IB/isert: Fix incorrect release of isert connection

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The ib_isert module is releasing the isert connection both in
isert_wait_conn() handler as well as isert_free_conn() handler.
In isert_wait_conn() handler, it is expected to wait for iSCSI
session logout operation to complete. It should free the isert
connection only in isert_free_conn() handler.

When a bunch of iSER target is cleared, this issue can lead to
use-after-free memory issue as isert conn is twice released

Fixes: b02efbfc9a05 ("iser-target: Fix implicit termination of connections")
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://lore.kernel.org/r/20230606102531.162967-4-saravanan.vajravel@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>

authored by

Saravanan Vajravel and committed by

Leon Romanovsky 2 years ago 699826f4 7651e2d6

-2

1 changed file

expand all

drivers

infiniband

ulp

isert

ib_isert.c

-2

drivers/infiniband/ulp/isert/ib_isert.c

··· 2570 2570 isert_put_unsol_pending_cmds(conn); 2571 2571 isert_wait4cmds(conn); 2572 2572 isert_wait4logout(isert_conn); 2573 - 2574 - queue_work(isert_release_wq, &isert_conn->release_work); 2575 2573 } 2576 2574 2577 2575 static void isert_free_conn(struct iscsit_conn *conn)