On 2022/12/13 1:00, Mike Christie wrote:
On 12/11/22 8:32 AM, Wenchao Hao wrote:
On Sun, Dec 11, 2022 at 6:07 AM Mike Christie wrote:
On 12/9/22 2:22 AM, Ding Hui wrote:
During iscsi session logout, if another task is accessing the shost ipaddress
attr at this time, we can get a KASAN UAF report
st_remove|
|- iscsi_host_free |
Since shost holds a pointer to the session, which belongs to cls_session, by its
priv tcp_sw_host, we should get a ref of cls_session, and after
iscsi_host_remove() the sysfs is cleared, then we can drop the ref.
Signed-off-by: Ding Hui
---
dri
ent reinit by mistake,
also in case we can handle multiple conns in the future.
Fixes: ec29d0ac29be ("scsi: iscsi: Fix conn use after free during resets")
Signed-off-by: Ding Hui
---
v2:
update commit log
drivers/scsi/libiscsi.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff
On 2021/9/11 12:38 AM, Mike Christie wrote:
On 9/9/21 8:02 PM, Ding Hui wrote:
Like commit 5db6dd14b313 ("scsi: libiscsi: Fix NULL pointer dereference in
iscsi_eh_session_reset"), accessing conn->persistent_address here is not safe
either.
The persistent_address is independent of conn
On 2021/9/11 12:25 AM, Mike Christie wrote:
On 9/9/21 8:02 PM, Ding Hui wrote:
Commit ec29d0ac29be ("scsi: iscsi: Fix conn use after free during
resets") moved member ehwait from conn to session, but left the ehwait init
in iscsi_conn_setup().
Due to one session can be binded by m
count of conn
above, the conn pointer may be invalid.
Signed-off-by: Ding Hui
---
drivers/scsi/libiscsi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 712a45368385..69b3b2148328 100644
--- a/drivers/scsi/libiscsi.c
Like commit fda290c5ae98 ("scsi: iscsi: Get ref to conn during reset
handling"), because in iscsi_exec_task_mgmt_fn() the eh_mutex and
frwd_lock will be unlocked, the conn can also be released if we do not
hold a ref.
Signed-off-by: Ding Hui
---
drivers/scsi/libiscsi.c | 10 --
1 fi
Ding Hui (3):
scsi: libiscsi: move init ehwait to iscsi_session_setup()
scsi: libiscsi: fix invalid pointer dereference in
iscsi_eh_session_reset
scsi: libiscsi: get ref to conn in iscsi_eh_device/target_reset()
drivers/scsi/libiscsi.c | 17 +++--
1 file changed, 11
e init ehwait to
iscsi_session_setup() to fix it.
Fixes: ec29d0ac29be ("scsi: iscsi: Fix conn use after free during resets")
Signed-off-by: Ding Hui
---
drivers/scsi/libiscsi.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libisc