From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mike Christie, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.14 130/151] scsi: iscsi: Fix iscsi_task use after free
Date: Mon, 11 Oct 2021 15:46:42 +0200
Message-Id: <20211011134522.008274880@linuxfoundation.org>
In-Reply-To: <20211011134517.833565002@linuxfoundation.org>
References: <20211011134517.833565002@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mike Christie

[ Upstream commit 258aad75c62146453d03028a44f2f1590d58e1f6 ]

Commit d39df158518c ("scsi: iscsi: Have abort handler get ref to conn")
added iscsi_get_conn()/iscsi_put_conn() calls during abort handling but
then also changed the handling of the case where we detect an already
completed task where we now end up doing a goto to the common put/cleanup
code. This results in an iscsi_task use after free, because the common
cleanup code will do a put on the iscsi_task.

This reverts the goto and moves the iscsi_get_conn() to after we've
checked if the iscsi_task is valid.

Link: https://lore.kernel.org/r/20211004210608.9962-1-michael.christie@oracle.com
Fixes: d39df158518c ("scsi: iscsi: Have abort handler get ref to conn")
Signed-off-by: Mike Christie
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
---
 drivers/scsi/libiscsi.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 4683c183e9d4..5bc91d34df63 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2281,11 +2281,6 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) return FAILED; } - conn = session->leadconn; - iscsi_get_conn(conn->cls_conn); - conn->eh_abort_cnt++; - age = session->age; - spin_lock(&session->back_lock); task = (struct iscsi_task *)sc->SCp.ptr; if (!task || !task->sc) { @@ -2293,8 +2288,16 @@ int iscsi_eh_abort(struct scsi_cmnd *sc) ISCSI_DBG_EH(session, "sc completed while abort in progress\n"); spin_unlock(&session->back_lock); - goto success; + spin_unlock_bh(&session->frwd_lock); + mutex_unlock(&session->eh_mutex); + return SUCCESS; } + + conn = session->leadconn; + iscsi_get_conn(conn->cls_conn); + conn->eh_abort_cnt++; + age = session->age; + ISCSI_DBG_EH(session, "aborting [sc %p itt 0x%x]\n", sc, task->itt); __iscsi_get_task(task); spin_unlock(&session->back_lock); -- 2.33.0
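Review bot: in the first hunk (@@ -2281,11 +2281,6 @@), removing the `conn = session->leadconn; iscsi_get_conn(conn->cls_conn);` block before the task lookup means `conn` and `age` are no longer initialised when `spin_lock(&session->back_lock)` and the `if (!task || !task->sc)` check run; from the visible context nothing in that window dereferences `conn`, so this is safe, but it also means the "sc completed" path no longer holds a conn reference and so must not fall through to the common cleanup, which the second hunk has to handle on its own.

Review bot: in the second hunk (@@ -2293,8 +2288,16 @@), the replacement of `goto success` with an explicit `spin_unlock_bh(&session->frwd_lock); mutex_unlock(&session->eh_mutex); return SUCCESS;` is the right fix, since the commit message states the common cleanup path does a put on the task that this path never got a reference to (the `__iscsi_get_task(task)` only happens after the check); the unlock order also matches the nesting visible in the context (back_lock, then frwd_lock, then eh_mutex). A short comment above `return SUCCESS;` saying why `goto success` must not be used here (no task or conn reference is held on this path) would stop a later cleanup-consolidation from reintroducing the use-after-free.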