| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210323025851.11782-1-lyl2019@mail.ustc.edu.cn>
Date: Mon, 22 Mar 2021 19:58:51 -0700
From: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
To: martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org, target-devel@...r.kernel.org,
linux-kernel@...r.kernel.org, Lv Yunlong <lyl2019@...l.ustc.edu.cn>
Subject: [PATCH] target: Fix a double put in transport_free_session
In transport_free_session, se_nacl is got from se_sess
with the initial reference. If se_nacl->acl_sess_list is
empty, se_nacl->dynamic_stop is set to true. Then the first
target_put_nacl(se_nacl) will drop the initial reference
and free se_nacl. Later there is a second target_put_nacl()
to put se_nacl. It may cause error in race.
My patch sets se_nacl->dynamic_stop to false to avoid the
double put.
Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
---
drivers/target/target_core_transport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 5ecb9f18a53d..c266defe694f 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -584,8 +584,10 @@ void transport_free_session(struct se_session *se_sess)
}
mutex_unlock(&se_tpg->acl_node_mutex);
- if (se_nacl->dynamic_stop)
+ if (se_nacl->dynamic_stop) {
target_put_nacl(se_nacl);
+ se_nacl->dynamic_stop = false;
+ }
target_put_nacl(se_nacl);
}
--
2.25.1
Powered by blists - more mailing lists