From: Shivani Agarwal
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Shivani Agarwal
Subject: [PATCH 1/2 v5.10] scsi: iscsi: Move pool freeing
Date: Wed, 7 Jan 2026 22:22:21 -0800
Message-Id: <20260108062222.670715-2-shivani.agarwal@broadcom.com>
In-Reply-To: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
References: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mike Christie

[ Upstream commit a1f3486b3b095ed2259d7a1fc021a8b6e72a5365 ]

This doesn't fix any bugs, but it makes more sense to free the pool after
we have removed the session. At that time we know nothing is touching any
of the session fields, because all devices have been removed and scans are
stopped.

Link: https://lore.kernel.org/r/20210525181821.7617-19-michael.christie@oracle.com
Reviewed-by: Lee Duncan
Signed-off-by: Mike Christie
Signed-off-by: Martin K. Petersen
[Shivani: Modified to apply on 5.10.y]
Signed-off-by: Shivani Agarwal
---
 drivers/scsi/libiscsi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index bad5730bf7ab..59da5cc280a4 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2902,10 +2902,9 @@ void iscsi_session_teardown(struct iscsi_cls_session= *cls_session) struct module *owner =3D cls_session->transport->owner; struct Scsi_Host *shost =3D session->host; =20 - iscsi_pool_free(&session->cmdpool); - iscsi_remove_session(cls_session); =20 + iscsi_pool_free(&session->cmdpool); kfree(session->password); kfree(session->password_in); kfree(session->username); --=20 2.43.7
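Review bot: this hunk only swaps the order of iscsi_pool_free() and iscsi_remove_session(), and the commit message itself says it fixes no bug, so the 5.10.y note should state explicitly that it is carried as a prerequisite for 2/2 (whose libiscsi.c diff starts from index 59da5cc280a4, the blob this hunk produces) rather than as a fix in its own right; that is the first thing a stable reviewer will ask. The reorder itself is sound: cmdpool is now released only after iscsi_remove_session() has taken down the devices and stopped the scans that could still hand out tasks from it, which is exactly the ordering 2/2 keeps when it splits this function into iscsi_session_remove() and iscsi_session_free().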
From: Shivani Agarwal
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Ding Hui, Shivani Agarwal
Subject: [PATCH 2/2 v5.10] scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
Date: Wed, 7 Jan 2026 22:22:22 -0800
Message-Id: <20260108062222.670715-3-shivani.agarwal@broadcom.com>
In-Reply-To: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
References: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mike Christie

[ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ]

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:

[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3
[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  276.944470] Call Trace:
[  276.944943]
[  276.945397]  dump_stack_lvl+0x34/0x48
[  276.945887]  print_address_description.constprop.0+0x86/0x1e7
[  276.946421]  print_report+0x36/0x4f
[  276.947358]  kasan_report+0xad/0x130
[  276.948234]  kasan_check_range+0x35/0x1c0
[  276.948674]  _raw_spin_lock_bh+0x78/0xe0
[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[  276.952185]  dev_attr_show+0x3f/0x80
[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0
[  276.953401]  seq_read_iter+0x402/0x1020
[  276.954260]  vfs_read+0x532/0x7b0
[  276.955113]  ksys_read+0xed/0x1c0
[  276.955952]  do_syscall_64+0x38/0x90
[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.956769] RIP: 0033:0x7f5d3a679222
[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[  276.960536]
[  276.961357] Allocated by task 2209:
[  276.961756]  kasan_save_stack+0x1e/0x40
[  276.962170]  kasan_set_track+0x21/0x30
[  276.962557]  __kasan_kmalloc+0x7e/0x90
[  276.962923]  __kmalloc+0x5b/0x140
[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]
[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.965546]  netlink_unicast+0x4d5/0x7b0
[  276.965905]  netlink_sendmsg+0x78d/0xc30
[  276.966236]  sock_sendmsg+0xe5/0x120
[  276.966576]  ____sys_sendmsg+0x5fe/0x860
[  276.966923]  ___sys_sendmsg+0xe0/0x170
[  276.967300]  __sys_sendmsg+0xc8/0x170
[  276.967666]  do_syscall_64+0x38/0x90
[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.968773] Freed by task 2209:
[  276.969111]  kasan_save_stack+0x1e/0x40
[  276.969449]  kasan_set_track+0x21/0x30
[  276.969789]  kasan_save_free_info+0x2a/0x50
[  276.970146]  __kasan_slab_free+0x106/0x190
[  276.970470]  __kmem_cache_free+0x133/0x270
[  276.970816]  device_release+0x98/0x210
[  276.971145]  kobject_cleanup+0x101/0x360
[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.972808]  netlink_unicast+0x4d5/0x7b0
[  276.973201]  netlink_sendmsg+0x78d/0xc30
[  276.973544]  sock_sendmsg+0xe5/0x120
[  276.973864]  ____sys_sendmsg+0x5fe/0x860
[  276.974248]  ___sys_sendmsg+0xe0/0x170
[  276.974583]  __sys_sendmsg+0xc8/0x170
[  276.974891]  do_syscall_64+0x38/0x90
[  276.975216]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can easily reproduce by two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
   /sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

 iscsid                              |        cat
------------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy     |
  |- iscsi_session_teardown         |
    |- device_release               |
      |- iscsi_session_release      ||- dev_attr_show
        |- kfree                    |  |- show_host_param_
                                    |     ISCSI_HOST_PARAM_IPADDRESS
                                    |    |- iscsi_sw_tcp_host_get_param
                                    |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove              |
    |- iscsi_host_free              |

Fix the above bug by splitting the session removal into 2 parts:
1. removal from iSCSI class which includes sysfs and removal from host
   tracking.
2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from
sysfs then remove the host from sysfs. At this point we know userspace is
not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie
Reviewed-by: Lee Duncan
Acked-by: Ding Hui
Signed-off-by: Martin K. Petersen
[Shivani: The false parameter was not passed to iscsi_host_remove()
because, in Linux 5.10.y, the default behavior of iscsi_host_remove()
already assumes false.]
Signed-off-by: Shivani Agarwal
---
 drivers/scsi/iscsi_tcp.c | 11 +++++++++--
 drivers/scsi/libiscsi.c  | 38 +++++++++++++++++++++++++++++++-------
 include/scsi/libiscsi.h  |  2 ++
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index def9fac7aa4f..2a83bd5d834d 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -933,10 +933,17 @@ static void iscsi_sw_tcp_session_destroy(struct iscsi= _cls_session *cls_session) if (WARN_ON_ONCE(session->leadconn)) return; =20 + iscsi_session_remove(cls_session); + /* + * Our get_host_param needs to access the session, so remove the + * host from sysfs before freeing the session to make sure userspace + * is no longer accessing the callout. + */ + iscsi_host_remove(shost); + iscsi_tcp_r2tpool_free(cls_session->dd_data); - iscsi_session_teardown(cls_session); =20 - iscsi_host_remove(shost); + iscsi_session_free(cls_session); iscsi_host_free(shost); } =20 diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 59da5cc280a4..7e82ddce5031 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c 
@@ -2892,17 +2892,32 @@ iscsi_session_setup(struct iscsi_transport *iscsit,= struct Scsi_Host *shost, } EXPORT_SYMBOL_GPL(iscsi_session_setup); =20 -/** - * iscsi_session_teardown - destroy session, host, and cls_session - * @cls_session: iscsi session +/* + * issi_session_remove - Remove session from iSCSI class. */ -void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +void iscsi_session_remove(struct iscsi_cls_session *cls_session) { struct iscsi_session *session =3D cls_session->dd_data; - struct module *owner =3D cls_session->transport->owner; struct Scsi_Host *shost =3D session->host; =20 iscsi_remove_session(cls_session); + /* + * host removal only has to wait for its children to be removed from + * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing + * the session, so drop the session count here. + */ + iscsi_host_dec_session_cnt(shost); +} +EXPORT_SYMBOL_GPL(iscsi_session_remove); + +/** + * iscsi_session_free - Free iscsi session and it's resources + * @cls_session: iscsi session + */ +void iscsi_session_free(struct iscsi_cls_session *cls_session) +{ + struct iscsi_session *session =3D cls_session->dd_data; + struct module *owner =3D cls_session->transport->owner; =20 iscsi_pool_free(&session->cmdpool); kfree(session->password); @@ -2920,10 +2935,19 @@ void iscsi_session_teardown(struct iscsi_cls_sessio= n *cls_session) kfree(session->discovery_parent_type); =20 iscsi_free_session(cls_session); - - iscsi_host_dec_session_cnt(shost); module_put(owner); } +EXPORT_SYMBOL_GPL(iscsi_session_free); + +/** + * iscsi_session_teardown - destroy session and cls_session + * @cls_session: iscsi session + */ +void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +{ + iscsi_session_remove(cls_session); + iscsi_session_free(cls_session); +} EXPORT_SYMBOL_GPL(iscsi_session_teardown); =20 /** diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h index fa00e2543ad6..dd9b2bc1aea7 100644 --- a/include/scsi/libiscsi.h 
+++ b/include/scsi/libiscsi.h @@ -401,6 +401,8 @@ extern int iscsi_target_alloc(struct scsi_target *starg= et); extern struct iscsi_cls_session * iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost, uint16_t, int, int, uint32_t, unsigned int); +void iscsi_session_remove(struct iscsi_cls_session *cls_session); +void iscsi_session_free(struct iscsi_cls_session *cls_session); extern void iscsi_session_teardown(struct iscsi_cls_session *); extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *); extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn, --=20 2.43.7
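Review bot: in the iscsi_tcp.c hunk (iscsi_sw_tcp_session_destroy), the new comment says "Our get_host_param needs to access the session" without naming what it protects; the KASAN trace in the commit message pins the access to iscsi_sw_tcp_host_get_param() reading tcp_sw_host->session, so name both in the comment so the next person reordering this function sees why iscsi_host_remove() must come before iscsi_session_free(). The same hunk also moves iscsi_tcp_r2tpool_free() from before session teardown to after iscsi_host_remove(); that is fine given the WARN_ON_ONCE(session->leadconn) bail-out above it, but the comment could say that no connection can still be using the r2t pool at that point.

Review bot: in the first libiscsi.c hunk (@@ -2892), the comment above the new iscsi_session_remove() misspells the function as "issi_session_remove", opens with "/*" rather than the kernel-doc "/**" used by iscsi_session_free() directly below it, and has no "@cls_session" line, so the exported symbol gets no kernel-doc entry; suggest "/**", " * iscsi_session_remove - Remove session from iSCSI class." and " * @cls_session: iscsi session". In the same hunk, "Free iscsi session and it's resources" should read "its resources".

Review bot: in the second libiscsi.c hunk (@@ -2920), iscsi_host_dec_session_cnt() is removed from the free path, so with the split API the host's session count reaches zero (and iscsi_host_remove() can return) while the struct iscsi_session is still allocated; iscsi_session_teardown() keeps the two halves adjacent so existing callers are unaffected, but its new kernel-doc should say that host-side accounting is dropped in the remove half and that a caller using iscsi_session_remove() directly must call iscsi_session_free() exactly once afterwards, otherwise module_put(owner) is skipped.

Review bot: in the libiscsi.h hunk (@@ -401), the two new prototypes drop the "extern" keyword and add a parameter name while every neighbouring declaration in this block uses "extern" and unnamed parameters ("extern void iscsi_session_teardown(struct iscsi_cls_session *);"); match the surrounding style, e.g. "extern void iscsi_session_remove(struct iscsi_cls_session *);" and "extern void iscsi_session_free(struct iscsi_cls_session *);".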
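The two orderings the commit message contrasts, as an added example that is not part of the patch or of the kernel: a userspace C model in which a sysfs attribute read and a session teardown are interleaved step by step. kernfs's active-reference drain, which is what makes "remove from sysfs, then free" sufficient, is reduced to a counter on the attribute, and kfree() to poisoning a magic word, so the old ordering's stale access is detected deterministically instead of needing KASAN and the login/logout loop. The names host_attr, attr_show_enter, attr_show_exit, host_remove, run_old_order and run_fixed_order are invented for the model; iscsi_sw_tcp_host_get_param and tcp_sw_host->session are only referenced in comments to map the model back to the driver.

```c
/* Added example, not kernel code and not part of the patch: a userspace model of
 * the rule the fix enforces in iscsi_sw_tcp_session_destroy(): unpublish from
 * sysfs, let in-flight readers drain, then free. kernfs's active-reference
 * drain is modelled by a counter (the kernel sleeps in remove until it is zero;
 * the model returns -EBUSY and the caller retries), kfree() by poisoning. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SESSION_LIVE 0x5e5510aaU
#define SESSION_DEAD 0xdeaddeadU

struct session { unsigned int magic; char ipaddress[32]; };
struct host_attr {            /* the sysfs attribute that show() runs against */
	struct session *session;  /* tcp_sw_host->session in the real driver */
	int removed;              /* set by remove: no new readers may enter */
	int active;               /* readers currently inside show() */
};

static struct session *session_new(const char *ip)
{
	struct session *s = calloc(1, sizeof(*s));
	if (!s)
		abort();
	s->magic = SESSION_LIVE;
	snprintf(s->ipaddress, sizeof(s->ipaddress), "%s", ip);
	return s;
}
/* Stand-in for kfree(): poison instead of release so a stale read is observable. */
static void session_free(struct session *s) { s->magic = SESSION_DEAD; }

/* Reader, first half: kernfs refuses new show() callers once the node is removed. */
int attr_show_enter(struct host_attr *a)
{
	if (a->removed)
		return -ENODEV;
	a->active++;
	return 0;
}

/* Reader, second half: the show() body. -EFAULT stands for the KASAN UAF. */
int attr_show_exit(struct host_attr *a, char *out, size_t n)
{
	struct session *s = a->session;
	int rc = 0;
	if (!s || s->magic != SESSION_LIVE)
		rc = -EFAULT;
	else
		snprintf(out, n, "%s", s->ipaddress);
	a->active--;
	return rc;
}

/* Destroyer: unpublish. In-flight readers must finish before removal completes. */
int host_remove(struct host_attr *a)
{
	a->removed = 1;
	return a->active ? -EBUSY : 0;
}

/* Pre-fix ordering: free while the attribute is still live, remove afterwards.
 * Returns the reader's result; -EFAULT is the use-after-free. */
int run_old_order(void)
{
	struct session *s = session_new("10.0.0.7");
	struct host_attr a = { .session = s };
	char buf[32];
	int reader_rc;
	attr_show_enter(&a);       /* cat is inside show_host_param_ISCSI_HOST_PARAM_IPADDRESS */
	session_free(s);           /* teardown frees the session underneath it */
	reader_rc = attr_show_exit(&a, buf, sizeof(buf));
	host_remove(&a);           /* too late */
	free(s);
	return reader_rc;
}

/* Fixed ordering: remove, drain the in-flight reader, refuse late readers, then
 * free. Returns 0 when every step behaves as the rule requires. */
int run_fixed_order(void)
{
	struct session *s = session_new("10.0.0.7");
	struct host_attr a = { .session = s };
	char buf[32];
	int rc = 0;
	attr_show_enter(&a);                                   /* reader already inside show() */
	if (host_remove(&a) != -EBUSY)                         /* must wait for it */
		rc = -1;
	else if (attr_show_exit(&a, buf, sizeof(buf)) != 0 ||
		 strcmp(buf, "10.0.0.7") != 0)                 /* reader finishes on live memory */
		rc = -2;
	else if (host_remove(&a) != 0)                         /* drained: removal completes */
		rc = -3;
	else if (attr_show_enter(&a) != -ENODEV)               /* late reader is refused */
		rc = -4;
	if (rc == 0)
		session_free(s);                               /* only now is freeing safe */
	free(s);
	return rc;
}

int main(void)
{
	return printf("old=%d fixed=%d\n", run_old_order(), run_fixed_order()) < 0;
}
```

host_remove() returns -EBUSY where the kernel would sleep in kernfs until the last show() caller has left; driving the two halves of the reader by hand is what makes the interleaving reproducible without threads. Built with cc -Wall, the old order reports the reader's -EFAULT and the fixed order 0.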