From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mike Christie, "Martin K. Petersen", Matthew Wilcox
Subject: [PATCH 4.14 157/165] iscsi target: fix session creation failure handling
Date: Mon, 3 Sep 2018 18:57:23 +0200
Message-Id: <20180903165704.962049614@linuxfoundation.org>
In-Reply-To: <20180903165655.003605184@linuxfoundation.org>
References: <20180903165655.003605184@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Mike Christie

commit 26abc916a898d34c5ad159315a2f683def3c5555 upstream.

The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in iscsi_login_set_conn_values. If the function fails later, like when we alloc the idr, it does kfree(sess) and leaves the conn->sess pointer set. iscsi_login_zero_tsih_s1 then returns -Exyz and we then call iscsi_target_login_sess_out and access the freed memory.

This patch has iscsi_login_zero_tsih_s1 either completely set up the session or completely tear it down, so later in iscsi_target_login_sess_out we can just check for it being set to the connection.

Cc: stable@vger.kernel.org
Fixes: 0957627a9960 ("iscsi-target: Fix sess allocation leak in...")
Signed-off-by: Mike Christie
Acked-by: Martin K. Petersen
Signed-off-by: Matthew Wilcox
Signed-off-by: Greg Kroah-Hartman
---
 drivers/target/iscsi/iscsi_target_login.c | 35 ++++++++++++++++++------------
 1 file changed, 21 insertions(+), 14 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -345,8 +345,7 @@ static int iscsi_login_zero_tsih_s1( pr_err("idr_alloc() for sess_idr failed\n"); iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, ISCSI_LOGIN_STATUS_NO_RESOURCES); - kfree(sess); - return -ENOMEM; + goto free_sess; } sess->creation_time = get_jiffies_64();
@@ -362,20 +361,28 @@ static int iscsi_login_zero_tsih_s1( ISCSI_LOGIN_STATUS_NO_RESOURCES); pr_err("Unable to allocate memory for" " struct iscsi_sess_ops.\n"); - kfree(sess); - return -ENOMEM; + goto remove_idr; } sess->se_sess = transport_init_session(TARGET_PROT_NORMAL); if (IS_ERR(sess->se_sess)) { iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, ISCSI_LOGIN_STATUS_NO_RESOURCES); - kfree(sess->sess_ops); - kfree(sess); - return -ENOMEM; + goto free_ops; } return 0; + +free_ops: + kfree(sess->sess_ops); +remove_idr: + spin_lock_bh(&sess_idr_lock); + idr_remove(&sess_idr, sess->session_index); + spin_unlock_bh(&sess_idr_lock); +free_sess: + kfree(sess); + conn->sess = NULL; + return -ENOMEM; } static int iscsi_login_zero_tsih_s2( @@ -1162,13 +1169,13 @@ void iscsi_target_login_sess_out(struct ISCSI_LOGIN_STATUS_INIT_ERR); if (!zero_tsih || !conn->sess) goto old_sess_out; - if (conn->sess->se_sess) - transport_free_session(conn->sess->se_sess); - if (conn->sess->session_index != 0) { - spin_lock_bh(&sess_idr_lock); - idr_remove(&sess_idr, conn->sess->session_index); - spin_unlock_bh(&sess_idr_lock); - } + + transport_free_session(conn->sess->se_sess); + + spin_lock_bh(&sess_idr_lock); + idr_remove(&sess_idr, conn->sess->session_index); + spin_unlock_bh(&sess_idr_lock); + kfree(conn->sess->sess_ops); kfree(conn->sess); conn->sess = NULL;
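Review bot: In the hunk at @@ -362,20 +361,28 @@, the new unwind chain (free_ops, remove_idr, free_sess) returns -ENOMEM for all three failures, including the transport_init_session() IS_ERR case where PTR_ERR(sess->se_sess) carries the real reason; that preserves the old return value, but "return PTR_ERR(sess->se_sess)" on that path would cost one line and lose nothing. The more important point is that conn->sess = NULL is cleared only under free_sess, so the function now carries an invariant the hunk does not document: on return 0 conn->sess is fully initialised, on error it is NULL, and any future early return between the idr_alloc() and the "return 0" must jump into the chain rather than return directly, or the stale pointer the commit message describes comes back. A one-line comment above free_ops stating that invariant would protect the unconditional teardown that the later hunk relies on.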
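Review bot: In the hunk at @@ -1162,13 +1169,13 @@, removing the "if (conn->sess->se_sess)" and "if (conn->sess->session_index != 0)" guards makes transport_free_session() and idr_remove() unconditional whenever zero_tsih is set and conn->sess is non-NULL, so correctness now rests entirely on no path reaching iscsi_target_login_sess_out with a partially built session; with the first two hunks that holds for iscsi_login_zero_tsih_s1, but it is worth confirming that nothing else assigns conn->sess before se_sess is set, since a NULL or ERR_PTR se_sess would now be passed straight to transport_free_session(). One behavioural change also deserves a sentence in the commit message: the old code never removed index 0 from sess_idr, so if idr_alloc() can hand out 0 that entry leaked before and is released now.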
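The failure mode the commit message describes, as an added example that is not part of this patch or of the kernel: a user-space model in C of iscsi_login_zero_tsih_s1 before and after the change, plus the unconditional teardown the patched iscsi_target_login_sess_out performs. Only the control-flow shape follows the hunks; the struct layouts, the idr stand-in, the allocation counters, the fail_step injection and the login_leaves_dangling driver are constructed for the demonstration. The driver never dereferences the dangling pointer, it only reports whether the caller is left holding one.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel objects the hunks touch (constructed). */
struct sess_ops { int placeholder; };
struct se_sess  { int placeholder; };
struct sess {
    int session_index;          /* slot in the idr stand-in below */
    struct sess_ops *sess_ops;
    struct se_sess  *se_sess;
};
struct conn {
    struct sess *sess;          /* set early, as iscsi_login_set_conn_values does */
};

/* Which login step is forced to fail (FAIL_NONE = success). Constructed. */
enum fail_step { FAIL_NONE, FAIL_IDR, FAIL_OPS, FAIL_SE_SESS };

/* Bookkeeping: live heap objects and occupied idr slots should both be
 * zero after a failed login or a completed teardown. */
static int live_allocs;
#define IDR_SLOTS 4
static bool idr_slot[IDR_SLOTS];

static void *zalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void  kfree_(void *p)  { if (p) { live_allocs--; free(p); } }
static int idr_alloc_(void)
{
    for (int i = 0; i < IDR_SLOTS; i++)
        if (!idr_slot[i]) { idr_slot[i] = true; return i; }
    return -1;
}
static void idr_remove_(int idx) { if (idx >= 0 && idx < IDR_SLOTS) idr_slot[idx] = false; }
int  live_objects(void) { return live_allocs; }
int  idr_live(void) { int n = 0; for (int i = 0; i < IDR_SLOTS; i++) n += idr_slot[i]; return n; }
void reset_model(void) { live_allocs = 0; for (int i = 0; i < IDR_SLOTS; i++) idr_slot[i] = false; }

/* Pre-patch shape: each failure frees sess and returns, but conn->sess keeps
 * pointing at the freed object, and the idr slot is never released. */
int login_s1_buggy(struct conn *conn, enum fail_step fail)
{
    struct sess *sess = zalloc(sizeof *sess);
    if (!sess)
        return -ENOMEM;
    conn->sess = sess;                                   /* early assignment */
    if (fail == FAIL_IDR) { kfree_(sess); return -ENOMEM; }   /* conn->sess now dangles */
    sess->session_index = idr_alloc_();
    sess->sess_ops = (fail == FAIL_OPS) ? NULL : zalloc(sizeof *sess->sess_ops);
    if (!sess->sess_ops) { kfree_(sess); return -ENOMEM; }    /* dangles, leaks idr slot */
    sess->se_sess = (fail == FAIL_SE_SESS) ? NULL : zalloc(sizeof *sess->se_sess);
    if (!sess->se_sess) { kfree_(sess->sess_ops); kfree_(sess); return -ENOMEM; }
    return 0;
}

/* Patched shape: one unwind chain; on return conn->sess is either fully
 * initialised (0) or NULL (-ENOMEM). */
int login_s1_fixed(struct conn *conn, enum fail_step fail)
{
    struct sess *sess = zalloc(sizeof *sess);
    if (!sess)
        return -ENOMEM;
    conn->sess = sess;
    if (fail == FAIL_IDR || (sess->session_index = idr_alloc_()) < 0)
        goto free_sess;
    sess->sess_ops = (fail == FAIL_OPS) ? NULL : zalloc(sizeof *sess->sess_ops);
    if (!sess->sess_ops)
        goto remove_idr;
    sess->se_sess = (fail == FAIL_SE_SESS) ? NULL : zalloc(sizeof *sess->se_sess);
    if (!sess->se_sess)
        goto free_ops;
    return 0;
free_ops:
    kfree_(sess->sess_ops);
remove_idr:
    idr_remove_(sess->session_index);
free_sess:
    kfree_(sess);
    conn->sess = NULL;
    return -ENOMEM;
}

/* Patched iscsi_target_login_sess_out: with the invariant above the teardown
 * runs unconditionally whenever conn->sess is set. */
void sess_out_fixed(struct conn *conn)
{
    if (!conn->sess)
        return;
    kfree_(conn->sess->se_sess);          /* transport_free_session() stand-in */
    idr_remove_(conn->sess->session_index);
    kfree_(conn->sess->sess_ops);
    kfree_(conn->sess);
    conn->sess = NULL;
}

/* Run one login with the given s1 variant. Returns 1 if a failure leaves the
 * caller holding a dangling conn->sess (pointer compared, never dereferenced),
 * 0 otherwise; on success the fixed teardown is run so counters return to 0. */
int login_leaves_dangling(int (*s1)(struct conn *, enum fail_step), enum fail_step fail)
{
    struct conn conn = { .sess = NULL };
    if (s1(&conn, fail) < 0)
        return conn.sess != NULL;
    sess_out_fixed(&conn);
    return 0;
}

int main(void)
{
    const enum fail_step steps[] = { FAIL_IDR, FAIL_OPS, FAIL_SE_SESS, FAIL_NONE };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        reset_model();
        int buggy = login_leaves_dangling(login_s1_buggy, steps[i]);
        int leaked = idr_live();
        reset_model();
        int fixed = login_leaves_dangling(login_s1_fixed, steps[i]);
        printf("fail=%d buggy: dangling=%d idr_leaked=%d | fixed: dangling=%d live=%d idr=%d\n",
               (int)steps[i], buggy, leaked, fixed, live_objects(), idr_live());
    }
    return 0;
}
```

The driver only ever calls the patched teardown, because calling the old iscsi_target_login_sess_out after the old s1 would be the use-after-free itself; the point of the model is that with login_s1_fixed every failure step leaves conn->sess NULL and both counters at zero, while login_s1_buggy leaves the pointer set on every failure and leaks the idr slot on the two later ones.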