From patchwork Fri Jul 24 02:51:19 2015
X-Patchwork-Submitter: "Nicholas A. Bellinger"
X-Patchwork-Id: 6856871
From: "Nicholas A. Bellinger"
To: target-devel
Cc: linux-scsi , Sagi Grimberg , Nicholas Bellinger , Sagi Grimberg
Subject: [PATCH 4/4] iser-target: Fix REJECT CM event use-after-free OOPs
Date: Fri, 24 Jul 2015 02:51:19 +0000
Message-Id: <1437706279-10580-5-git-send-email-nab@daterainc.com>
In-Reply-To: <1437706279-10580-1-git-send-email-nab@daterainc.com>
References: <1437706279-10580-1-git-send-email-nab@daterainc.com>

From: Nicholas Bellinger

This patch fixes a bug in iser-target code where the REJECT CM event handler code currently performs an isert_put_conn() for the final isert_conn->kref put, while iscsi_np process context is still blocked in isert_get_login_rx().

Once isert_get_login_rx() is awoken due to login timeout, iscsi_np process context will attempt to invoke iscsi_target_login_sess_out() to clean up iscsi_conn as expected, and calls isert_wait_conn() + isert_free_conn(), which triggers the use-after-free OOPs.

To address this bug, move the kref_get_unless_zero() call from isert_connected_handler() into isert_connect_request() immediately preceding isert_rdma_accept() to ensure the CM handler cleanup paths and isert_free_conn() are always operating with two refs.

Cc: Sagi Grimberg
Cc: # v3.10+
Signed-off-by: Nicholas Bellinger --- drivers/infiniband/ulp/isert/ib_isert.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c index 7717009..d851e18 100644 --- a/drivers/infiniband/ulp/isert/ib_isert.c +++ b/drivers/infiniband/ulp/isert/ib_isert.c @@ -775,6 +775,17 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event) ret = isert_rdma_post_recvl(isert_conn); if (ret) goto out_conn_dev; + /* + * Obtain the second reference now before isert_rdma_accept() to + * ensure that any initiator generated REJECT CM event that occurs + * asynchronously won't drop the last reference until the error path + * in iscsi_target_login_sess_out() does it's ->iscsit_free_conn() -> + * isert_free_conn() -> isert_put_conn() -> kref_put(). + */ + if (!kref_get_unless_zero(&isert_conn->kref)) { + isert_warn("conn %p connect_release is running\n", isert_conn); + goto out_conn_dev; + } ret = isert_rdma_accept(isert_conn); if (ret) @@ -836,11 +847,6 @@ isert_connected_handler(struct rdma_cm_id *cma_id) isert_info("conn %p\n", isert_conn); - if (!kref_get_unless_zero(&isert_conn->kref)) { - isert_warn("conn %p connect_release is running\n", isert_conn); - return; - } - mutex_lock(&isert_conn->mutex); if (isert_conn->state != ISER_CONN_FULL_FEATURE) isert_conn->state = ISER_CONN_UP;
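Review bot: In the first hunk (isert_connect_request(), the new kref_get_unless_zero() block before isert_rdma_accept()), the failure path of the accept call that follows it (`ret = isert_rdma_accept(isert_conn); if (ret)`) now runs while the freshly taken second reference is held, but its jump target is outside the visible context; please confirm that path pairs this get with an isert_put_conn(), otherwise a failed accept leaks the isert_conn. The `goto out_conn_dev` on a failed get likewise lands after isert_rdma_post_recvl() has already succeeded, so that label should undo the posted receive as well. Minor: the new comment reads "does it's ->iscsit_free_conn()"; it should be "does its".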
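Review bot: The second hunk (isert_connected_handler()) drops the early `return` that used to stop the handler when connect_release was already running, so the mutex_lock()/state update below it now executes unconditionally and depends on the reference that the first hunk takes in isert_connect_request(); the two hunks are only correct together, which matters for the stable backport requested by the "Cc: # v3.10+" tag, and it is worth checking that the removed get had no matching put further down the connected path that would now be unbalanced.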
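The commit message's argument is about reference counts, not RDMA: with one reference held at accept time, the asynchronous REJECT handler's put releases the connection before the login-timeout path does its own put. The following user-space model is an added example, not code from the patch or from the kernel; `conn`, `conn_get_unless_zero()`, `conn_put()` and the scenario functions are hypothetical stand-ins for isert_conn, kref_get_unless_zero(), isert_put_conn() and the two call sequences the commit message describes (REJECT CM handler, then iscsi_target_login_sess_out() -> isert_free_conn()). It shows why the second reference must be taken before accept rather than in the connected handler, which never runs for a rejected connection.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of isert_conn: refs stands in for isert_conn->kref. */
struct conn {
    int refs;      /* models kref.refcount */
    int released;  /* set once the release callback has run */
};

/* Models kref_get_unless_zero(): take a reference only if one is still held. */
static int conn_get_unless_zero(struct conn *c)
{
    if (c->refs == 0)
        return 0;
    c->refs++;
    return 1;
}

/* Models kref_put() with a release callback.
 * Returns 1 when this put released the object, 0 when a reference remains,
 * and -1 for a put on an already released object (the use-after-free the
 * patch fixes; a real kernel would touch freed memory here). */
static int conn_put(struct conn *c)
{
    if (c->refs == 0)
        return -1;
    if (--c->refs == 0) {
        c->released = 1;
        return 1;
    }
    return 0;
}

/* The sequence from the commit message. take_second_ref == 0 models the old
 * code, whose extra kref_get_unless_zero() lived in isert_connected_handler()
 * and therefore never ran for a rejected connection; take_second_ref == 1
 * models the patch, which takes it before isert_rdma_accept().
 * Returns 0 when every put was balanced and the conn was released exactly
 * once, -1 when a put hit a released conn, -2 when the conn leaked. */
static int run_reject_scenario(int take_second_ref)
{
    struct conn c;

    memset(&c, 0, sizeof(c));
    c.refs = 1;  /* initial reference from isert_connect_request() */

    if (take_second_ref && !conn_get_unless_zero(&c))
        return -1;

    /* REJECT CM event handler: isert_put_conn() on the rejected connection. */
    if (conn_put(&c) < 0)
        return -1;

    /* Login timeout: iscsi_target_login_sess_out() -> isert_free_conn()
     * -> isert_put_conn(). With a single reference this is the OOPs. */
    if (conn_put(&c) < 0)
        return -1;

    return c.released ? 0 : -2;
}

/* The "connect_release is running" branch of the patch: once the last
 * reference is gone, kref_get_unless_zero() must refuse to resurrect the
 * object. Returns what the get reports on a released conn (expected 0). */
static int second_ref_after_release(void)
{
    struct conn c;

    memset(&c, 0, sizeof(c));
    c.refs = 1;
    conn_put(&c);  /* releases */
    return conn_get_unless_zero(&c);
}

int main(void)
{
    printf("old code, one ref at accept:  %s\n",
           run_reject_scenario(0) == 0 ? "balanced" : "put on released conn");
    printf("patched, two refs at accept:  %s\n",
           run_reject_scenario(1) == 0 ? "balanced" : "put on released conn");
    printf("get after release succeeds:   %d\n", second_ref_after_release());
    return 0;
}
```

The model deliberately records the double put instead of freeing memory, so the failing case is reported rather than being undefined behaviour; in the kernel the same sequence is what produces the OOPs the subject line names.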