From fce50a2fa4e9c6e103915c351b6d4a98661341d6 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Thu, 29 Jun 2017 22:21:31 -0700
Subject: iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit fce50a2fa4e9c6e103915c351b6d4a98661341d6 upstream.

This patch fixes a NULL pointer dereference in isert_login_recv_done()
of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
resetting isert_conn->cm_id = NULL during a failed login attempt.

As per Sagi, we will always see the completion of all recv wrs posted
on the qp (given that we assigned a ->done handler), this is a FLUSH
error completion, we just don't get to verify that because we deref

The issue here, was the assumption that dereferencing the connection
cm_id is always safe, which is not true since:

    commit 4a579da2586bd3b79b025947ea24ede2bbfede62
    Author: Sagi Grimberg <sagig@mellanox.com>
    Date: Sun Mar 29 15:52:04 2015 +0300

        iser-target: Fix possible deadlock in RDMA_CM connection error

As I see it, we have a direct reference to the isert_device from
isert_conn which is the one-liner fix that we actually need like
we do in isert_rdma_read_done() and isert_rdma_write_done().

Reported-by: Andrea Righi <righi.andrea@gmail.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
39 drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
40 1 file changed, 1 insertion(+), 1 deletion(-)
42 --- a/drivers/infiniband/ulp/isert/ib_isert.c
43 +++ b/drivers/infiniband/ulp/isert/ib_isert.c
44 @@ -1581,7 +1581,7 @@ isert_rcv_completion(struct iser_rx_desc
45 struct isert_conn *isert_conn,
48 - struct ib_device *ib_dev = isert_conn->cm_id->device;
49 + struct ib_device *ib_dev = isert_conn->device->ib_device;
50 struct iscsi_hdr *hdr;
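
Review bot: The replacement initializer for ib_dev, `isert_conn->device->ib_device`, still chains two dereferences with no check, so the fix depends on isert_conn->device being assigned before the first recv is posted and staying valid until every flush completion has run. Nothing in the hunk shows that, and the commit message supports it only by analogy with isert_rdma_read_done() and isert_rdma_write_done(). A short comment at this declaration stating that cm_id can be reset to NULL by isert_connect_error() and must not be used from completion handlers would keep the old pattern from being reintroduced. Separately, the subject names isert_login_recv_done() while the hunk header places the change at isert_rcv_completion(); a backport note in the commit message saying which function is patched in this tree would remove the ambiguity.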