[PATCH] iscsi: Don't send data to unbinded connection

[Gabriel Krisman Bertazi]

From: Anatol Pomazau <ana...@google.com>

If a faulty initiator fails to bind the socket to the iSCSI connection
before emitting a command, for instance, a subsequent send_pdu, it will
crash the kernel due to a null pointer dereference in sock_sendmsg(), as
shown in the log below. This make sure the bind succeeded before trying
to use the socket.

BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.4.0-rc2.iscsi+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 24.158246] Workqueue: iscsi_q_0 iscsi_xmitworker
[ 24.158883] RIP: 0010:apparmor_socket_sendmsg+0x5/0x20
[...]
[ 24.161739] RSP: 0018:ffffab6440043ca0 EFLAGS: 00010282
[ 24.162400] RAX: ffffffff891c1c00 RBX: ffffffff89d53968 RCX: 0000000000000001
[ 24.163253] RDX: 0000000000000030 RSI: ffffab6440043d00 RDI: 0000000000000000
[ 24.164104] RBP: 0000000000000030 R08: 0000000000000030 R09: 0000000000000030
[ 24.165166] R10: ffffffff893e66a0 R11: 0000000000000018 R12: ffffab6440043d00
[ 24.166038] R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d5575a62e90
[ 24.166919] FS: 0000000000000000(0000) GS:ffff9d557db80000(0000) knlGS:0000000000000000
[ 24.167890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 24.168587] CR2: 0000000000000018 CR3: 000000007a838000 CR4: 00000000000006e0
[ 24.169451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.170320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 24.171214] Call Trace:
[ 24.171537] security_socket_sendmsg+0x3a/0x50
[ 24.172079] sock_sendmsg+0x16/0x60
[ 24.172506] iscsi_sw_tcp_xmit_segment+0x77/0x120
[ 24.173076] iscsi_sw_tcp_pdu_xmit+0x58/0x170
[ 24.173604] ? iscsi_dbg_trace+0x63/0x80
[ 24.174087] iscsi_tcp_task_xmit+0x101/0x280
[ 24.174666] iscsi_xmit_task+0x83/0x110
[ 24.175206] iscsi_xmitworker+0x57/0x380
[ 24.175757] ? __schedule+0x2a2/0x700
[ 24.176273] process_one_work+0x1b5/0x360
[ 24.176837] worker_thread+0x50/0x3c0
[ 24.177353] kthread+0xf9/0x130
[ 24.177799] ? process_one_work+0x360/0x360
[ 24.178401] ? kthread_park+0x90/0x90
[ 24.178915] ret_from_fork+0x35/0x40
[ 24.179421] Modules linked in:
[ 24.179856] CR2: 0000000000000018
[ 24.180327] ---[ end trace b4b7674b6df5f480 ]---

Co-developed-by: Frank Mayhar <fma...@google.com>
Signed-off-by: Frank Mayhar <fma...@google.com>
Co-developed-by: Bharath Ravi <rbha...@google.com>
Signed-off-by: Bharath Ravi <rbha...@google.com>
Co-developed-by: Khazhimsel Kumykov <kha...@google.com>
Signed-off-by: Khazhimsel Kumykov <kha...@google.com>
Signed-off-by: Anatol Pomazau <ana...@google.com>
Co-developed-by: Gabriel Krisman Bertazi <kri...@collabora.com>
Signed-off-by: Gabriel Krisman Bertazi <kri...@collabora.com>
---
drivers/scsi/iscsi_tcp.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index cea7fda1dd23..b5dd1caae5e9 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -369,8 +369,16 @@ static int iscsi_sw_tcp_pdu_xmit(struct iscsi_task *task)
{
struct iscsi_conn *conn = task->conn;
unsigned int noreclaim_flag;
+ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+ struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
int rc = 0;

+ if (!tcp_sw_conn->sock) {
+ iscsi_conn_printk(KERN_ERR, conn,
+ "Transport not bound to socket!\n");
+ return -EINVAL;
+ }
+
noreclaim_flag = memalloc_noreclaim_save();

while (iscsi_sw_tcp_xmit_qlen(conn)) {
--
2.24.0

[Lee Duncan]

Reviewed-by: Lee Duncan <ldu...@suse.com>

[Martin K. Petersen]

Gabriel,

> If a faulty initiator fails to bind the socket to the iSCSI connection
> before emitting a command, for instance, a subsequent send_pdu, it
> will crash the kernel due to a null pointer dereference in
> sock_sendmsg(), as shown in the log below. This make sure the bind
> succeeded before trying to use the socket.

Applied to 5.5/scsi-queue. But please make sure to send patch
submissions to linux...@vger.kernel.org.

--
Martin K. Petersen Oracle Linux Engineering

[Gabriel Krisman Bertazi]

"Martin K. Petersen" <martin....@oracle.com> writes:

> Applied to 5.5/scsi-queue. But please make sure to send patch
> submissions to linux...@vger.kernel.org.

Hi Martin,

Thanks for applying them. My apologies for not CC'ing
linux-scsi, I will be sending more fixes like this to iSCSI and I will
make sure to CC the right list in the future.

Although, looks like the MAINTAINERS file doesn't list linux-scsi as the
target for iscsi patches. Would you take the fix below to address that?

Thanks,

-- >8 --
From: Gabriel Krisman Bertazi <kri...@collabora.com>
Subject: [PATCH] MAINTAINERS: Add the linux-scsi mailing list to the ISCSI entry


Most people who review iSCSI are following linux-scsi, but some are not
in open-scsi. Make sure we are routing iSCSI patches to the right list.

There are precedents in the MAINTAINERS file for subsystems pointing to
two mailing lists, so this shouldn't be a problem, but maybe we want to
drop the open-iscsi reference?

Signed-off-by: Gabriel Krisman Bertazi <kri...@collabora.com>
---

MAINTAINERS | 1 +
1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index b3bbb1784913..a0ddc7f4ec1c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8668,6 +8668,7 @@ ISCSI
M: Lee Duncan <ldu...@suse.com>
M: Chris Leech <cle...@redhat.com>
L: open-...@googlegroups.com
+L: linux...@vger.kernel.org
W: www.open-iscsi.com
S: Maintained
F: drivers/scsi/*iscsi*
--
2.24.0

[Martin K. Petersen]

Gabriel,

> Although, looks like the MAINTAINERS file doesn't list linux-scsi as
> the target for iscsi patches. Would you take the fix below to address
> that?

Applied to 5.5/scsi-queue, thanks!