From patchwork Thu Jul 13 16:11:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Khazhy Kumykov <khazhy@google.com>
X-Patchwork-Id: 9839247
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D9AAE602A0 for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 13 Jul 2017 16:11:42 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CA1952853D
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 13 Jul 2017 16:11:42 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BE6B728589; Thu, 13 Jul 2017 16:11:42 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, MIME_HEADER_CTYPE_ONLY, MIME_NO_TEXT,
	RCVD_IN_DNSWL_HI,
	T_TVD_MIME_NO_HEADERS autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 64E052853D
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 13 Jul 2017 16:11:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752545AbdGMQLl (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Thu, 13 Jul 2017 12:11:41 -0400
Received: from mail-pg0-f42.google.com ([74.125.83.42]:34346 "EHLO
	mail-pg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752541AbdGMQLl (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Thu, 13 Jul 2017 12:11:41 -0400
Received: by mail-pg0-f42.google.com with SMTP id t186so32002364pgb.1
	for <linux-scsi@vger.kernel.org>;
	Thu, 13 Jul 2017 09:11:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=7rJn4GArEyJSgdUJ4plZE4M9oNJ0Z5eyB1OP/0EI0J0=;
	b=IDNxbY32nZka1bRdRl/22m1T4gMhR93G5RtPtTUXI2Q2ZZurX/Gxby+iJI452Noc3x
	DPLXX4mc9oFdCZ4wScD1ovQN26hSWphh6H3XIwoxn3xSZ/bEJjoFw5TQxHKZiY5J5Al7
	UmlBZ1Gc3fKVQoFlThlfK+/fFRD7eNs5SA1+gftPyptzB+qsHxefxOLXqV3n/xYJqusJ
	a60b7GfSpu49NGgS+2o5vvCLaVTWwCsGCD1d/DKBeQ9ywhPpX82sH3KIZqViTIfVQRsX
	fiWPc0fpdunpDxQSrSt1+pXblCDxDVqpEA5872335e7FE9LH6BkA/br9KwhpL4R3GbY6
	nAjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=7rJn4GArEyJSgdUJ4plZE4M9oNJ0Z5eyB1OP/0EI0J0=;
	b=nGz4pkrvOh5FWCPE4sbSrxiwY9Kf3ZxiOodd0k1srbqBZLK+4TIb8xlSnupcAxIMVJ
	6T5FKN9JHIn0VBAvlNJV0KfOkooIJY78PYwPs0igoCOX1DqvYV3j3rjVMyZxYfe5NUfP
	2PuCkHcsJ6rGwzLU2rCsQ6wI5Y/pAI8VGjmAcWdv00/FPmzq4nabMjVSiSxRbvxxl3ds
	1GkvtGurAnt9t7jagEpDGqjlB5hiRHo4kc6ijwqE0HKwKGXk+xesgnI4IYx1H7C0r+45
	YJvT92xAdxkt2pzoa48utyzDQ1+VrCGJxsQFOGeHz/kbb36aSaEhl4cejXd1xymEo7IW
	3zpg==
X-Gm-Message-State: AIVw111nn8F4wAVfQzf28feGeNV0nNe/lHqg1J6nDsjyNu7iSrhTcfWH
	ZhCqrcFxXVwY5S6GJtga6g==
X-Received: by 10.98.197.130 with SMTP id j124mr335548pfg.117.1499962299961;
	Thu, 13 Jul 2017 09:11:39 -0700 (PDT)
Received: from khazhy.svl.corp.google.com ([100.123.228.94])
	by smtp.gmail.com with ESMTPSA id
	t70sm14244305pfk.111.2017.07.13.09.11.39
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Thu, 13 Jul 2017 09:11:39 -0700 (PDT)
From: Khazhismel Kumykov <khazhy@google.com>
To: lduncan@suse.com, cleech@redhat.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
	open-iscsi@googlegroups.com, Khazhismel Kumykov <khazhy@google.com>
Subject: [Patch v2 1/2] libiscsi: Fix use-after-free race during
	iscsi_session_teardown
Date: Thu, 13 Jul 2017 09:11:21 -0700
Message-Id: <20170713161122.89375-1-khazhy@google.com>
X-Mailer: git-send-email 2.13.2.932.g7449e964c-goog
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Session attributes exposed through sysfs were freed before the device
was destroyed, resulting in a potential use-after-free. Free these
attributes after removing the device.

Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Acked-by: Chris Leech <cleech@redhat.com>
---
 drivers/scsi/libiscsi.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 42381adf0769..8696a51a5a0c 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2851,9 +2851,6 @@ EXPORT_SYMBOL_GPL(iscsi_session_setup);
 /**
  * iscsi_session_teardown - destroy session, host, and cls_session
  * @cls_session: iscsi session
- *
- * The driver must have called iscsi_remove_session before
- * calling this.
  */
 void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
 {
@@ -2863,6 +2860,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
 
 	iscsi_pool_free(&session->cmdpool);
 
+	iscsi_remove_session(cls_session);
+
 	kfree(session->password);
 	kfree(session->password_in);
 	kfree(session->username);
@@ -2877,7 +2876,8 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session)
 	kfree(session->portal_type);
 	kfree(session->discovery_parent_type);
 
-	iscsi_destroy_session(cls_session);
+	iscsi_free_session(cls_session);
+
 	iscsi_host_dec_session_cnt(shost);
 	module_put(owner);
 }