scsi: libiscsi: Teardown iscsi_cls_conn gracefully
mainline inclusion from mainline-v5.18-rc1 commit 8709c323 category: bugfix bugzilla: 187381, https://gitee.com/openeuler/kernel/issues/I5LBBP CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8709c323091be019f76a49cf783052a5636aca85 -------------------------------- Commit 1b8d0300 ("scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()") fixed an UAF in iscsi_conn_get_param() and introduced 2 tmp_xxx varibles. We can gracefully fix this UAF with the help of device_del(). Calling iscsi_remove_conn() at the beginning of iscsi_conn_teardown would make userspace unable to see iscsi_cls_conn. This way we we can free memory safely. Remove iscsi_destroy_conn() since it is no longer used. Link: https://lore.kernel.org/r/20220310015759.3296841-4-haowenchao@huawei.comReviewed-by: NMike Christie <michael.christie@oracle.com> Signed-off-by: NWenchao Hao <haowenchao@huawei.com> Signed-off-by: NWu Bo <wubo40@huawei.com> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Conflict: iscsi_destroy_conn() is not removed. Signed-off-by: NYu Kuai <yukuai3@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
Showing
想要评论请 注册 或 登录