lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2059dc74-a00b-fd53-f5ce-3dd41bfbf4f1@oracle.com>
Date: Wed, 10 May 2023 13:14:57 -0700
From: michael.christie@...cle.com
To: Chris Leech <cleech@...hat.com>, Lee Duncan <lduncan@...e.com>,
        linux-scsi@...r.kernel.org, open-iscsi@...glegroups.com,
        netdev@...r.kernel.org
Subject: Re: [PATCH 11/11] iscsi: force destroy sesions when a network
 namespace exits

On 5/10/23 1:09 PM, michael.christie@...cle.com wrote:
> On 5/6/23 4:29 PM, Chris Leech wrote:
>> The namespace is gone, so there is no userspace to clean up.
>> Force close all the sessions.
>>
>> This should be enough for software transports, there's no implementation
>> of migrating physical iSCSI hosts between network namespaces currently.
>>
>> Reviewed-by: Hannes Reinecke <hare@...e.de>
>> Signed-off-by: Chris Leech <cleech@...hat.com>
>> ---
>>  drivers/scsi/scsi_transport_iscsi.c | 16 ++++++++++++++++
>>  1 file changed, 16 insertions(+)
>>
>> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
>> index 15d28186996d..10e9414844d8 100644
>> --- a/drivers/scsi/scsi_transport_iscsi.c
>> +++ b/drivers/scsi/scsi_transport_iscsi.c
>> @@ -5235,9 +5235,25 @@ static int __net_init iscsi_net_init(struct net *net)
>>  
>>  static void __net_exit iscsi_net_exit(struct net *net)
>>  {
>> +	struct iscsi_cls_session *session, *tmp;
>>  	struct iscsi_net *isn;
>> +	unsigned long flags;
>> +	LIST_HEAD(sessions);
>>  
>>  	isn = net_generic(net, iscsi_net_id);
>> +
>> +	spin_lock_irqsave(&isn->sesslock, flags);
>> +	list_replace_init(&isn->sesslist, &sessions);
>> +	spin_unlock_irqrestore(&isn->sesslock, flags);
>> +
>> +	/* force session destruction, there is no userspace anymore */
>> +	list_for_each_entry_safe(session, tmp, &sessions, sess_list) {
>> +		device_for_each_child(&session->dev, NULL,
>> +				      iscsi_iter_force_destroy_conn_fn);
>> +		flush_work(&session->destroy_work);
> 
> I think if this flush_work actually flushed, then we would be doing a use
> after free because the running work would free the session from under us.
> 
> We should never have a running destroy_work and be ale to see it on the sesslist
> right? Maybe a WARN_ON or something else so it doesn't look like a possible
> bug.

Maybe not a WARN_ON. What happens if there is running destroy_works for this
namespace and we return from this function?

> 
> 
>> +		__iscsi_destroy_session(&session->destroy_work);
>> +	}
>> +
>>  	netlink_kernel_release(isn->nls);
>>  	isn->nls = NULL;
>>  }
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ