| From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001 |
| From: Sagi Grimberg <sagig@mellanox.com> |
| Date: Thu, 4 Jun 2015 19:49:21 +0300 |
| Subject: iser-target: Fix possible use-after-free |
| |
| From: Sagi Grimberg <sagig@mellanox.com> |
| |
| commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream. |
| |
| iser connection termination process happens in 2 stages: |
| - isert_wait_conn: |
|   - resumes rdma disconnect |
|   - wait for session commands |
|   - wait for flush completions (post a marked wr to signal we are done) |
|   - wait for logout completion |
|   - queue work for connection cleanup (depends on disconnected/timewait |
|     events) |
| - isert_free_conn |
|   - last reference put on the connection |
| |
| In case we are terminating during IOs, we might be posting send/recv |
| requests after we posted the last work request which might lead |
| to a use-after-free condition in isert_handle_wc. |
| After we posted the last wr in isert_wait_conn we are guaranteed that |
| no successful completions will follow (meaning no new work request posts |
| may happen) but other flush errors might still come. So before we |
| put the last reference on the connection, we repeat the process of |
| posting a marked work request (isert_wait4flush) in order to make sure all |
| pending completions were flushed. |
| |
| Signed-off-by: Sagi Grimberg <sagig@mellanox.com> |
| Signed-off-by: Jenny Falkovich <jennyf@mellanox.com> |
| Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/infiniband/ulp/isert/ib_isert.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/infiniband/ulp/isert/ib_isert.c |
| +++ b/drivers/infiniband/ulp/isert/ib_isert.c |
| @@ -3313,6 +3313,7 @@ static void isert_free_conn(struct iscsi |
| { |
| struct isert_conn *isert_conn = conn->context; |
| |
| + isert_wait4flush(isert_conn); |
| isert_put_conn(isert_conn); |
| } |
| |
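Review bot: The new isert_wait4flush(isert_conn) call in isert_free_conn() is unconditional and carries no comment, so a reader of the function cannot tell why a flush wait sits directly before isert_put_conn(). The reason lives only in the commit message: flush errors can still arrive after the marked wr posted in isert_wait_conn, and the final reference must not be dropped until they are drained. Please add a short comment above the call saying that. Also confirm that every path reaching isert_free_conn() has already gone through isert_wait_conn, so that the QP is in a state where a marked wr can be posted and will complete. Nothing in this hunk guards the call, and a wait here that never completes would block the final put.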