -2210,22 +2210,6 @@ void iscsi_free_session(struct iscsi_cls_session *session)
}
EXPORT_SYMBOL_GPL(iscsi_free_session);
-/**
- * iscsi_destroy_session - destroy iscsi session
- * @session: iscsi_session
- *
- * Can be called by a LLD or iscsi_transport. There must not be
- * any running connections.
- */
-int iscsi_destroy_session(struct iscsi_cls_session *session)
-{
- iscsi_remove_session(session);
- ISCSI_DBG_TRANS_SESSION(session, "Completing session destruction\n");
- iscsi_free_session(session);
- return 0;
-}
-EXPORT_SYMBOL_GPL(iscsi_destroy_session);
-
/**
* iscsi_create_conn - create iscsi class connection
* @session: iscsi cls session
diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
index 6183d20a01fb..b266d2a3bcb1 100644
--- a/include/scsi/scsi_transport_iscsi.h
+++ b/include/scsi/scsi_transport_iscsi.h
@@ -434,7 +434,6 @@ extern struct iscsi_cls_session *iscsi_create_session(struct Scsi_Host *shost,
unsigned int target_id);
extern void iscsi_remove_session(struct iscsi_cls_session *session);
extern void iscsi_free_session(struct iscsi_cls_session *session);
-extern int iscsi_destroy_session(struct iscsi_cls_session *session);
extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess,
int dd_size, uint32_t cid);
extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn);
--
2.13.2.932.g7449e964c-goog
--
You received this message because you are subscribed to the Google Groups "open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to open-iscsi-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4843 bytes --]
^ permalink raw reply related [flat|nested] 10+ messages in thread[parent not found: <20170713161122.89375-2-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>]
* Re: [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session
[not found] ` <20170713161122.89375-2-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
@ 2017-08-29 18:30 ` Chris Leech
0 siblings, 0 replies; 10+ messages in thread
From: Chris Leech @ 2017-08-29 18:30 UTC (permalink / raw)
To: 'Khazhismel Kumykov' via open-iscsi
Cc: lduncan-IBi9RG/b67k, linux-scsi-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA, Khazhismel Kumykov
Thanks.
Acked-by: Chris Leech <cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Thu, Jul 13, 2017 at 09:11:22AM -0700, 'Khazhismel Kumykov' via open-iscsi wrote:
> iscsi_session_teardown was the only user of this function. Function
> currently is just short for iscsi_remove_session + iscsi_free_session.
>
> Signed-off-by: Khazhismel Kumykov <khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> ---
> drivers/scsi/scsi_transport_iscsi.c | 16 ----------------
> include/scsi/scsi_transport_iscsi.h | 1 -
> 2 files changed, 17 deletions(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index a424eaeafeb0..924ac408d8a9 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -2210,22 +2210,6 @@ void iscsi_free_session(struct iscsi_cls_session *session)
> }
> EXPORT_SYMBOL_GPL(iscsi_free_session);
>
> -/**
> - * iscsi_destroy_session - destroy iscsi session
> - * @session: iscsi_session
> - *
> - * Can be called by a LLD or iscsi_transport. There must not be
> - * any running connections.
> - */
> -int iscsi_destroy_session(struct iscsi_cls_session *session)
> -{
> - iscsi_remove_session(session);
> - ISCSI_DBG_TRANS_SESSION(session, "Completing session destruction\n");
> - iscsi_free_session(session);
> - return 0;
> -}
> -EXPORT_SYMBOL_GPL(iscsi_destroy_session);
> -
> /**
> * iscsi_create_conn - create iscsi class connection
> * @session: iscsi cls session
> diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
> index 6183d20a01fb..b266d2a3bcb1 100644
> --- a/include/scsi/scsi_transport_iscsi.h
> +++ b/include/scsi/scsi_transport_iscsi.h
> @@ -434,7 +434,6 @@ extern struct iscsi_cls_session *iscsi_create_session(struct Scsi_Host *shost,
> unsigned int target_id);
> extern void iscsi_remove_session(struct iscsi_cls_session *session);
> extern void iscsi_free_session(struct iscsi_cls_session *session);
> -extern int iscsi_destroy_session(struct iscsi_cls_session *session);
> extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess,
> int dd_size, uint32_t cid);
> extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn);
> --
> 2.13.2.932.g7449e964c-goog
>
> --
> You received this message because you are subscribed to the Google Groups "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To post to this group, send email to open-iscsi-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> Visit this group at https://groups.google.com/group/open-iscsi.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to open-iscsi-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session
2017-07-13 16:11 ` [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session 'Khazhismel Kumykov' via open-iscsi
[not found] ` <20170713161122.89375-2-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
@ 2017-09-14 0:09 ` Lee Duncan
[not found] ` <9be07c2e-71ef-cab4-7b04-94d33a191d03-IBi9RG/b67k@public.gmane.org>
1 sibling, 1 reply; 10+ messages in thread
From: Lee Duncan @ 2017-09-14 0:09 UTC (permalink / raw)
To: Khazhismel Kumykov, cleech; +Cc: linux-scsi, linux-kernel, open-iscsi
On 07/13/2017 09:11 AM, Khazhismel Kumykov wrote:
> iscsi_session_teardown was the only user of this function. Function
> currently is just short for iscsi_remove_session + iscsi_free_session.
>
> Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Why is this needed? I dislike changes that don't fix anything.
> ---
> drivers/scsi/scsi_transport_iscsi.c | 16 ----------------
> include/scsi/scsi_transport_iscsi.h | 1 -
> 2 files changed, 17 deletions(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index a424eaeafeb0..924ac408d8a9 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -2210,22 +2210,6 @@ void iscsi_free_session(struct iscsi_cls_session *session)
> }
> EXPORT_SYMBOL_GPL(iscsi_free_session);
>
> -/**
> - * iscsi_destroy_session - destroy iscsi session
> - * @session: iscsi_session
> - *
> - * Can be called by a LLD or iscsi_transport. There must not be
> - * any running connections.
> - */
> -int iscsi_destroy_session(struct iscsi_cls_session *session)
> -{
> - iscsi_remove_session(session);
> - ISCSI_DBG_TRANS_SESSION(session, "Completing session destruction\n");
> - iscsi_free_session(session);
> - return 0;
> -}
> -EXPORT_SYMBOL_GPL(iscsi_destroy_session);
> -
> /**
> * iscsi_create_conn - create iscsi class connection
> * @session: iscsi cls session
> diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
> index 6183d20a01fb..b266d2a3bcb1 100644
> --- a/include/scsi/scsi_transport_iscsi.h
> +++ b/include/scsi/scsi_transport_iscsi.h
> @@ -434,7 +434,6 @@ extern struct iscsi_cls_session *iscsi_create_session(struct Scsi_Host *shost,
> unsigned int target_id);
> extern void iscsi_remove_session(struct iscsi_cls_session *session);
> extern void iscsi_free_session(struct iscsi_cls_session *session);
> -extern int iscsi_destroy_session(struct iscsi_cls_session *session);
> extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess,
> int dd_size, uint32_t cid);
> extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn);
>
--
Lee Duncan
SUSE Labs
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown
[not found] ` <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2017-07-13 16:11 ` [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session 'Khazhismel Kumykov' via open-iscsi
@ 2017-08-24 17:33 ` 'Khazhismel Kumykov' via open-iscsi
1 sibling, 0 replies; 10+ messages in thread
From: 'Khazhismel Kumykov' via open-iscsi @ 2017-08-24 17:33 UTC (permalink / raw)
To: lduncan-IBi9RG/b67k, cleech-H+wXaHxf7aLQT0dZR+AlfA
Cc: linux-scsi-u79uwXL29TY76Z2rM5mHXA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
open-iscsi-/JYPxA39Uh5TLH3MbocFFw, Khazhismel Kumykov
[-- Attachment #1: Type: text/plain, Size: 614 bytes --]
On Thu, Jul 13, 2017 at 9:11 AM, Khazhismel Kumykov <khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> wrote:
Ping in case this was missed
--
You received this message because you are subscribed to the Google Groups "open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to open-iscsi-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
Visit this group at https://groups.google.com/group/open-iscsi.
For more options, visit https://groups.google.com/d/optout.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4843 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown
2017-07-13 16:11 [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown Khazhismel Kumykov
[not found] ` <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
@ 2017-08-29 18:29 ` Chris Leech
[not found] ` <20170829182914.5oza32ohjj4lua6j-r8IHplWLGbA5tHQWs+pTeqPFFGjUI2lm2LY78lusg7I@public.gmane.org>
1 sibling, 1 reply; 10+ messages in thread
From: Chris Leech @ 2017-08-29 18:29 UTC (permalink / raw)
To: 'Khazhismel Kumykov' via open-iscsi
Cc: lduncan, linux-scsi, linux-kernel, Khazhismel Kumykov
Looks good to me, fixes up the code given that the comment there about
calling iscsi_remove_session wasn't being followed.
Thanks
Acked-by: Chris Leech <cleech@redhat.com>
On Thu, Jul 13, 2017 at 09:11:21AM -0700, 'Khazhismel Kumykov' via open-iscsi wrote:
> Session attributes exposed through sysfs were freed before the device
> was destroyed, resulting in a potential use-after-free. Free these
> attributes after removing the device.
>
> Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
> ---
> drivers/scsi/libiscsi.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
> index 42381adf0769..8696a51a5a0c 100644
> --- a/drivers/scsi/libiscsi.c
> +++ b/drivers/scsi/libiscsi.c
> @@ -2851,9 +2851,6 @@ EXPORT_SYMBOL_GPL(iscsi_session_setup);
> /**
> * iscsi_session_teardown - destroy session, host, and cls_session
> * @cls_session: iscsi session
> - *
> - * The driver must have called iscsi_remove_session before
> - * calling this.
> */
> void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
> {
> @@ -2863,6 +2860,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
>
> iscsi_pool_free(&session->cmdpool);
>
> + iscsi_remove_session(cls_session);
> +
> kfree(session->password);
> kfree(session->password_in);
> kfree(session->username);
> @@ -2877,7 +2876,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
> kfree(session->portal_type);
> kfree(session->discovery_parent_type);
>
> - iscsi_destroy_session(cls_session);
> + iscsi_free_session(cls_session);
> +
> iscsi_host_dec_session_cnt(shost);
> module_put(owner);
> }
> --
> 2.13.2.932.g7449e964c-goog
>
> --
> You received this message because you are subscribed to the Google Groups "open-iscsi" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to open-iscsi+unsubscribe@googlegroups.com.
> To post to this group, send email to open-iscsi@googlegroups.com.
> Visit this group at https://groups.google.com/group/open-iscsi.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-10-03 2:28 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-13 16:11 [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown Khazhismel Kumykov
[not found] ` <20170713161122.89375-1-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2017-07-13 16:11 ` [Patch v2 2/2] libiscsi: Remove iscsi_destroy_session 'Khazhismel Kumykov' via open-iscsi
[not found] ` <20170713161122.89375-2-khazhy-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2017-08-29 18:30 ` Chris Leech
2017-09-14 0:09 ` Lee Duncan
[not found] ` <9be07c2e-71ef-cab4-7b04-94d33a191d03-IBi9RG/b67k@public.gmane.org>
2017-09-14 7:57 ` Johannes Thumshirn
2017-08-24 17:33 ` [Patch v2 1/2] libiscsi: Fix use-after-free race during iscsi_session_teardown 'Khazhismel Kumykov' via open-iscsi
2017-08-29 18:29 ` Chris Leech
[not found] ` <20170829182914.5oza32ohjj4lua6j-r8IHplWLGbA5tHQWs+pTeqPFFGjUI2lm2LY78lusg7I@public.gmane.org>
2017-08-30 1:45 ` Martin K. Petersen
[not found] ` <yq1r2vtzv3p.fsf-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2017-09-29 22:54 ` 'Khazhismel Kumykov' via open-iscsi
[not found] ` <CACGdZYJ-jF8KTdHQHhmgHmFTszAUhpijby0vFA2pkysbQzeYjw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-03 2:28 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).