From patchwork Tue Jun  6 10:25:31 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
X-Patchwork-Id: 13268914
Return-Path: <linux-rdma-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id DDAB8C77B73
	for <linux-rdma@archiver.kernel.org>; Tue,  6 Jun 2023 10:26:06 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235747AbjFFK0D (ORCPT <rfc822;linux-rdma@archiver.kernel.org>);
        Tue, 6 Jun 2023 06:26:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48758 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234997AbjFFK0A (ORCPT
        <rfc822;linux-rdma@vger.kernel.org>); Tue, 6 Jun 2023 06:26:00 -0400
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com
 [IPv6:2607:f8b0:4864:20::72a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7179BE42
        for <linux-rdma@vger.kernel.org>;
 Tue,  6 Jun 2023 03:25:59 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id
 af79cd13be357-75ea05150b3so183856885a.0
        for <linux-rdma@vger.kernel.org>;
 Tue, 06 Jun 2023 03:25:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=broadcom.com; s=google; t=1686047158; x=1688639158;
        h=mime-version:references:in-reply-to:message-id:date:subject:cc:to
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=PlDogrO11buMFwP150NlUeWdzRI9UKbN9mAUGugXKOA=;
        b=bcEdqunpIsnx5ptJ8fe6up7h+/SsegknPFKgQw7EqSs+oC0ZjVv3uFvuxCbKrOtC0S
         rIHPi2GD+8aovYeFU6N2N+Rl02muu4UDrZuoCRKh73Q8SuMHi79Q9S82V6D5mWoa01+i
         U4kooPU4Yl8pBmYMrXEJtmBXtYH+WoQVEl/Cw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1686047158; x=1688639158;
        h=mime-version:references:in-reply-to:message-id:date:subject:cc:to
         :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=PlDogrO11buMFwP150NlUeWdzRI9UKbN9mAUGugXKOA=;
        b=i9CXZ/cCIcSkzsu7x+HnzfSsrFYpEI9Xdzfbes9k2ixg8O88m+YLdIdIcmWb4Jxuoo
         uLROIF1ldd76LScI7KCWHGDZ0FbPtWqte4jBbCI4DRn+kgvBS5+sGVfejoLMPaFzRNoT
         mLZ0ZXYbID4Qu3qjZ7u7CloGh+SXa1kuWk10064NMR+aZg+OL1dYpbx2Gf+eJlX2rC8t
         UsBc3sBF1HZbmsM94hFuyoirDjfnWMPqF6KUyp6N85Jo04AK6I8qmXG0S3iuGUOfa8wK
         swP1h7EE/fCcBPTsp1CXGw0Cbeny2fC0/ZsaMgcpdfGBgTloJTNAWYlCctwk8z8XDFyX
         4cOw==
X-Gm-Message-State: AC+VfDxK8LlqsT75QIPGyTfVlXb4oWCw1eMZ/i0oEFtnne7753oNAifO
        I+IPTUpb/yZB/QbmATaizWweqg==
X-Google-Smtp-Source: 
 ACHHUZ6N97xJiS847WRnhJYNgg5tiPHfN4Mg+C5EwZjPznl3mqEAu2Tk3pTGsg6AWedf5PUngXh0QQ==
X-Received: by 2002:a05:620a:24d4:b0:75b:23a1:830d with SMTP id
 m20-20020a05620a24d400b0075b23a1830dmr2170561qkn.8.1686047158361;
        Tue, 06 Jun 2023 03:25:58 -0700 (PDT)
Received: from localhost.localdomain ([192.19.234.250])
        by smtp.gmail.com with ESMTPSA id
 i12-20020a17090a2a0c00b0024c1ac09394sm7881770pjd.19.2023.06.06.03.25.55
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 06 Jun 2023 03:25:57 -0700 (PDT)
From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
To: selvin.xavier@broadcom.com, jgg@ziepe.ca, leon@kernel.org,
        sagi@grimberg.me
Cc: linux-rdma@vger.kernel.org,
        Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Subject: [PATCH v3 for-rc 3/3] IB/isert: Fix incorrect release of isert
 connection
Date: Tue,  6 Jun 2023 03:25:31 -0700
Message-Id: <20230606102531.162967-4-saravanan.vajravel@broadcom.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20230606102531.162967-1-saravanan.vajravel@broadcom.com>
References: <20230606102531.162967-1-saravanan.vajravel@broadcom.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org

The ib_isert module is releasing the isert connection both in
isert_wait_conn() handler as well as isert_free_conn() handler.
In isert_wait_conn() handler, it is expected to wait for iSCSI
session logout operation to complete. It should free the isert
connection only in isert_free_conn() handler.

When a bunch of iSER target is cleared, this issue can lead to
use-after-free memory issue as isert conn is twice released

Fixes: b02efbfc9a05 ("iser-target: Fix implicit termination of connections")
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
---
 drivers/infiniband/ulp/isert/ib_isert.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
index 00a7303c8cc6..92e1e7587af8 100644
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2570,8 +2570,6 @@ static void isert_wait_conn(struct iscsit_conn *conn)
 	isert_put_unsol_pending_cmds(conn);
 	isert_wait4cmds(conn);
 	isert_wait4logout(isert_conn);
-
-	queue_work(isert_release_wq, &isert_conn->release_work);
 }
 
 static void isert_free_conn(struct iscsit_conn *conn)