* Patch "iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done" has been added to the 4.9-stable tree
@ 2017-07-25 4:30 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-07-25 4:30 UTC (permalink / raw)
To: nab, gregkh, righi.andrea, sagi, sagig; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From fce50a2fa4e9c6e103915c351b6d4a98661341d6 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Thu, 29 Jun 2017 22:21:31 -0700
Subject: iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit fce50a2fa4e9c6e103915c351b6d4a98661341d6 upstream.
This patch fixes a NULL pointer dereference in isert_login_recv_done()
of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
resetting isert_conn->cm_id = NULL during a failed login attempt.
As per Sagi, we will always see the completion of all recv wrs posted
on the qp (given that we assigned a ->done handler), this is a FLUSH
error completion, we just don't get to verify that because we deref
NULL before.
The issue here, was the assumption that dereferencing the connection
cm_id is always safe, which is not true since:
commit 4a579da2586bd3b79b025947ea24ede2bbfede62
Author: Sagi Grimberg <sagig@mellanox.com>
Date: Sun Mar 29 15:52:04 2015 +0300
iser-target: Fix possible deadlock in RDMA_CM connection error
As I see it, we have a direct reference to the isert_device from
isert_conn which is the one-liner fix that we actually need like
we do in isert_rdma_read_done() and isert_rdma_write_done().
Reported-by: Andrea Righi <righi.andrea@gmail.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1447,7 +1447,7 @@ static void
isert_login_recv_done(struct ib_cq *cq, struct ib_wc *wc)
{
struct isert_conn *isert_conn = wc->qp->qp_context;
- struct ib_device *ib_dev = isert_conn->cm_id->device;
+ struct ib_device *ib_dev = isert_conn->device->ib_device;
if (unlikely(wc->status != IB_WC_SUCCESS)) {
isert_print_wc(wc, "login recv");
Patches currently in stable-queue which might be from nab@linux-iscsi.org are
queue-4.9/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch
queue-4.9/xen-scsiback-fix-a-tmr-related-use-after-free.patch
queue-4.9/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
queue-4.9/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-07-25 4:30 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-25 4:30 Patch "iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done" has been added to the 4.9-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).