    scsi: fix use-after-free problem in scsi_remove_target · 9e53bbc6
    Committed by Zhong Jinghua
    hulk inclusion
    category: bugfix
    bugzilla: 188355, https://gitee.com/openeuler/kernel/issues/I6E4JF
    
    ----------------------------------------
    
    A use-after-free problem like below:
    
    BUG: KASAN: use-after-free in scsi_target_reap+0x6c/0x70
    
    Workqueue: scsi_wq_1 __iscsi_unbind_session [scsi_transport_iscsi]
    Call trace:
     dump_backtrace+0x0/0x320
     show_stack+0x24/0x30
     dump_stack+0xdc/0x128
     print_address_description+0x68/0x278
     kasan_report+0x1e4/0x308
     __asan_report_load4_noabort+0x30/0x40
     scsi_target_reap+0x6c/0x70
     scsi_remove_target+0x430/0x640
     __iscsi_unbind_session+0x164/0x268 [scsi_transport_iscsi]
     process_one_work+0x67c/0x1350
     worker_thread+0x370/0xf90
     kthread+0x2a4/0x320
     ret_from_fork+0x10/0x18
    
    The problem is caused by a concurrency scenario:
    
    T0: delete target
    // echo 1 > /sys/devices/platform/host1/session1/target1:0:0/1:0:0:1/delete
    T1: logout
    // iscsiadm -m node --logout
    
    T0                                  T1
     sdev_store_delete
      scsi_remove_device
       device_remove_file
        __scsi_remove_device
                                         __iscsi_unbind_session
                                          scsi_remove_target
                                           spin_lock_irqsave
                                           list_for_each_entry
         scsi_target_reap
         // starget->reap_ref 1 -> 0
                                           kref_get(&starget->reap_ref);
                                           // warn use-after-free.
                                           spin_unlock_irqrestore
          scsi_target_reap_ref_release
           scsi_target_destroy
           ... // delete starget
                                           scsi_target_reap
                                           // UAF
    
    When T0 reduces the reference count to 0, but has not been released,
    T1 can still enter list_for_each_entry, and then kref_get reports UAF.
    
    Fix it by using kref_get_unless_zero() to check for a reference count of 0.
    
    Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
    Reviewed-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
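The interleaving described in the commit message, replayed in a userspace model as an added example (this is not kernel code and not part of the commit). It assumes a minimal `struct kref_model` whose `kref_model_get()` and `kref_model_get_unless_zero()` mirror the semantics of the kernel's `kref_get()` (unconditional increment) and `kref_get_unless_zero()` (compare-and-swap that refuses to increment a zero count); `struct target_model`, `replay_race()` and the `freed` flag are stand-ins invented for the illustration. The model shows why the unconditional get lets T1 keep a reference to a target that T0 is about to free, and why the `_unless_zero` variant makes T1 skip it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's struct kref. Assumption: the two "get"
 * helpers reproduce the semantics of kref_get() (unconditional increment,
 * which refcount_t warns about when the count is already 0) and
 * kref_get_unless_zero() (increment only while the count is non-zero). */
struct kref_model {
    atomic_int refcount;
};

static void kref_model_init(struct kref_model *k)
{
    atomic_store(&k->refcount, 1);
}

/* kref_get(): always increments. Returns false when it resurrected a zero
 * count, i.e. the "warn use-after-free" step in the commit's trace. */
static bool kref_model_get(struct kref_model *k)
{
    return atomic_fetch_add(&k->refcount, 1) != 0;
}

/* kref_get_unless_zero(): CAS loop that refuses to take a reference on an
 * object whose last reference is already gone. */
static bool kref_model_get_unless_zero(struct kref_model *k)
{
    int old = atomic_load(&k->refcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&k->refcount, &old, old + 1))
            return true;
        /* a failed CAS refreshed 'old'; loop and retry */
    }
    return false;
}

/* kref_put(): returns true when the caller must run the release callback. */
static bool kref_model_put(struct kref_model *k)
{
    return atomic_fetch_sub(&k->refcount, 1) == 1;
}

/* Stand-in for struct scsi_target: only the fields the race touches. */
struct target_model {
    struct kref_model reap_ref;
    bool freed;   /* set once scsi_target_destroy() would have freed it */
};

/* Replays the T0/T1 interleaving from the commit message.
 * Returns the number of accesses to the already-freed target (0 is good). */
static int replay_race(bool use_get_unless_zero)
{
    struct target_model tg;
    int uaf_accesses = 0;

    kref_model_init(&tg.reap_ref);
    tg.freed = false;

    /* T0: scsi_target_reap() drops reap_ref 1 -> 0. The release callback
     * has not run yet, so the target is still on the host's list. */
    bool t0_must_release = kref_model_put(&tg.reap_ref);

    /* T1: scsi_remove_target() walks the list under the host lock and
     * tries to take its own reap reference on the same target. */
    bool t1_proceeds;
    if (use_get_unless_zero) {
        t1_proceeds = kref_model_get_unless_zero(&tg.reap_ref); /* false: skipped */
    } else {
        kref_model_get(&tg.reap_ref);   /* 0 -> 1; refcount_t would WARN here */
        t1_proceeds = true;
    }

    /* T0: scsi_target_reap_ref_release() -> scsi_target_destroy() frees it. */
    if (t0_must_release)
        tg.freed = true;

    /* T1: after unlocking, scsi_target_reap() on the target it collected. */
    if (t1_proceeds) {
        if (tg.freed)
            uaf_accesses++;   /* touching reap_ref now is the KASAN report */
        else if (kref_model_put(&tg.reap_ref))
            tg.freed = true;
    }
    return uaf_accesses;
}

int main(void)
{
    printf("kref_get():             %d use-after-free access(es)\n", replay_race(false));
    printf("kref_get_unless_zero(): %d use-after-free access(es)\n", replay_race(true));
    return 0;
}
```

The model only sequences the two threads in the order the commit message shows; it does not try to win a real race. The point it makes is the one the fix relies on: once the last `reap_ref` has been dropped, the only safe answer to "may I take another reference?" is "no", and `kref_get_unless_zero()` is the primitive that gives that answer atomically.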
Files changed: scsi_sysfs.c (43.2 KB)