Re: [PATCH 1/2] target: iscs: reject cmd in closed session

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/25/23 02:33, Dmitry Bogdanov wrote:
> Do not handle incoming commands if the session is already closed.
> 
> That patch fixes the following stacktrace:
> 
>  Decremented iSCSI connection count to 0 from node: iqn.1996-04.com.local:3
>  TARGET_CORE[iSCSI]: Deregistered fabric_sess
>  Moving to TARG_SESS_STATE_FREE.
>  Released iSCSI session from node: iqn.1996-04.com.local:3
>  Decremented number of active iSCSI Sessions on iSCSI TPG: 0 to 1
>  rx_loop: 48, total_rx: 48, data: 48
>  Got SCSI Command, ITT: 0x2000005d, CmdSN: 0x4a020000, ExpXferLen: 0, Length: 0, CID: 0
> BUG: Kernel NULL pointer dereference on read at 0x00000000
>   Faulting instruction address: 0xc008000000a9b574
>   Oops: Kernel access of bad area, sig: 11 [#1]
>   NIP [c008000000a9b574] transport_lookup_cmd_lun+0x37c/0x470 [target_core_mod]
>   LR [c008000001017318] iscsit_setup_scsi_cmd+0x520/0x780 [iscsi_target_mod]
> Call Trace:
>  [c000000059e4fae0] [c000000059e4fb70] 0xc000000059e4fb70 (unreliable)
>  [c000000059e4fb70] [c008000001017318] iscsit_setup_scsi_cmd+0x520/0x780 [iscsi_target_mod]
>  [c000000059e4fc30] [c00800000101c448] iscsit_get_rx_pdu+0x720/0x11d0 [iscsi_target_mod]
>  [c000000059e4fd60] [c00800000101ebc8] iscsi_target_rx_thread+0xb0/0x190 [iscsi_target_mod]
>  [c000000059e4fdb0] [c00000000018c50c] kthread+0x19c/0x1b0
> 
> Signed-off-by: Dmitry Bogdanov <d.bogdanov@xxxxxxxxx>
> ---
>  drivers/target/iscsi/iscsi_target.c | 8 ++++++--
>  include/scsi/iscsi_proto.h          | 1 +
>  2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
> index baf4da7bb3b4..f6008675dd3f 100644
> --- a/drivers/target/iscsi/iscsi_target.c
> +++ b/drivers/target/iscsi/iscsi_target.c
> @@ -1199,7 +1199,9 @@ int iscsit_setup_scsi_cmd(struct iscsit_conn *conn, struct iscsit_cmd *cmd,
>  		hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length,
>  		conn->cid);
>  
> -	target_get_sess_cmd(&cmd->se_cmd, true);
> +	if (target_get_sess_cmd(&cmd->se_cmd, true) < 0)
> +		return iscsit_add_reject_cmd(cmd,
> +				ISCSI_REASON_WAITING_FOR_LOGOUT, buf);
> 
Did this require target_stop_session somewhere? I think this is a possible
use after free.

It seems like if we have logged the message:

>  Moving to TARG_SESS_STATE_FREE.

then we called:

transport_deregister_session -> transport_free_session

and freed the se_session.

So above if target_get_sess_cmd returns failure then we have run:

transport_free_session ->transport_uninit_session -> percpu_ref_exit

and transport_free_session could have done:

kmem_cache_free(se_sess_cache, se_sess)

by the time we run the code above and we are now accessing a freed
se_session and iscsit_session.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux