From: Shivani Agarwal
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: lduncan@suse.com, cleech@redhat.com, michael.christie@oracle.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Ding Hui, Shivani Agarwal
Subject: [PATCH 2/2 v5.10] scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
Date: Wed, 7 Jan 2026 22:22:22 -0800
Message-Id: <20260108062222.670715-3-shivani.agarwal@broadcom.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
References: <20260108062222.670715-1-shivani.agarwal@broadcom.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mike Christie

[ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ]

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:

[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3
[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 276.944470] Call Trace:
[ 276.944943]
[ 276.945397] dump_stack_lvl+0x34/0x48
[ 276.945887] print_address_description.constprop.0+0x86/0x1e7
[ 276.946421] print_report+0x36/0x4f
[ 276.947358] kasan_report+0xad/0x130
[ 276.948234] kasan_check_range+0x35/0x1c0
[ 276.948674] _raw_spin_lock_bh+0x78/0xe0
[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[ 276.952185] dev_attr_show+0x3f/0x80
[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0
[ 276.953401] seq_read_iter+0x402/0x1020
[ 276.954260] vfs_read+0x532/0x7b0
[ 276.955113] ksys_read+0xed/0x1c0
[ 276.955952] do_syscall_64+0x38/0x90
[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.956769] RIP: 0033:0x7f5d3a679222
[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[ 276.960536]

[ 276.961357] Allocated by task 2209:
[ 276.961756] kasan_save_stack+0x1e/0x40
[ 276.962170] kasan_set_track+0x21/0x30
[ 276.962557] __kasan_kmalloc+0x7e/0x90
[ 276.962923] __kmalloc+0x5b/0x140
[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]
[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.965546] netlink_unicast+0x4d5/0x7b0
[ 276.965905] netlink_sendmsg+0x78d/0xc30
[ 276.966236] sock_sendmsg+0xe5/0x120
[ 276.966576] ____sys_sendmsg+0x5fe/0x860
[ 276.966923] ___sys_sendmsg+0xe0/0x170
[ 276.967300] __sys_sendmsg+0xc8/0x170
[ 276.967666] do_syscall_64+0x38/0x90
[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd

[ 276.968773] Freed by task 2209:
[ 276.969111] kasan_save_stack+0x1e/0x40
[ 276.969449] kasan_set_track+0x21/0x30
[ 276.969789] kasan_save_free_info+0x2a/0x50
[ 276.970146] __kasan_slab_free+0x106/0x190
[ 276.970470] __kmem_cache_free+0x133/0x270
[ 276.970816] device_release+0x98/0x210
[ 276.971145] kobject_cleanup+0x101/0x360
[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.972808] netlink_unicast+0x4d5/0x7b0
[ 276.973201] netlink_sendmsg+0x78d/0xc30
[ 276.973544] sock_sendmsg+0xe5/0x120
[ 276.973864] ____sys_sendmsg+0x5fe/0x860
[ 276.974248] ___sys_sendmsg+0xe0/0x170
[ 276.974583] __sys_sendmsg+0xc8/0x170
[ 276.974891] do_syscall_64+0x38/0x90
[ 276.975216] entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can easily reproduce by two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
     /sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

    iscsid                          |        cat
--------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy |
  |- iscsi_session_teardown     |
    |- device_release           |
      |- iscsi_session_release  ||- dev_attr_show
        |- kfree                |  |- show_host_param_
                                |     ISCSI_HOST_PARAM_IPADDRESS
                                |    |- iscsi_sw_tcp_host_get_param
                                |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove          |
    |- iscsi_host_free          |

Fix the above bug by splitting the session removal into 2 parts:
1. removal from iSCSI class which includes sysfs and removal from host
   tracking.
2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from
sysfs then remove the host from sysfs. At this point we know userspace is
not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie
Reviewed-by: Lee Duncan
Acked-by: Ding Hui
Signed-off-by: Martin K. Petersen
[Shivani: The false parameter was not passed to iscsi_host_remove() because, in Linux 5.10.y, the default behavior of iscsi_host_remove() already assumes false.]
Signed-off-by: Shivani Agarwal
---
 drivers/scsi/iscsi_tcp.c | 11 +++++++++--
 drivers/scsi/libiscsi.c  | 38 +++++++++++++++++++++++++++++++-------
 include/scsi/libiscsi.h  |  2 ++
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index def9fac7aa4f..2a83bd5d834d 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -933,10 +933,17 @@ static void iscsi_sw_tcp_session_destroy(struct iscsi= _cls_session *cls_session) if (WARN_ON_ONCE(session->leadconn)) return; =20 + iscsi_session_remove(cls_session); + /* + * Our get_host_param needs to access the session, so remove the + * host from sysfs before freeing the session to make sure userspace + * is no longer accessing the callout. + */ + iscsi_host_remove(shost); + iscsi_tcp_r2tpool_free(cls_session->dd_data); - iscsi_session_teardown(cls_session); =20 - iscsi_host_remove(shost); + iscsi_session_free(cls_session); iscsi_host_free(shost); } =20 diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 59da5cc280a4..7e82ddce5031 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c 
@@ -2892,17 +2892,32 @@ iscsi_session_setup(struct iscsi_transport *iscsit,= struct Scsi_Host *shost, } EXPORT_SYMBOL_GPL(iscsi_session_setup); =20 -/** - * iscsi_session_teardown - destroy session, host, and cls_session - * @cls_session: iscsi session +/* + * issi_session_remove - Remove session from iSCSI class. */ -void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +void iscsi_session_remove(struct iscsi_cls_session *cls_session) { struct iscsi_session *session =3D cls_session->dd_data; - struct module *owner =3D cls_session->transport->owner; struct Scsi_Host *shost =3D session->host; =20 iscsi_remove_session(cls_session); + /* + * host removal only has to wait for its children to be removed from + * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing + * the session, so drop the session count here. + */ + iscsi_host_dec_session_cnt(shost); +} +EXPORT_SYMBOL_GPL(iscsi_session_remove); + +/** + * iscsi_session_free - Free iscsi session and it's resources + * @cls_session: iscsi session + */ +void iscsi_session_free(struct iscsi_cls_session *cls_session) +{ + struct iscsi_session *session =3D cls_session->dd_data; + struct module *owner =3D cls_session->transport->owner; =20 iscsi_pool_free(&session->cmdpool); kfree(session->password); @@ -2920,10 +2935,19 @@ void iscsi_session_teardown(struct iscsi_cls_sessio= n *cls_session) kfree(session->discovery_parent_type); =20 iscsi_free_session(cls_session); - - iscsi_host_dec_session_cnt(shost); module_put(owner); } +EXPORT_SYMBOL_GPL(iscsi_session_free); + +/** + * iscsi_session_teardown - destroy session and cls_session + * @cls_session: iscsi session + */ +void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +{ + iscsi_session_remove(cls_session); + iscsi_session_free(cls_session); +} EXPORT_SYMBOL_GPL(iscsi_session_teardown); =20 /** diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h index fa00e2543ad6..dd9b2bc1aea7 100644 --- a/include/scsi/libiscsi.h 
+++ b/include/scsi/libiscsi.h @@ -401,6 +401,8 @@ extern int iscsi_target_alloc(struct scsi_target *starg= et); extern struct iscsi_cls_session * iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost, uint16_t, int, int, uint32_t, unsigned int); +void iscsi_session_remove(struct iscsi_cls_session *cls_session); +void iscsi_session_free(struct iscsi_cls_session *cls_session); extern void iscsi_session_teardown(struct iscsi_cls_session *); extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *); extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn, --=20 2.43.7
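Review bot: in the iscsi_sw_tcp_session_destroy() hunk the new call order is load-bearing in both directions, but the added comment only documents one of them. iscsi_host_remove() must run before iscsi_session_free() because iscsi_sw_tcp_host_get_param() dereferences the session (the documented part), and iscsi_session_remove() must run before iscsi_host_remove() because, per the libiscsi.c hunk, the remove step is now what drops the host's session count that host removal waits on; reversing those two would hang logout. Suggest extending the comment so a future reorder does not reintroduce either failure, e.g. `* iscsi_session_remove() drops the host session count, so it must run` / `* before iscsi_host_remove(), which waits for that count to reach zero.` It is also worth a sentence confirming that iscsi_tcp_r2tpool_free() only touches the pool in cls_session->dd_data, since it now runs after host removal rather than before the old teardown.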
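Review bot: in the first libiscsi.c hunk the comment introducing iscsi_session_remove() misspells the function name (`issi_session_remove`) and opens with `/*` rather than the kernel-doc `/**` used by the neighbouring iscsi_session_free() and iscsi_session_teardown() blocks, so it also lost the `@cls_session: iscsi session` line; suggest `/**`, ` * iscsi_session_remove - Remove session from iSCSI class.` and ` * @cls_session: iscsi session`. In the iscsi_session_free() kernel-doc, `it's resources` should be `its resources`. Since the two halves are now exported separately, their kernel-doc is the right place to state the contract: every iscsi_session_remove() must be followed by exactly one iscsi_session_free(), and only the remove half drops the host session count, which is what allows a transport to put iscsi_host_remove() between them.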
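Review bot: the second libiscsi.c hunk moves iscsi_host_dec_session_cnt() from after iscsi_free_session() to immediately after iscsi_remove_session(), which is a behaviour change for every transport that still calls iscsi_session_teardown(), not only iscsi_tcp: a concurrent iscsi_host_remove() can now return while the session's pools, strings and module reference are still being released. The hunk comment says host removal only needs its children gone from sysfs, which is the justification, but the commit message should say explicitly that iscsi_session_free() no longer touches session->host (the `shost` local was dropped from it in this hunk) so that the earlier count drop is safe for those callers too.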
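Review bot: in the libiscsi.h hunk the two new prototypes are written as bare `void iscsi_session_remove(struct iscsi_cls_session *cls_session);` and `void iscsi_session_free(struct iscsi_cls_session *cls_session);`, while every surrounding declaration in this block uses the `extern void ...(struct iscsi_cls_session *);` form. Functionally identical, but for consistency with the adjacent iscsi_session_teardown() line (and the rest of the header) they should use `extern` and drop the parameter name.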