On 11/15/22 6:56 AM, Maurizio Lombardi wrote:
> In case a malicious initiator sends some random data immediately after a
> login PDU, the iscsi_target_sk_data_ready() callback will
> schedule the login_work and, at the same time,
> the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag
> (because no additional PDU exchanges are required to complete the login).
>
> The login has been completed but the login_work function
> will find the LOGIN_FLAGS_INITIAL_PDU flag set and will
> never stop rescheduling itself;
> at this point, if the initiator drops the connection, the iscsit_conn
> structure will be freed, login_work will dereference a released
> socket structure and the kernel crashes.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000230
> PF: supervisor write access in kernel mode
> PF: error_code(0x0002) - not-present page
> Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
> RIP: 0010:_raw_read_lock_bh+0x15/0x30
> Call trace:
> iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]
> process_one_work+0x1e8/0x3c0
>
> Fix this bug by forcing login_work to stop after the login has been
> completed and the socket callbacks have been restored.
>
> Add a comment to clarify the return values of iscsi_target_do_login()
>
> v3: cancel_delayed_work_sync() should be called by
> iscsi_target_start_negotiation(), because the latter is only executed
> in login_thread context
>
> v2: remove an unnecessary call to cancel_delayed_work();
> fix a potential race condition in iscsi_start_negotiation() and
> in iscsi_target_do_login_rx()'s error paths
>
> Signed-off-by: Maurizio Lombardi <mlombard@xxxxxxxxxx>

Reviewed-by: Mike Christie <michael.christie@xxxxxxxxxx>
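Added example, not code from the patch or from iscsi_target_mod: a userspace C model of the lifecycle bug the quoted commit message describes. The struct names, the one-slot cooperative "workqueue" and the helper functions (schedule_delayed_work, cancel_delayed_work_sync, do_login_rx, sk_data_ready, login_complete, replay) are assumptions standing in for the kernel pieces, and the LOGIN_FLAGS_INITIAL_PDU bit value is made up. The model replays the sequence from the commit message: junk bytes arrive right after the login PDU, login completes without clearing the flag, the work keeps re-arming itself, the connection is torn down, and the still-pending work runs on freed memory. The "patched" replay cancels the work synchronously after the socket callbacks are restored, which is the ordering the fix establishes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the bug in the quoted commit message. Every name here
 * is an assumption made for illustration; none of it is iscsi_target_mod code. */

#define LOGIN_FLAGS_INITIAL_PDU 0x1u   /* bit value assumed for the model */

struct sock_model { bool freed; };

struct conn_model {
    unsigned int login_flags;
    struct sock_model *sk;
    bool iscsi_callbacks_installed;    /* sk_data_ready still points at the iSCSI hook? */
    bool freed;
};

/* A one-slot delayed-work queue, run cooperatively by run_workqueue_once(). */
struct work_model {
    void (*fn)(struct conn_model *);
    struct conn_model *conn;
    bool pending;
};

static struct work_model login_work;
static int freed_socket_derefs;        /* the accesses that crash the real kernel */

static void schedule_delayed_work(struct work_model *w) { w->pending = true; }

/* Model of cancel_delayed_work_sync(): nothing is pending afterwards and,
 * because this queue runs cooperatively, nothing is mid-flight either.
 * In the kernel it must not be called from the work function itself (it
 * would wait for itself), hence the v3 note that it belongs in the
 * login_thread path. */
static void cancel_delayed_work_sync(struct work_model *w) { w->pending = false; }

/* Model of iscsi_target_do_login_rx(): the first thing it does is take a
 * lock inside conn->sk, so a freed socket is a crash. */
static void do_login_rx(struct conn_model *conn)
{
    if (conn->freed || conn->sk->freed) {
        freed_socket_derefs++;
        return;
    }
    /* The bug: the flag was never cleared, so the work re-arms itself forever. */
    if (conn->login_flags & LOGIN_FLAGS_INITIAL_PDU)
        schedule_delayed_work(&login_work);
}

/* Model of iscsi_target_sk_data_ready(): only active while the iSCSI
 * callbacks are installed on the socket. */
static void sk_data_ready(struct conn_model *conn)
{
    if (conn->iscsi_callbacks_installed)
        schedule_delayed_work(&login_work);
}

static void run_workqueue_once(void)
{
    if (!login_work.pending)
        return;
    login_work.pending = false;
    login_work.fn(login_work.conn);
}

/* Login completes with no further PDU exchange, so LOGIN_FLAGS_INITIAL_PDU
 * is left set. The fixed path stops login_work after restoring callbacks. */
static void login_complete(struct conn_model *conn, bool fixed)
{
    conn->iscsi_callbacks_installed = false;   /* socket callbacks restored */
    if (fixed)
        cancel_delayed_work_sync(&login_work);
}

/* Returns how many times login_work touched the freed connection/socket:
 * 1 reproduces the crash, 0 means the teardown ordering is safe. */
int replay(bool fixed)
{
    struct sock_model sk = { .freed = false };
    struct conn_model conn = {
        .login_flags = LOGIN_FLAGS_INITIAL_PDU, .sk = &sk,
        .iscsi_callbacks_installed = true, .freed = false,
    };
    login_work = (struct work_model){ .fn = do_login_rx, .conn = &conn, .pending = false };
    freed_socket_derefs = 0;

    sk_data_ready(&conn);          /* junk bytes arrive right after the login PDU */
    login_complete(&conn, fixed);  /* negotiation ends with the flag still set */
    for (int i = 0; i < 3; i++)    /* unpatched: the work re-arms itself on every pass */
        run_workqueue_once();

    sk.freed = conn.freed = true;  /* initiator drops the connection: iscsit_conn freed */
    run_workqueue_once();          /* anything still pending now runs on freed memory */
    return freed_socket_derefs;
}

int main(void)
{
    printf("unpatched: %d freed-socket dereference(s)\n", replay(false));
    printf("patched:   %d freed-socket dereference(s)\n", replay(true));
    return 0;
}
```

The model deliberately leaves the flag set in both runs: the point of the fix is not to clear the flag but to guarantee, from the login thread, that no instance of login_work can be pending or running once the socket callbacks are back to their originals and the connection may go away.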