[PATCH 36/40] iscsi: fixup of the ep_connect patch

From: Peter Zijlstra
Date: Fri May 04 2007 - 06:45:14 EST

Next message: Peter Zijlstra: "[PATCH 29/40] nfs: fix various memory recursions possible with swap over NFS."
Previous message: Peter Zijlstra: "[PATCH 22/40] mm: prepare swap entry methods for use in page methods"
In reply to: Peter Zijlstra: "[PATCH 22/40] mm: prepare swap entry methods for use in page methods"
Next in thread: Peter Zijlstra: "[PATCH 29/40] nfs: fix various memory recursions possible with swap over NFS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Make sure a malicious user-space program cannot crash the kernel module
by prematurely closing the filedesc.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@xxxxxxxxx>
Acked-by: Mike Christie <michaelc@xxxxxxxxxxx>
---
drivers/scsi/iscsi_tcp.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

Index: linux-2.6-git/drivers/scsi/iscsi_tcp.c
===================================================================
--- linux-2.6-git.orig/drivers/scsi/iscsi_tcp.c 2007-01-16 14:15:50.000000000 +0100
+++ linux-2.6-git/drivers/scsi/iscsi_tcp.c 2007-01-16 14:24:05.000000000 +0100
@@ -1830,11 +1830,25 @@ tcp_conn_alloc_fail:
}

static void
+iscsi_tcp_release_conn(struct iscsi_conn *conn)
+{
+ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+
+ if (!tcp_conn->sock)
+ return;
+
+ sockfd_put(tcp_conn->sock);
+ tcp_conn->sock = NULL;
+ conn->recv_lock = NULL;
+}
+
+static void
iscsi_tcp_conn_destroy(struct iscsi_cls_conn *cls_conn)
{
struct iscsi_conn *conn = cls_conn->dd_data;
struct iscsi_tcp_conn *tcp_conn = conn->dd_data;

+ iscsi_tcp_release_conn(conn);
iscsi_conn_teardown(cls_conn);
if (tcp_conn->tx_hash.tfm)
crypto_free_hash(tcp_conn->tx_hash.tfm);
@@ -1851,6 +1865,7 @@ iscsi_tcp_conn_stop(struct iscsi_cls_con
struct iscsi_tcp_conn *tcp_conn = conn->dd_data;

iscsi_conn_stop(cls_conn, flag);
+ iscsi_tcp_release_conn(conn);
tcp_conn->hdr_size = sizeof(struct iscsi_hdr);
}

@@ -1873,8 +1888,10 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses
}

err = iscsi_conn_bind(cls_session, cls_conn, is_leading, transport_eph);
- if (err)
- goto done;
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }

/* bind iSCSI connection and socket */
tcp_conn->sock = sock;
@@ -1898,8 +1915,6 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses
*/
tcp_conn->in_progress = IN_PROGRESS_WAIT_HEADER;

-done:
- sockfd_put(sock);
return err;
}

--

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Zijlstra: "[PATCH 29/40] nfs: fix various memory recursions possible with swap over NFS."
Previous message: Peter Zijlstra: "[PATCH 22/40] mm: prepare swap entry methods for use in page methods"
In reply to: Peter Zijlstra: "[PATCH 22/40] mm: prepare swap entry methods for use in page methods"
Next in thread: Peter Zijlstra: "[PATCH 29/40] nfs: fix various memory recursions possible with swap over NFS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]