This is a note to let you know that I've just added the patch titled

    iscsi-target: Avoid early conn_logout_comp for iser connections

to the 3.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.

>From f068fbc82e7696d67b1bb8189306865bedf368b6 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <[email protected]>
Date: Mon, 23 Feb 2015 00:57:51 -0800
Subject: iscsi-target: Avoid early conn_logout_comp for iser connections
From: Nicholas Bellinger <[email protected]>
commit f068fbc82e7696d67b1bb8189306865bedf368b6 upstream.

This patch fixes an iser-specific logout bug where early complete()
of conn->conn_logout_comp in iscsit_close_connection() was causing
isert_wait4logout() to complete too soon, triggering a use after
free NULL pointer dereference of iscsi_conn memory.

The complete() was originally added for traditional iscsi-target
when an ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given
iser-target does not wait in logout failure, this special case needs
to be avoided.

Reported-by: Sagi Grimberg <[email protected]>
Cc: Sagi Grimberg <[email protected]>
Cc: Slava Shwartsman <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/target/iscsi/iscsi_target.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4136,11 +4136,17 @@ int iscsit_close_connection(
pr_debug("Closing iSCSI connection CID %hu on SID:"
" %u\n", conn->cid, sess->sid);
/*
- * Always up conn_logout_comp just in case the RX Thread is sleeping
- * and the logout response never got sent because the connection
- * failed.
+ * Always up conn_logout_comp for the traditional TCP case just in case
+ * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout
+ * response never got sent because the connection failed.
+ *
+ * However for iser-target, isert_wait4logout() is using
conn_logout_comp
+ * to signal logout response TX interrupt completion. Go ahead and skip
+ * this for iser since isert_rx_opcode() does not wait on logout
failure,
+ * and to avoid iscsi_conn pointer dereference in iser-target code.
*/
- complete(&conn->conn_logout_comp);
+ if (conn->conn_transport->transport_type == ISCSI_TCP)
+ complete(&conn->conn_logout_comp);
iscsi_release_thread_set(conn);
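
Review bot: The new condition `conn->conn_transport->transport_type == ISCSI_TCP` is narrower than the comment above it. The comment says the complete() is skipped for iser, but the test skips it for every transport that is not ISCSI_TCP, so any other transport type whose RX path sleeps on conn_logout_comp after a failed logout would no longer be woken here. Either state in the comment that only the traditional TCP transport relies on this wake-up, or invert the test so it excludes the iser transport type specifically. The comment could also say outright that the early complete() lets isert_wait4logout() return while iscsi_conn is being torn down, since "to avoid iscsi_conn pointer dereference" does not convey the use-after-free described in the commit message. Separately, the two comment lines ending in "conn_logout_comp" and "failure," have been wrapped in this copy so that the continuation lines carry no `+` prefix; the hunk as shown will not match its `-4136,11 +4136,17` header and should be taken from the queue-3.10 file rather than from this mail.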
Patches currently in stable-queue which might be from [email protected] are
queue-3.10/iscsi-target-avoid-early-conn_logout_comp-for-iser-connections.patch
queue-3.10/target-pscsi-fix-null-pointer-dereference-in-get_device_type.patch
queue-3.10/target-allow-write-exclusive-non-reservation-holders-to-read.patch
queue-3.10/target-fix-reference-leak-in-target_get_sess_cmd-error-path.patch
queue-3.10/target-allow-allregistrants-to-re-reserve-existing-reservation.patch
queue-3.10/target-fix-r_holder-bit-usage-for-allregistrants.patch