On 11/15/19 4:47 PM, Gabriel Krisman Bertazi wrote:
> From: Anatol Pomazau <[email protected]>
> 
> If a faulty initiator fails to bind the socket to the iSCSI connection
> before emitting a command, for instance, a subsequent send_pdu, it will
> crash the kernel due to a null pointer dereference in sock_sendmsg(), as
> shown in the log below.  This make sure the bind succeeded before trying
> to use the socket.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000018
>  #PF: supervisor read access in kernel mode
>  #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP PTI
> CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.4.0-rc2.iscsi+ #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [   24.158246] Workqueue: iscsi_q_0 iscsi_xmitworker
> [   24.158883] RIP: 0010:apparmor_socket_sendmsg+0x5/0x20
> [...]
> [   24.161739] RSP: 0018:ffffab6440043ca0 EFLAGS: 00010282
> [   24.162400] RAX: ffffffff891c1c00 RBX: ffffffff89d53968 RCX: 0000000000000001
> [   24.163253] RDX: 0000000000000030 RSI: ffffab6440043d00 RDI: 0000000000000000
> [   24.164104] RBP: 0000000000000030 R08: 0000000000000030 R09: 0000000000000030
> [   24.165166] R10: ffffffff893e66a0 R11: 0000000000000018 R12: ffffab6440043d00
> [   24.166038] R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d5575a62e90
> [   24.166919] FS:  0000000000000000(0000) GS:ffff9d557db80000(0000) knlGS:0000000000000000
> [   24.167890] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   24.168587] CR2: 0000000000000018 CR3: 000000007a838000 CR4: 00000000000006e0
> [   24.169451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   24.170320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   24.171214] Call Trace:
> [   24.171537]  security_socket_sendmsg+0x3a/0x50
> [   24.172079]  sock_sendmsg+0x16/0x60
> [   24.172506]  iscsi_sw_tcp_xmit_segment+0x77/0x120
> [   24.173076]  iscsi_sw_tcp_pdu_xmit+0x58/0x170
> [   24.173604]  ? iscsi_dbg_trace+0x63/0x80
> [   24.174087]  iscsi_tcp_task_xmit+0x101/0x280
> [   24.174666]  iscsi_xmit_task+0x83/0x110
> [   24.175206]  iscsi_xmitworker+0x57/0x380
> [   24.175757]  ? __schedule+0x2a2/0x700
> [   24.176273]  process_one_work+0x1b5/0x360
> [   24.176837]  worker_thread+0x50/0x3c0
> [   24.177353]  kthread+0xf9/0x130
> [   24.177799]  ? process_one_work+0x360/0x360
> [   24.178401]  ? kthread_park+0x90/0x90
> [   24.178915]  ret_from_fork+0x35/0x40
> [   24.179421] Modules linked in:
> [   24.179856] CR2: 0000000000000018
> [   24.180327] ---[ end trace b4b7674b6df5f480 ]---
> 
> Co-developed-by: Frank Mayhar <[email protected]>
> Signed-off-by: Frank Mayhar <[email protected]>
> Co-developed-by: Bharath Ravi <[email protected]>
> Signed-off-by: Bharath Ravi <[email protected]>
> Co-developed-by: Khazhimsel Kumykov <[email protected]>
> Signed-off-by: Khazhimsel Kumykov <[email protected]>
> Signed-off-by: Anatol Pomazau <[email protected]>
> Co-developed-by: Gabriel Krisman Bertazi <[email protected]>
> Signed-off-by: Gabriel Krisman Bertazi <[email protected]>
> ---
>  drivers/scsi/iscsi_tcp.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
> index cea7fda1dd23..b5dd1caae5e9 100644
> --- a/drivers/scsi/iscsi_tcp.c
> +++ b/drivers/scsi/iscsi_tcp.c
> @@ -369,8 +369,16 @@ static int iscsi_sw_tcp_pdu_xmit(struct iscsi_task *task)
>  {
>       struct iscsi_conn *conn = task->conn;
>       unsigned int noreclaim_flag;
> +     struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
> +     struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
>       int rc = 0;
>  
> +     if (!tcp_sw_conn->sock) {
> +             iscsi_conn_printk(KERN_ERR, conn,
> +                               "Transport not bound to socket!\n");
> +             return -EINVAL;
> +     }
> +
>       noreclaim_flag = memalloc_noreclaim_save();
>  
>       while (iscsi_sw_tcp_xmit_qlen(conn)) {
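Review bot: the new `if (!tcp_sw_conn->sock)` test reads the socket pointer with no lock visible in this hunk, so it closes the never-bound case the oops above shows, but on its own it does not exclude a teardown that clears `tcp_sw_conn->sock` between this check and the later `sock_sendmsg()` call in `iscsi_sw_tcp_xmit_segment`; a one-line comment stating why that window cannot be hit from `iscsi_xmitworker` (for instance, that transmission is suspended before the socket is released) would save the next reader from re-deriving it. A smaller point: `-ENOTCONN` describes "Transport not bound to socket" more precisely than `-EINVAL`, and lets callers distinguish an unbound transport from a malformed request.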
> 

Reviewed-by: Lee Duncan <[email protected]>

Message archived at: https://groups.google.com/d/msgid/open-iscsi/2b4a232e-add1-38a6-e86d-0192737f2fd9%40suse.com