Patch "IB/isert: Fix incorrect release of isert connection" has been added to the 4.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 18 Jun 2023 10:24:25 -0400

This is a note to let you know that I've just added the patch titled

    IB/isert: Fix incorrect release of isert connection

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ib-isert-fix-incorrect-release-of-isert-connection.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d690a319e92265fa5f471a97dba25e2c3865abc4
Author: Saravanan Vajravel <saravanan.vajravel@xxxxxxxxxxxx>
Date:   Tue Jun 6 03:25:31 2023 -0700

    IB/isert: Fix incorrect release of isert connection
    
    [ Upstream commit 699826f4e30ab76a62c238c86fbef7e826639c8d ]
    
    The ib_isert module is releasing the isert connection both in
    isert_wait_conn() handler as well as isert_free_conn() handler.
    In isert_wait_conn() handler, it is expected to wait for iSCSI
    session logout operation to complete. It should free the isert
    connection only in isert_free_conn() handler.
    
    When a bunch of iSER target is cleared, this issue can lead to
    use-after-free memory issue as isert conn is twice released
    
    Fixes: b02efbfc9a05 ("iser-target: Fix implicit termination of connections")
    Reviewed-by: Sagi Grimberg <sagi@xxxxxxxxxxx>
    Signed-off-by: Saravanan Vajravel <saravanan.vajravel@xxxxxxxxxxxx>
    Signed-off-by: Selvin Xavier <selvin.xavier@xxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230606102531.162967-4-saravanan.vajravel@xxxxxxxxxxxx
    Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
index 0d9b53c6e2654..598e2bb005c8c 100644
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2652,8 +2652,6 @@ static void isert_wait_conn(struct iscsi_conn *conn)
 	isert_put_unsol_pending_cmds(conn);
 	isert_wait4cmds(conn);
 	isert_wait4logout(isert_conn);
-
-	queue_work(isert_release_wq, &isert_conn->release_work);
 }
 
 static void isert_free_conn(struct iscsi_conn *conn)






