• Sagi Grimberg's avatar
    iser-target: Fix possible use-after-free · 524630d5
    Sagi Grimberg authored
    iser connection termination process happens in 2 stages:
    - isert_wait_conn:
      - resumes rdma disconnect
      - wait for session commands
      - wait for flush completions (post a marked wr to signal we are done)
      - wait for logout completion
      - queue work for connection cleanup (depends on disconnected/timewait
        events)
    - isert_free_conn
      - last reference put on the connection
    
    In case we are terminating during IOs, we might be posting send/recv
    requests after we posted the last work request which might lead
    to a use-after-free condition in isert_handle_wc.
    After we posted the last wr in isert_wait_conn we are guaranteed that
    no successful completions will follow (meaning no new work request posts
    may happen) but other flush errors might still come. So before we
    put the last reference on the connection, we repeat the process of
    posting a marked work request (isert_wait4flush) in order to make sure all
    pending completions were flushed.
    Signed-off-by: default avatarSagi Grimberg <sagig@mellanox.com>
    Signed-off-by: default avatarJenny Falkovich <jennyf@mellanox.com>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
    524630d5
ib_isert.c 90.8 KB