Mike Christie
Mar 19, 2024, 3:29:05 PM
to Khazhismel Kumykov, Lee Duncan, Chris Leech, James E . J . Bottomley, Martin K . Petersen, open-...@googlegroups.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, Khazhismel Kumykov
On 3/18/24 2:49 PM, Khazhismel Kumykov wrote:
> This attempts to avoid a situation where a misbehaving iscsi daemon
> passes a socket for a different iSCSI connection to BIND_CONN - which
> would result in infinite recursion and stack overflow. This will
> also prevent passing *other* sockets which had sk_user_data overridden,
> but that wouldn't have been safe anyways - since we throw away that
> pointer anyways. This does not cover all hypothetical scenarios where we
> pass bad sockets to BIND_CONN.
>
> This also papers over a different bug - we allow a daemon to call
> BIND_CONN twice for the same connection - which would result in, at the
> least, failing to uninitialize/teardown the previous socket, which will
> be addressed separately.
>
> Signed-off-by: Khazhismel Kumykov <kha...@google.com>
> ---
> drivers/scsi/iscsi_tcp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
> index 8e14cea15f98..e8ed60b777c6 100644
> --- a/drivers/scsi/iscsi_tcp.c
> +++ b/drivers/scsi/iscsi_tcp.c
> @@ -725,7 +725,7 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session,
> }
>
> err = -EINVAL;
> - if (!sk_is_tcp(sock->sk))
> + if (!sk_is_tcp(sock->sk) || sock->sk->sk_user_data)
> goto free_socket;
>
> err = iscsi_conn_bind(cls_session, cls_conn, is_leading);
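Review bot: the added `sock->sk->sk_user_data` test is performed with no lock visible around it in this hunk, so a socket whose callbacks are being installed or torn down concurrently could still pass or fail the check by timing; a short comment above the condition stating what a non-NULL sk_user_data means here (the socket is already claimed by another iSCSI connection, or by something else the transport cannot safely take over) would make the intent clear to later readers, since the rejection is otherwise silent. Also consider a distinct error code for the already-claimed case rather than reusing `err = -EINVAL;` for both conditions, e.g. `err = -EBUSY;` before `goto free_socket;`, so userspace can tell "not a TCP socket" apart from "socket already bound", which the cover text itself identifies as a separate daemon-triggerable bug.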
Reviewed-by: Mike Christie <michael....@oracle.com>