Re: [PATCH 02/16] target: fix memory corruption

["Nicholas A. Bellinger" <nab@xxxxxxxxxxxxxxx>]

On Tue, 2014-09-02 at 17:49 -0400, Joern Engel wrote:
> Found by coverity.  l_conn cannot possible be NULL.  It can very well
> not match any connection, which is the logical equivalent of NULL.  At
> that point we would happily dereference the pointer and do heck knows
> what with the random values we find.  A NULL pointer dereference would
> have been much better.
> 
> Signed-off-by: Joern Engel <joern@xxxxxxxxx>
> ---
>  drivers/target/iscsi/iscsi_target.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
> index 30f4a7d42e32..dcaebe712259 100644
> --- a/drivers/target/iscsi/iscsi_target.c
> +++ b/drivers/target/iscsi/iscsi_target.c
> @@ -4549,7 +4549,7 @@ static void iscsit_logout_post_handler_diffcid(
>  	}
>  	spin_unlock_bh(&sess->conn_lock);
>  
> -	if (!l_conn)
> +	if (WARN_ON_ONCE(&l_conn->conn_list == &sess->sess_conn_list))
>  		return;
>  
>  	if (l_conn->sock)

This doesn't look quite right, as it depends upon the ordering of the
connection within sess_conn_list to ascertain when no matching
connection ID has been found. 

How about the following instead..?

--nab

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 30f4a7d..b19e432 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4536,6 +4536,7 @@ static void iscsit_logout_post_handler_diffcid(
 {
        struct iscsi_conn *l_conn;
        struct iscsi_session *sess = conn->sess;
+       bool conn_found = false;
 
        if (!sess)
                return;
@@ -4544,12 +4545,13 @@ static void iscsit_logout_post_handler_diffcid(
        list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) {
                if (l_conn->cid == cid) {
                        iscsit_inc_conn_usage_count(l_conn);
+                       conn_found = true;
                        break;
                }
        }
        spin_unlock_bh(&sess->conn_lock);
 
-       if (!l_conn)
+       if (!conn_found)
                return;
 
        if (l_conn->sock)


--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html