| Message ID | 20170712230607.137389-1-khazhy@google.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
Hi Khazhismel,
[auto build test ERROR on mkp-scsi/for-next]
[also build test ERROR on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: i386-randconfig-x018-201728 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:23: error: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type [-Werror=incompatible-pointer-types]
iscsi_remove_session(session);
^~~~~~~
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Hi Khazhismel,
[auto build test WARNING on mkp-scsi/for-next]
[also build test WARNING on v4.12 next-20170713]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Khazhismel-Kumykov/libiscsi-Fix-use-after-free-race-during-iscsi_session_teardown/20170713-231300
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 4.9.0
reproduce:
wget https://raw.githubusercontent.com/01org/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=xtensa
All warnings (new ones prefixed by >>):
drivers//scsi/libiscsi.c: In function 'iscsi_session_teardown':
>> drivers//scsi/libiscsi.c:2863:2: warning: passing argument 1 of 'iscsi_remove_session' from incompatible pointer type
iscsi_remove_session(session);
^
In file included from drivers//scsi/libiscsi.c:41:0:
include/scsi/scsi_transport_iscsi.h:435:13: note: expected 'struct iscsi_cls_session *' but argument is of type 'struct iscsi_session *'
extern void iscsi_remove_session(struct iscsi_cls_session *session);
^
vim +/iscsi_remove_session +2863 drivers//scsi/libiscsi.c
2850
2851 /**
2852 * iscsi_session_teardown - destroy session, host, and cls_session
2853 * @cls_session: iscsi session
2854 */
2855 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
2856 {
2857 struct iscsi_session *session = cls_session->dd_data;
2858 struct module *owner = cls_session->transport->owner;
2859 struct Scsi_Host *shost = session->host;
2860
2861 iscsi_pool_free(&session->cmdpool);
2862
> 2863 iscsi_remove_session(session);
2864
2865 kfree(session->password);
2866 kfree(session->password_in);
2867 kfree(session->username);
2868 kfree(session->username_in);
2869 kfree(session->targetname);
2870 kfree(session->targetalias);
2871 kfree(session->initiatorname);
2872 kfree(session->boot_root);
2873 kfree(session->boot_nic);
2874 kfree(session->boot_target);
2875 kfree(session->ifacename);
2876 kfree(session->portal_type);
2877 kfree(session->discovery_parent_type);
2878
2879 iscsi_free_session(cls_session);
2880
2881 iscsi_host_dec_session_cnt(shost);
2882 module_put(owner);
2883 }
2884 EXPORT_SYMBOL_GPL(iscsi_session_teardown);
2885
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 42381adf0769..f9199bebaec7 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -2851,9 +2851,6 @@ EXPORT_SYMBOL_GPL(iscsi_session_setup); /** * iscsi_session_teardown - destroy session, host, and cls_session * @cls_session: iscsi session - * - * The driver must have called iscsi_remove_session before - * calling this. */ void iscsi_session_teardown(struct iscsi_cls_session *cls_session) { @@ -2863,6 +2860,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session) iscsi_pool_free(&session->cmdpool); + iscsi_remove_session(session); + kfree(session->password); kfree(session->password_in); kfree(session->username); @@ -2877,7 +2876,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session) kfree(session->portal_type); kfree(session->discovery_parent_type); - iscsi_destroy_session(cls_session); + iscsi_free_session(cls_session); + iscsi_host_dec_session_cnt(shost); module_put(owner); }
Session attributes exposed through sysfs were freed before the device was destroyed, resulting in a potential use-after-free. Free these attributes after removing the device. Signed-off-by: Khazhismel Kumykov <khazhy@google.com> --- drivers/scsi/libiscsi.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)