From: Sasha Levin
To: "stable@vger.kernel.org", "linux-kernel@vger.kernel.org"
CC: Vincent Pelletier, Mike Christie, Matthew Wilcox, "Martin K . Petersen", Sasha Levin
Subject: [PATCH AUTOSEL 4.18 08/65] scsi: iscsi: target: Set conn->sess to NULL when iscsi_login_set_conn_values fails
Date: Mon, 1 Oct 2018 00:38:07 +0000
Message-ID: <20181001003754.146961-8-alexander.levin@microsoft.com>

From: Vincent Pelletier

[ Upstream commit 7915919bb94e12460c58e27c708472e6f85f6699 ]

Fixes a use-after-free reported by KASAN when later
iscsi_target_login_sess_out gets called and it tries to access
conn->sess->se_sess:

Disabling lock debugging due to kernel taint
iSCSI Login timeout on Network Portal [::]:3260
iSCSI Login negotiation failed.
==================================================================
BUG: KASAN: use-after-free in iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
Read of size 8 at addr ffff880109d070c8 by task iscsi_np/980

CPU: 1 PID: 980 Comm: iscsi_np Tainted: G O 4.17.8kasan.sess.connops+ #4
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 iscsi_target_login_sess_out.cold.12+0x58/0xff [iscsi_target_mod]
 iscsi_target_login_thread+0x1086/0x1710 [iscsi_target_mod]
 ? __sched_text_start+0x8/0x8
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 ? __kthread_parkme+0xcc/0x100
 ? parse_args.cold.14+0xd3/0xd3
 ? iscsi_target_login_sess_out+0x250/0x250 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

Allocated by task 980:
 kasan_kmalloc+0xbf/0xe0
 kmem_cache_alloc_trace+0x112/0x210
 iscsi_target_login_thread+0x816/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

Freed by task 980:
 __kasan_slab_free+0x125/0x170
 kfree+0x90/0x1d0
 iscsi_target_login_thread+0x1577/0x1710 [iscsi_target_mod]
 kthread+0x1a0/0x1c0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff880109d06f00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 456 bytes inside of
 512-byte region [ffff880109d06f00, ffff880109d07100)
The buggy address belongs to the page:
page:ffffea0004274180 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x17fffc000008100(slab|head)
raw: 017fffc000008100 0000000000000000 0000000000000000 00000001000c000c
raw: dead000000000100 dead000000000200 ffff88011b002e00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880109d06f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880109d07000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880109d07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff880109d07100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880109d07180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: Vincent Pelletier
[rebased against idr/ida changes and to handle ret review comments from Matthew]
Signed-off-by: Mike Christie
Cc: Matthew Wilcox
Reviewed-by: Matthew Wilcox
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
---
 drivers/target/iscsi/iscsi_target_login.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/isc= si/iscsi_target_login.c index 68b3eb00a9d0..c8bc99727e85 100644 --- a/drivers/target/iscsi/iscsi_target_login.c +++ b/drivers/target/iscsi/iscsi_target_login.c @@ -310,11 +310,9 @@ static int iscsi_login_zero_tsih_s1( return -ENOMEM; } =20 - ret =3D iscsi_login_set_conn_values(sess, conn, pdu->cid); - if (unlikely(ret)) { - kfree(sess); - return ret; - } + if (iscsi_login_set_conn_values(sess, conn, pdu->cid)) + goto free_sess; + sess->init_task_tag =3D pdu->itt; memcpy(&sess->isid, pdu->isid, 6); sess->exp_cmd_sn =3D be32_to_cpu(pdu->cmdsn); --=20 2.17.1
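
Review bot: the new error path "goto free_sess" in iscsi_login_zero_tsih_s1() depends on a free_sess label that this hunk neither adds nor shows, and the diffstat (3 insertions, 5 deletions) is fully accounted for by the lines above, so the label has to exist already in the 4.18 tree. Before this is queued for stable, confirm that the prerequisite change (the commit message mentions a rebase against idr/ida changes) is present in 4.18 and that the code at free_sess both frees sess and sets conn->sess to NULL as the subject promises; otherwise the backport either fails to build or leaves the dangling pointer that iscsi_target_login_sess_out later reads. The return value of iscsi_login_set_conn_values() is also no longer propagated now that ret is dropped, so check that whatever the free_sess path returns is still an error the caller handles correctly.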