IB/isert: Fix incorrect release of isert connection

Saravanan Vajravel · rleon · commit 699826f4e30a · 2023-06-11T20:29:34.000+03:00
The ib_isert module is releasing the isert connection both in isert_wait_conn() handler as well as isert_free_conn() handler. In isert_wait_conn() handler, it is expected to wait for iSCSI session logout operation to complete. It should free the isert connection only in isert_free_conn() handler. When a bunch of iSER target is cleared, this issue can lead to use-after-free memory issue as isert conn is twice released Fixes: b02efbf ("iser-target: Fix implicit termination of connections") Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com> Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com> Link: https://lore.kernel.org/r/20230606102531.162967-4-saravanan.vajravel@broadcom.com Signed-off-by: Leon Romanovsky <leon@kernel.org>
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2570,8 +2570,6 @@ static void isert_wait_conn(struct iscsit_conn *conn)
 	isert_put_unsol_pending_cmds(conn);
 	isert_wait4cmds(conn);
 	isert_wait4logout(isert_conn);
-
-	queue_work(isert_release_wq, &isert_conn->release_work);
 }
 
 static void isert_free_conn(struct iscsit_conn *conn)

Original file line number	Diff line number	Diff line change
`@@ -2570,8 +2570,6 @@ static void isert_wait_conn(struct iscsit_conn *conn)`
`2570`	`2570`	`isert_put_unsol_pending_cmds(conn);`
`2571`	`2571`	`isert_wait4cmds(conn);`
`2572`	`2572`	`isert_wait4logout(isert_conn);`
`2573`		`-`
`2574`		`- queue_work(isert_release_wq, &isert_conn->release_work);`
`2575`	`2573`	`}`
`2576`	`2574`
`2577`	`2575`	`static void isert_free_conn(struct iscsit_conn *conn)`