mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-11 12:28:41 +08:00
57569c37f0
Fix a NULL pointer crash that occurs when we are freeing the socket at the
same time we access it via sysfs.
The problem is that:
1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
does a get on the "struct sock".
2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
on the "struct socket" and that does __sock_release() which sets the
sock->ops to NULL.
3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct
socket". Originally, we just held the frwd_lock the entire time but in
commit bcf3a2953d ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
calling getpeername()") we switched to refcount based because the network
layer changed and started taking a mutex in that path, so we could no
longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a
mutex for accessing the socket in the interface code paths.
Link: https://lore.kernel.org/r/20220907221700.10302-1-michael.christie@oracle.com
Fixes: bcf3a2953d ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()")
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
65 lines
1.6 KiB
C
65 lines
1.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/*
|
|
* iSCSI Initiator TCP Transport
|
|
* Copyright (C) 2004 Dmitry Yusupov
|
|
* Copyright (C) 2004 Alex Aizman
|
|
* Copyright (C) 2005 - 2006 Mike Christie
|
|
* Copyright (C) 2006 Red Hat, Inc. All rights reserved.
|
|
* maintained by open-iscsi@googlegroups.com
|
|
*
|
|
* See the file COPYING included with this distribution for more details.
|
|
*/
|
|
|
|
#ifndef ISCSI_SW_TCP_H
|
|
#define ISCSI_SW_TCP_H
|
|
|
|
#include <scsi/libiscsi.h>
|
|
#include <scsi/libiscsi_tcp.h>
|
|
|
|
struct socket;
|
|
struct iscsi_tcp_conn;
|
|
|
|
/* Socket connection send helper */
|
|
struct iscsi_sw_tcp_send {
|
|
struct iscsi_hdr *hdr;
|
|
struct iscsi_segment segment;
|
|
struct iscsi_segment data_segment;
|
|
};
|
|
|
|
struct iscsi_sw_tcp_conn {
|
|
struct socket *sock;
|
|
/* Taken when accessing the sock from the netlink/sysfs interface */
|
|
struct mutex sock_lock;
|
|
|
|
struct work_struct recvwork;
|
|
bool queue_recv;
|
|
|
|
struct iscsi_sw_tcp_send out;
|
|
/* old values for socket callbacks */
|
|
void (*old_data_ready)(struct sock *);
|
|
void (*old_state_change)(struct sock *);
|
|
void (*old_write_space)(struct sock *);
|
|
|
|
/* data and header digests */
|
|
struct ahash_request *tx_hash; /* CRC32C (Tx) */
|
|
struct ahash_request *rx_hash; /* CRC32C (Rx) */
|
|
|
|
/* MIB custom statistics */
|
|
uint32_t sendpage_failures_cnt;
|
|
uint32_t discontiguous_hdr_cnt;
|
|
|
|
ssize_t (*sendpage)(struct socket *, struct page *, int, size_t, int);
|
|
};
|
|
|
|
struct iscsi_sw_tcp_host {
|
|
struct iscsi_session *session;
|
|
};
|
|
|
|
struct iscsi_sw_tcp_hdrbuf {
|
|
struct iscsi_hdr hdrbuf;
|
|
char hdrextbuf[ISCSI_MAX_AHS_SIZE +
|
|
ISCSI_DIGEST_SIZE];
|
|
};
|
|
|
|
#endif /* ISCSI_SW_TCP_H */
|