| Message ID | 20230602105613.95952-4-saravanan.vajravel@broadcom.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | IB/isert Bug fixes in ib_isert | expand |
> The ib_isert module is releasing the isert connection both in > isert_wait_conn() handler as well as isert_free_conn() handler. > In isert_wait_conn() handler, it is expected to wait for iSCSI > session logout operation to complete. It should free the isert > connection only in isert_free_conn() handler. > > When a bunch of iSER target is cleared, this issue can lead to > use-after-free memory issue as isert conn is twice released > > Fixes: 0fc4ea701fcf ("Target/iser: Don't put isert_conn inside disconnected handler") Doesn't seem quite right?
> > The ib_isert module is releasing the isert connection both in > > isert_wait_conn() handler as well as isert_free_conn() handler. > > In isert_wait_conn() handler, it is expected to wait for iSCSI session > > logout operation to complete. It should free the isert connection only > > in isert_free_conn() handler. > > > > When a bunch of iSER target is cleared, this issue can lead to > > use-after-free memory issue as isert conn is twice released > > > > Fixes: 0fc4ea701fcf ("Target/iser: Don't put isert_conn inside > > disconnected handler") > Doesn't seem quite right? Corrected Fixes tag. Sent v3 patch.
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 7214a9bba524..c6b94a52afe2 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -2570,8 +2570,6 @@ static void isert_wait_conn(struct iscsit_conn *conn) isert_put_unsol_pending_cmds(conn); isert_wait4cmds(conn); isert_wait4logout(isert_conn); - - queue_work(isert_release_wq, &isert_conn->release_work); } static void isert_free_conn(struct iscsit_conn *conn)
The ib_isert module is releasing the isert connection both in isert_wait_conn() handler as well as isert_free_conn() handler. In isert_wait_conn() handler, it is expected to wait for iSCSI session logout operation to complete. It should free the isert connection only in isert_free_conn() handler. When a bunch of iSER target is cleared, this issue can lead to use-after-free memory issue as isert conn is twice released Fixes: 0fc4ea701fcf ("Target/iser: Don't put isert_conn inside disconnected handler") Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com> Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com> --- drivers/infiniband/ulp/isert/ib_isert.c | 2 -- 1 file changed, 2 deletions(-)