Commit 5a8dd161 authored by Nicholas Bellinger's avatar Nicholas Bellinger Committed by Sasha Levin

iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done

[ Upstream commit fce50a2f ]

This patch fixes a NULL pointer dereference in isert_login_recv_done()
of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
resetting isert_conn->cm_id = NULL during a failed login attempt.

As per Sagi, we will always see the completion of all recv wrs posted
on the qp (given that we assigned a ->done handler), this is a FLUSH
error completion, we just don't get to verify that because we deref
NULL before.

The issue here, was the assumption that dereferencing the connection
cm_id is always safe, which is not true since:

    commit 4a579da2
    Author: Sagi Grimberg <sagig@mellanox.com>
    Date:   Sun Mar 29 15:52:04 2015 +0300

         iser-target: Fix possible deadlock in RDMA_CM connection error

As I see it, we have a direct reference to the isert_device from
isert_conn which is the one-liner fix that we actually need like
we do in isert_rdma_read_done() and isert_rdma_write_done().
Reported-by: default avatarAndrea Righi <righi.andrea@gmail.com>
Tested-by: default avatarAndrea Righi <righi.andrea@gmail.com>
Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
parent 947dd1ad
...@@ -1586,7 +1586,7 @@ isert_rcv_completion(struct iser_rx_desc *desc, ...@@ -1586,7 +1586,7 @@ isert_rcv_completion(struct iser_rx_desc *desc,
struct isert_conn *isert_conn, struct isert_conn *isert_conn,
u32 xfer_len) u32 xfer_len)
{ {
struct ib_device *ib_dev = isert_conn->cm_id->device; struct ib_device *ib_dev = isert_conn->device->ib_device;
struct iscsi_hdr *hdr; struct iscsi_hdr *hdr;
u64 rx_dma; u64 rx_dma;
int rx_buflen, outstanding; int rx_buflen, outstanding;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment