From: Anton Kovalenko <Anton.Kovalenko@acronis.com>
To: "stgt@vger.kernel.org" <stgt@vger.kernel.org>
Subject: [PATCH] use-after-free while iterating session->conn_list (two places)
Date: Wed, 3 May 2017 16:35:45 +0000 [thread overview]
Message-ID: <1493829345850.48512@acronis.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 508 bytes --]
Hi,
Please consider applying two patches in the attachment.
The problem (accessing session->conn_list after freeing session) was discovered using valgrind.
Note that while list_for_each_entry_safe is safe against current list element destruction,
it is UNSAFE against the traversed list_head (third argument) becoming invalid during iteration.
That's exactly what happens when the last connection of a session goes away (conn_exit -> session_put -> use-after-free).
--
Best regards,
Anton Kovalenko
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0002-Avoid-dangling-session-reference-in-login_security_d.patch --]
[-- Type: text/x-patch; name="0002-Avoid-dangling-session-reference-in-login_security_d.patch", Size: 853 bytes --]
From 16e64b10cbe829d0b0d06d22a54efd79b161427a Mon Sep 17 00:00:00 2001
From: Anton Kovalenko <anton.kovalenko@acronis.com>
Date: Wed, 3 May 2017 14:46:38 +0300
Subject: [PATCH 2/3] Avoid dangling session reference in login_security_done
---
usr/iscsi/iscsid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr/iscsi/iscsid.c b/usr/iscsi/iscsid.c
index 700e2af..d5fe6b3 100644
--- a/usr/iscsi/iscsid.c
+++ b/usr/iscsi/iscsid.c
@@ -267,11 +267,12 @@ static void login_security_done(struct iscsi_connection *conn)
struct iscsi_connection *ent, *next;
/* do session reinstatement */
-
+ session_get(session);
list_for_each_entry_safe(ent, next, &session->conn_list,
clist) {
conn_close(ent);
}
+ session_put(session);
session = NULL;
} else if (req->tsih != session->tsih) {
--
2.11.0
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0003-Avoid-session-dangling-reference-on-forced-target-de.patch --]
[-- Type: text/x-patch; name="0003-Avoid-session-dangling-reference-on-forced-target-de.patch", Size: 1041 bytes --]
From 67f7b51e6eddc55736a0bb85cbb3af95e73b68d6 Mon Sep 17 00:00:00 2001
From: Anton Kovalenko <anton.kovalenko@acronis.com>
Date: Wed, 3 May 2017 12:46:53 +0300
Subject: [PATCH 3/3] Avoid session* dangling reference on forced target
destroy.
Closing the last connection of a session also releases the session
itself, making session->conn_list inaccessible.
Wrapping conn_list iteration into session_get/session_put prevents
session destruction while its conn_list is being iterated.
---
usr/iscsi/target.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/usr/iscsi/target.c b/usr/iscsi/target.c
index bf54190..7d71206 100644
--- a/usr/iscsi/target.c
+++ b/usr/iscsi/target.c
@@ -411,9 +411,11 @@ void iscsi_target_destroy(int tid, int force)
}
list_for_each_entry_safe(session, stmp, &target->sessions_list, slist) {
+ session_get(session);
list_for_each_entry_safe(conn, ctmp, &session->conn_list, clist) {
conn_close(conn);
}
+ session_put(session);
}
if (!list_empty(&target->sessions_list)) {
--
2.11.0
next reply other threads:[~2017-05-03 16:35 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-03 16:35 Anton Kovalenko [this message]
2017-05-10 1:34 ` [PATCH] use-after-free while iterating session->conn_list (two places) FUJITA Tomonori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493829345850.48512@acronis.com \
--to=anton.kovalenko@acronis.com \
--cc=stgt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).