| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2059dc74-a00b-fd53-f5ce-3dd41bfbf4f1@oracle.com>
Date: Wed, 10 May 2023 13:14:57 -0700
From: michael.christie@...cle.com
To: Chris Leech <cleech@...hat.com>, Lee Duncan <lduncan@...e.com>,
linux-scsi@...r.kernel.org, open-iscsi@...glegroups.com,
netdev@...r.kernel.org
Subject: Re: [PATCH 11/11] iscsi: force destroy sesions when a network
namespace exits
On 5/10/23 1:09 PM, michael.christie@...cle.com wrote:
> On 5/6/23 4:29 PM, Chris Leech wrote:
>> The namespace is gone, so there is no userspace to clean up.
>> Force close all the sessions.
>>
>> This should be enough for software transports, there's no implementation
>> of migrating physical iSCSI hosts between network namespaces currently.
>>
>> Reviewed-by: Hannes Reinecke <hare@...e.de>
>> Signed-off-by: Chris Leech <cleech@...hat.com>
>> ---
>> drivers/scsi/scsi_transport_iscsi.c | 16 ++++++++++++++++
>> 1 file changed, 16 insertions(+)
>>
>> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
>> index 15d28186996d..10e9414844d8 100644
>> --- a/drivers/scsi/scsi_transport_iscsi.c
>> +++ b/drivers/scsi/scsi_transport_iscsi.c
>> @@ -5235,9 +5235,25 @@ static int __net_init iscsi_net_init(struct net *net)
>>
>> static void __net_exit iscsi_net_exit(struct net *net)
>> {
>> + struct iscsi_cls_session *session, *tmp;
>> struct iscsi_net *isn;
>> + unsigned long flags;
>> + LIST_HEAD(sessions);
>>
>> isn = net_generic(net, iscsi_net_id);
>> +
>> + spin_lock_irqsave(&isn->sesslock, flags);
>> + list_replace_init(&isn->sesslist, &sessions);
>> + spin_unlock_irqrestore(&isn->sesslock, flags);
>> +
>> + /* force session destruction, there is no userspace anymore */
>> + list_for_each_entry_safe(session, tmp, &sessions, sess_list) {
>> + device_for_each_child(&session->dev, NULL,
>> + iscsi_iter_force_destroy_conn_fn);
>> + flush_work(&session->destroy_work);
>
> I think if this flush_work actually flushed, then we would be doing a use
> after free because the running work would free the session from under us.
>
> We should never have a running destroy_work and be ale to see it on the sesslist
> right? Maybe a WARN_ON or something else so it doesn't look like a possible
> bug.
Maybe not a WARN_ON. What happens if there is running destroy_works for this
namespace and we return from this function?
>
>
>> + __iscsi_destroy_session(&session->destroy_work);
>> + }
>> +
>> netlink_kernel_release(isn->nls);
>> isn->nls = NULL;
>> }
>
Powered by blists - more mailing lists