Make sure a malicious user-space program cannot crash the kernel module by prematurely closing the filedesc. Signed-off-by: Peter Zijlstra Acked-by: Mike Christie --- drivers/scsi/iscsi_tcp.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) Index: linux-2.6-git/drivers/scsi/iscsi_tcp.c =================================================================== --- linux-2.6-git.orig/drivers/scsi/iscsi_tcp.c 2007-01-16 14:15:50.000000000 +0100 +++ linux-2.6-git/drivers/scsi/iscsi_tcp.c 2007-01-16 14:24:05.000000000 +0100 @@ -1830,11 +1830,25 @@ tcp_conn_alloc_fail: } static void +iscsi_tcp_release_conn(struct iscsi_conn *conn) +{ + struct iscsi_tcp_conn *tcp_conn = conn->dd_data; + + if (!tcp_conn->sock) + return; + + sockfd_put(tcp_conn->sock); + tcp_conn->sock = NULL; + conn->recv_lock = NULL; +} + +static void iscsi_tcp_conn_destroy(struct iscsi_cls_conn *cls_conn) { struct iscsi_conn *conn = cls_conn->dd_data; struct iscsi_tcp_conn *tcp_conn = conn->dd_data; + iscsi_tcp_release_conn(conn); iscsi_conn_teardown(cls_conn); if (tcp_conn->tx_hash.tfm) crypto_free_hash(tcp_conn->tx_hash.tfm); @@ -1851,6 +1865,7 @@ iscsi_tcp_conn_stop(struct iscsi_cls_con struct iscsi_tcp_conn *tcp_conn = conn->dd_data; iscsi_conn_stop(cls_conn, flag); + iscsi_tcp_release_conn(conn); tcp_conn->hdr_size = sizeof(struct iscsi_hdr); } @@ -1873,8 +1888,10 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses } err = iscsi_conn_bind(cls_session, cls_conn, is_leading, transport_eph); - if (err) - goto done; + if (err) { + sockfd_put(sock); + return err; + } /* bind iSCSI connection and socket */ tcp_conn->sock = sock; @@ -1898,8 +1915,6 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses */ tcp_conn->in_progress = IN_PROGRESS_WAIT_HEADER; -done: - sockfd_put(sock); return err; } -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/