Page MenuHomeFreeBSD

iscsi: Always free a cdw before its associated ctl_io.
ClosedPublic

Authored by jhb on May 14 2021, 10:55 PM.
Tags
None
Referenced Files
F106270238: D30270.id89250.diff
Sat, Dec 28, 7:13 AM
F106232969: D30270.diff
Fri, Dec 27, 3:23 PM
Unknown Object (File)
Mon, Dec 9, 11:50 PM
Unknown Object (File)
Oct 6 2024, 12:41 PM
Unknown Object (File)
Sep 29 2024, 3:34 AM
Unknown Object (File)
Sep 21 2024, 10:59 PM
Unknown Object (File)
Sep 18 2024, 11:58 PM
Unknown Object (File)
Sep 18 2024, 3:20 AM
Subscribers

Details

Summary

cxgbei stores state about a target transfer in the ctl_private[] array
of a ctl_io that is freed when a target transfer (represented by the
cdw) is freed. As such, freeing a ctl_io before a cdw that references
it can result in a use after free in cxgbei. Two of the four places
freed the cdw first, and the other two freed the ctl_io first. Fix
the latter two places to free the cdw first.

Reported by: Jithesh Arakkan @ Chelsio

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 39201
Build 36090: arc lint + arc unit

Event Timeline

jhb requested review of this revision.May 14 2021, 10:55 PM

The panics showed up after Chelsio QA started testing the fix in e894e3adb206815c2acff17a4011becb166c2f66. Specifically, in some cases due to the bug this change fixes, the write to clear the pointer to NULL in ctl_io in the cxgbei driver in that commit would write to ctl_io after it had been freed by ctl_datamove_done().

sys/cam/ctl/ctl_frontend_iscsi.c
2959

I would appreciate some thoughts on my questions here.

Looks good to me. Just remove the XXX comment.

sys/cam/ctl/ctl_frontend_iscsi.c
2959

No, cdw_io != io here. io is the abort request, while cdw_io is the original SCSI command being aborted. You've properly fixed CTL_FLAG_DMA_INPROG clear on wrong io.

sys/cam/ctl/ctl_frontend_iscsi.c
2967

above we set it to 42, here 43? I'm not super familiar with the code, but is that a problem?

sys/cam/ctl/ctl_frontend_iscsi.c
2967

These codes were never formalized. I've done some cleanup, but haven't completed. So anything non-zero is OK, unique values are used just to ease debugging. And since the command was aborted, this code goes nowhere really, but still it is better to indicate that the transfer was not successful.

jhb marked an inline comment as done.May 19 2021, 9:04 PM
jhb added inline comments.
sys/cam/ctl/ctl_frontend_iscsi.c
2959

Thanks, I've axed the comment.

jhb marked an inline comment as done.
  • Remove comment with questions.
This revision is now accepted and ready to land.May 19 2021, 10:56 PM