Re: [PATCH] scsi: iscsi: fix inappropriate use of put_device
13 views
Skip to first unread message
Mike Christie
Dec 2, 2020, 2:35:25 PM12/2/20
to Qinglang Miao, Lee Duncan, Chris Leech, James E.J. Bottomley, Martin K. Petersen, open-...@googlegroups.com, linux...@vger.kernel.org, linux-...@vger.kernel.org
On 11/20/20 1:48 AM, Qinglang Miao wrote:
> kfree(conn) is called inside put_device(&conn->dev) so that
> another one would cause use-after-free. Besides, device_unregister
> should be used here rather than put_device.
>
> Fixes: f3c893e3dbb5 ("scsi: iscsi: Fail session and connection on transport registration failure")
> Reported-by: Hulk Robot <hul...@huawei.com>
> Signed-off-by: Qinglang Miao <miaoqi...@huawei.com>
> ---
> drivers/scsi/scsi_transport_iscsi.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index 2eb3e4f93..2e68c0a87 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -2313,7 +2313,9 @@ iscsi_create_conn(struct iscsi_cls_session *session, int dd_size, uint32_t cid)
> return conn;
>
> release_conn_ref:
> - put_device(&conn->dev);
> + device_unregister(&conn->dev);
> + put_device(&session->dev);
> + return NULL;
> release_parent_ref:
> put_device(&session->dev);
> free_conn:
>
Reviewed-by: Mike Christie <michael....@oracle.com>
> kfree(conn) is called inside put_device(&conn->dev) so that
> another one would cause use-after-free. Besides, device_unregister
> should be used here rather than put_device.
>
> Fixes: f3c893e3dbb5 ("scsi: iscsi: Fail session and connection on transport registration failure")
> Reported-by: Hulk Robot <hul...@huawei.com>
> Signed-off-by: Qinglang Miao <miaoqi...@huawei.com>
> ---
> drivers/scsi/scsi_transport_iscsi.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index 2eb3e4f93..2e68c0a87 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -2313,7 +2313,9 @@ iscsi_create_conn(struct iscsi_cls_session *session, int dd_size, uint32_t cid)
> return conn;
>
> release_conn_ref:
> - put_device(&conn->dev);
> + device_unregister(&conn->dev);
> + put_device(&session->dev);
> + return NULL;
> release_parent_ref:
> put_device(&session->dev);
> free_conn:
>
Reviewed-by: Mike Christie <michael....@oracle.com>
Martin K. Petersen
Dec 9, 2020, 12:24:00 PM12/9/20
to Chris Leech, James E.J. Bottomley, Qinglang Miao, Lee Duncan, Martin K . Petersen, linux...@vger.kernel.org, linux-...@vger.kernel.org, open-...@googlegroups.com
On Fri, 20 Nov 2020 15:48:52 +0800, Qinglang Miao wrote:
> kfree(conn) is called inside put_device(&conn->dev) so that
> another one would cause use-after-free. Besides, device_unregister
> should be used here rather than put_device.
Applied to 5.11/scsi-queue, thanks!
> kfree(conn) is called inside put_device(&conn->dev) so that
> another one would cause use-after-free. Besides, device_unregister
> should be used here rather than put_device.
[1/1] scsi: iscsi: fix inappropriate use of put_device
https://git.kernel.org/mkp/scsi/c/6dc1c7ab6f04
--
Martin K. Petersen Oracle Linux Engineering
Reply all
Reply to author
Forward
0 new messages