git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.4.81/iser-target-avoid-isert_conn-cm_id-dereference-in-isert_login_recv_done.patch
1 From fce50a2fa4e9c6e103915c351b6d4a98661341d6 Mon Sep 17 00:00:00 2001
2 From: Nicholas Bellinger <nab@linux-iscsi.org>
3 Date: Thu, 29 Jun 2017 22:21:31 -0700
4 Subject: iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done
5
6 From: Nicholas Bellinger <nab@linux-iscsi.org>
7
8 commit fce50a2fa4e9c6e103915c351b6d4a98661341d6 upstream.
9
10 This patch fixes a NULL pointer dereference in isert_login_recv_done()
11 of isert_conn->cm_id due to isert_cma_handler() -> isert_connect_error()
12 resetting isert_conn->cm_id = NULL during a failed login attempt.
13
14 As per Sagi, we will always see the completion of all recv wrs posted
15 on the qp (given that we assigned a ->done handler), this is a FLUSH
16 error completion, we just don't get to verify that because we deref
17 NULL before.
18
19 The issue here was the assumption that dereferencing the connection
20 cm_id is always safe, which is not true since:
21
22 commit 4a579da2586bd3b79b025947ea24ede2bbfede62
23 Author: Sagi Grimberg <sagig@mellanox.com>
24 Date: Sun Mar 29 15:52:04 2015 +0300
25
26 iser-target: Fix possible deadlock in RDMA_CM connection error
27
28 As I see it, we have a direct reference to the isert_device from
29 isert_conn which is the one-liner fix that we actually need like
30 we do in isert_rdma_read_done() and isert_rdma_write_done().
31
32 Reported-by: Andrea Righi <righi.andrea@gmail.com>
33 Tested-by: Andrea Righi <righi.andrea@gmail.com>
34 Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
35 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
36 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37
38 ---
39 drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
40 1 file changed, 1 insertion(+), 1 deletion(-)
41
42 --- a/drivers/infiniband/ulp/isert/ib_isert.c
43 +++ b/drivers/infiniband/ulp/isert/ib_isert.c
44 @@ -1581,7 +1581,7 @@ isert_rcv_completion(struct iser_rx_desc
45 struct isert_conn *isert_conn,
46 u32 xfer_len)
47 {
48 - struct ib_device *ib_dev = isert_conn->cm_id->device;
49 + struct ib_device *ib_dev = isert_conn->device->ib_device;
50 struct iscsi_hdr *hdr;
51 u64 rx_dma;
52 int rx_buflen;
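
Review bot: the changelog and subject name isert_login_recv_done(), but the hunk header at -1581 shows the changed declaration sitting in isert_rcv_completion(), so the commit message for this backport should say that the fix lands in a different function than the one it describes. The replacement `isert_conn->device->ib_device` also dereferences isert_conn->device without any check; the message says this reference is direct, but it does not state that isert_conn->device stays valid while the flush completions for the posted recv wrs are delivered, which is the same window in which cm_id has already been reset to NULL. A sentence in the changelog or a short comment above the declaration spelling out that lifetime guarantee would make the assumption reviewable.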