From patchwork Wed Sep 7 22:17:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Christie X-Patchwork-Id: 606124 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31CAAC54EE9 for ; Wed, 7 Sep 2022 22:17:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229536AbiIGWRX (ORCPT ); Wed, 7 Sep 2022 18:17:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229495AbiIGWRV (ORCPT ); Wed, 7 Sep 2022 18:17:21 -0400 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5EAE99274 for ; Wed, 7 Sep 2022 15:17:20 -0700 (PDT) Received: from pps.filterd (m0246627.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 287LJUc1017876; Wed, 7 Sep 2022 22:17:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=ChuNcVTb5/ihcK8RWL9JqnNd3cm3ZW1N57OddTsjNQ0=; b=Y9j/XF0RbhqbOqY2xrvOErShNbK2OEtIBw7/xazuHkAvqdhNuCOU6Qs2IUiwDOJ2MWpi GJwWVhjP0AZo67TjiN5EEAH7nBwvUB61h/syGd/V/5kzGteG953yZnZFf3vdy/JQYXCg c7+K1A14z9OGdcLM+4T8IpcoLJ2nSjI3bZPzaemokNq9Ws5s8jHy3Nn/Y2skRFmbm8uL S33SkM2dKwegY2KzgvED/DpNYRbuJWLLjtgGFRPwwXox1YLGuRgyO+/cbLzW9lA5MwUF mcBWNcDILAKoPggfERsvgQVePrtgHNy51ieHKB6QHpVlrnNNAUH9qvVnjirUnl1EYBTo 9A== Received: from iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta01.appoci.oracle.com [130.35.100.223]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3jbwh1j881-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 07 Sep 2022 22:17:06 +0000 Received: from pps.filterd (iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 287MFemF031125; Wed, 7 Sep 2022 22:17:04 GMT Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2171.outbound.protection.outlook.com [104.47.56.171]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3jbwcavjm3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 07 Sep 2022 22:17:04 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=C3Nj9FHuL6IY7Z+kSRpSjMp2IVwHLiOIYgTj0A6BxBNJWsUnd3SNslfcvNYn8ia7svaztKgoQTdyM0SlrNIxnPWzWl9bi3kUG7mKugzA1SpcAydFcaqs97UGV7ZN4Su3G+gGWPnyRc9gqTJAGMCthzGKHiG0ZLVfBMdBKKXVQX0dor4Ab64C/3dVl36bG1i75U10aQ1YWmAYpLEsjAqlDSdOMsd/eIs9dW/zXqBYt9EVAYGQ1LX9JLFyw5qsX1p1rAqAJOI7cn2iCL09bbn9TaV3I408Uh+PgqZH+JgA/j0okCoKNYIiTXd1NF76/FBMzu9l7e3MsJczrJbr3aveGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ChuNcVTb5/ihcK8RWL9JqnNd3cm3ZW1N57OddTsjNQ0=; b=MU/VO9SubQ9UeFVuPX7p3FehyUmjkZr0LK2gkDDQ9bUNdwBu1My2saDsVYsFzXrCgmz2fv4sAblTV7fHlwPful5g3CONQ+o6+XGxmXuojJfmeJHusxlO1bycL2onDPRsf4bslDTbTiqfVo/TDpk5UABd0r4yFfPQWOSqqwycNOHF0B1Ok0x90BUkBuddg57huml+eXAsfR7Qe2J9XbzLYaceoemyG/DEBXRwhi4qM/WJLqd1nnj5oEVr8MlGDyEN71pYK1K7kpeozw+XMwHE7qnv9HCGe4JsmAHH0LkZ83lYDkaRZCWu3OdhuUZlKSE590oI5fsHbnzX5ZyrVz1+gg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ChuNcVTb5/ihcK8RWL9JqnNd3cm3ZW1N57OddTsjNQ0=; b=aat3M/Bx2Fr0Tkk3IPsjHcyS3qS3vM85jqva+MJScvD6olIMlgsRPiTSmtpXi7F8zrqnhAxUwFmI6grcaBxaIGGMQn7WjRQVsh8GXRretFiP11ggA16f+3vGBPU2VU/Ad2vrPL5qq5hCyCt4LHPj1SZ0u4gJ+fCQgRUWOI9QasQ= Received: from DM5PR10MB1466.namprd10.prod.outlook.com (2603:10b6:3:b::7) by SJ1PR10MB5956.namprd10.prod.outlook.com (2603:10b6:a03:489::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.11; Wed, 7 Sep 2022 22:17:02 +0000 Received: from DM5PR10MB1466.namprd10.prod.outlook.com ([fe80::8dee:d667:f326:1d50]) by DM5PR10MB1466.namprd10.prod.outlook.com ([fe80::8dee:d667:f326:1d50%6]) with mapi id 15.20.5612.014; Wed, 7 Sep 2022 22:17:02 +0000 From: Mike Christie To: lijinlin3@huawei.com, lduncan@suse.com, cleech@redhat.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, jejb@linux.ibm.com Cc: Mike Christie Subject: [PATCH v2 1/1] scsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername Date: Wed, 7 Sep 2022 17:17:00 -0500 Message-Id: <20220907221700.10302-1-michael.christie@oracle.com> X-Mailer: git-send-email 2.25.1 X-ClientProxiedBy: CH0P220CA0004.NAMP220.PROD.OUTLOOK.COM (2603:10b6:610:ef::10) To DM5PR10MB1466.namprd10.prod.outlook.com (2603:10b6:3:b::7) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DM5PR10MB1466:EE_|SJ1PR10MB5956:EE_ X-MS-Office365-Filtering-Correlation-Id: b8083f94-7f3c-42c0-5e8e-08da911eb06c X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: VNht/17nlUW2fS+Uce1cwZhCE+bxxAkwnFoROoMfD4AeP3LbEGqiSaNT++umaaJISu5iX8KKuRBktiCx3iv4Xc1NGPoXY245D4Vf8o81+phf1pGaeBUU8K+IkjkoE3UcAjcHnRKPh23SCgI274jZJ+xcv9rWAbCK9rVd8V3PCjPJxb32IKFXcgKOU1bLT3MpFcUspiRVKjSw5VhkGKhsvWiBXsg3aJrc/Et5tTZBRvJoJPk9ktGMlbG/fq6xB2JH+d7UOcJxF+beir7m1ygna57+hYlBKff/xp4fUhnjKhcREUUbAnXK/W4G/6pAbVmKvnue9IkaElzGfhGdXYUDnen8k10JGcAzBpVysUBjwnlMRjVvc2AT39OuRX7cvcPWFKNAg0E0PKwuqatIEnF82xaVVnOEdY94ew1ogjv7Ujl2pFuztIAn5rG3TgUZpJo/59kNOrDS55LExEYuknmpGQMwXgfXIDR9DQjuGpcpprXiL5SZVf9pigL0TMcuAGR2mHo0rek7e7sNUvOX8WUt+4mqS0aG8XlRqB+pj8oLADtQ5mpZJXhIfSMcd9XUTVTG8e5QHlVMPebFLFM1YFUtkRzpTmH8/olY1riVBxU+goyUyHRyoHrN1JVP4P6+y+KOKTXlb99umyVrTe5v8fNZV9Hb1OxM2Bd5Q1KE7gXRepkY1iVa1uHsgqmBgy0fnrm5KOK1O7B4SslEKHrJmIrQ0A== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR10MB1466.namprd10.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(136003)(366004)(346002)(39860400002)(376002)(396003)(186003)(26005)(6512007)(478600001)(5660300002)(66556008)(6506007)(2906002)(41300700001)(86362001)(8936002)(6486002)(83380400001)(2616005)(107886003)(38100700002)(1076003)(316002)(36756003)(4326008)(8676002)(66476007)(66946007); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: Sd7Mm/aA0ITwfntW68HsAbwmNV/rndOzxJtszvK0wuGC3Peto1mYZVXSXSYrJgViFgSmG9umdk04OgeKcTnBuuDE6J6jRk+tc/1FxqkfznKvnfQf4Bm3uQ36t+vgfsKPtldLh5PYwz97vQDi8dJrM3ZJf35Nt/OTzCT0ETjqTwYci/4d3qKGBmUVuor53WErRJORukuCnV7wj/U39Mugkmi367LDCKmgxZAcYF6DWEH9M0eEt5lMB7O893E961POblsEaXoowiuPl/4Y8NXzhRUQzcYzfxjoclDXAtQQ2Ca4Aq1Xj2XX+4tRSWUfGJgq2yNcQPeWP3DpvsrwkvBuj6sLYVpqFCA/VoEgVsX84m9t9CV86C4XKPThfBezPmUgFXfsiLqMSnljmkGYH28Lv+xhN5Dz9CwjZH9h+mxp1y1SFuze96EaGOxMtDiuPdk3TXG50GKOjDUrgD9UtGdgd/uvcoMqGwXfCOGEla0FsG2lQfR3OukIGU2d459g0uYlTYV2eGkJRL2lEo7mJ0srqEpk1OZ351MlWCSakFq8HZfVARGkBrcfn6aAAP3budDfCcwKbdGCryUanoh1akh+ysnOVpVHwUebt0GEhwN+g3s6ON7mUSzxdTECPzNMrSzZyyZ6peYfq9ruHuZdGFMY1kY5zGigjHB/FGduRfjXMlziDoQmk1SwoxsHjm1iH0IwC/dsb0TnMA591KAOfdqlIyR+ZdI3mihuE7kH6tWsh09iTvPL2eTeNvHWhs/j+2IFywA72kuoHNt6S+4jg2EBpXCK7T+lCsbUl8uuIjgUrTdTOilwvqGCTaLpdKUh1LwTUTo88VChd5MoZQqhV/x6/o6LQmx6lIN6NDE2TkfAOGmRMhrZ5ckFC4a66eNdpHmcJK+YGQU2lRiFlH4S9FfiHsWVyamge+fVGnxv7pyrv0byjQglRD09z5/HdNyBY3jAvA5GpzIMQqgdNcWHZM4ob968jmvcp2HMzrvKVRizmMbAm+CU1QqrWmX9905PzN928aGojOH9hrrkSiN+RryLIEtJwhQWkXXA30KP0yHluZlDbjOQ2HuMXjdAgspiWGHPFRY5IOOh03N4kjjsxePG3MZdC2ycjHnqCXgYl3aSQJs/zMsww5b2Xw+fGe3Tze5vkwu5rB3UR4JLJKdrZvKkoXnqy2vDjXK+hf0A+wgatMwtLzQ3xwu9+C5F1rMDTU8DLkXq940W7iMs1GyqO1+gZw9RModheayqCELSwgEtL1sJ7aJf14lAvyJi/sO6ae17OeFf3BfLMQ5hS/eYpEkHhXb21rX77rhpFafUh7zUc60H6R+5ZTdUdYBp3A89UTAwAx7GZ97WAHjykjuAsED4lHHkoqWZSmhQJ6nUvI1sDUCRROusDPK5vnZS/6/iSKrmk2VTNqxGpUZUX06iqmErZEKmPANHgJwORvT24luuPYgpMJcnIJDO52iVOXNfJdsPS0p6LFV8P1kiyzDllVxdvjTclKXXlREvvkZ5Fh6Li0t7srdH9zq1dNA9FY8yeBB0jsvDD8t6NwkCftraB+prdXidGj+ZH+DalGYBRFGf3Mu5fyxIPvov65JM0HHDW7iDTpNQmR2FidWOTw07CSwBcQ== X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: b8083f94-7f3c-42c0-5e8e-08da911eb06c X-MS-Exchange-CrossTenant-AuthSource: DM5PR10MB1466.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2022 22:17:02.2847 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: mNwvbJx+sztnIFnpPfB2etsMd8Q+LACPFUA8ZGCkBYxcraKJQEs+yPAtVwH9JZ2CEynmXBoN+juFNc5SblezbMqgi1YdV/neJ/3AmpSOzNU= X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ1PR10MB5956 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-07_10,2022-09-07_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 adultscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0 suspectscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2209070082 X-Proofpoint-GUID: tdB6XZYT0nZpn3yrZ5vm8N_rDZyvBErm X-Proofpoint-ORIG-GUID: tdB6XZYT0nZpn3yrZ5vm8N_rDZyvBErm Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org This patch fixes a NULL pointer crash that occurs when we are freeing the socket at the same time we access it via sysfs. The problem is that: 1. iscsi_sw_tcp_conn_get_param/iscsi_sw_tcp_host_get_param takes the frwd_lock and does sock_hold() then drops the frwd_lock. sock_hold does a get on the "struct sock". 2. iscsi_sw_tcp_release_conn does sockfd_put() which does the last put on the "struct socket" and that does __sock_release which sets the sock->ops to NULL. 3. iscsi_sw_tcp_conn_get_param/iscsi_sw_tcp_host_get_param then calls kernel_getpeername which acceses the NULL sock->ops. Above we do a get on the "struct sock", but we needed a get on the "struct socket". Originally, we just held the frwd_lock the entire time but in: commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") we switched to refcount based because the network layer changed and started taking a mutex in that path, so we could no longer hold the frwd_lock. Instead of trying to maintain multiple refcounts, this just has a use a mutex for accessing the socket in the interface code paths. Fixes: bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") Signed-off-by: Mike Christie --- v2: - set_param will be serialized with setup by the iscsi class but after the conn is added to sysfs, userspace can call into the driver. This adds a check in iscsi_sw_tcp_conn_get_param to make sure we have been bound (leaddconn is set) so we know setup has completed and we have connected to a target at least once. drivers/scsi/iscsi_tcp.c | 73 ++++++++++++++++++++++++++++------------ drivers/scsi/iscsi_tcp.h | 3 ++ 2 files changed, 55 insertions(+), 21 deletions(-) diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 29b1bd755afe..5fb1f364e815 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -595,6 +595,8 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session, INIT_WORK(&conn->recvwork, iscsi_sw_tcp_recv_data_work); tcp_sw_conn->queue_recv = iscsi_recv_from_iscsi_q; + mutex_init(&tcp_sw_conn->sock_lock); + tfm = crypto_alloc_ahash("crc32c", 0, CRYPTO_ALG_ASYNC); if (IS_ERR(tfm)) goto free_conn; @@ -629,11 +631,15 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session, static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn) { - struct iscsi_session *session = conn->session; struct iscsi_tcp_conn *tcp_conn = conn->dd_data; struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; struct socket *sock = tcp_sw_conn->sock; + /* + * The iscsi transport class will make sure we are not called in + * parallel with start, stop, bind and destroys. However, this can be + * called twice if userspace does a stop then a destroy. + */ if (!sock) return; @@ -649,9 +655,9 @@ static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn) iscsi_suspend_rx(conn); - spin_lock_bh(&session->frwd_lock); + mutex_lock(&tcp_sw_conn->sock_lock); tcp_sw_conn->sock = NULL; - spin_unlock_bh(&session->frwd_lock); + mutex_unlock(&tcp_sw_conn->sock_lock); sockfd_put(sock); } @@ -703,7 +709,6 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, struct iscsi_cls_conn *cls_conn, uint64_t transport_eph, int is_leading) { - struct iscsi_session *session = cls_session->dd_data; struct iscsi_conn *conn = cls_conn->dd_data; struct iscsi_tcp_conn *tcp_conn = conn->dd_data; struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; @@ -723,10 +728,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, if (err) goto free_socket; - spin_lock_bh(&session->frwd_lock); + mutex_lock(&tcp_sw_conn->sock_lock); /* bind iSCSI connection and socket */ tcp_sw_conn->sock = sock; - spin_unlock_bh(&session->frwd_lock); + mutex_unlock(&tcp_sw_conn->sock_lock); /* setup Socket parameters */ sk = sock->sk; @@ -763,8 +768,15 @@ static int iscsi_sw_tcp_conn_set_param(struct iscsi_cls_conn *cls_conn, break; case ISCSI_PARAM_DATADGST_EN: iscsi_set_param(cls_conn, param, buf, buflen); + + mutex_lock(&tcp_sw_conn->sock_lock); + if (!tcp_sw_conn->sock) { + mutex_unlock(&tcp_sw_conn->sock_lock); + return -ENOTCONN; + } tcp_sw_conn->sendpage = conn->datadgst_en ? sock_no_sendpage : tcp_sw_conn->sock->ops->sendpage; + mutex_unlock(&tcp_sw_conn->sock_lock); break; case ISCSI_PARAM_MAX_R2T: return iscsi_tcp_set_max_r2t(conn, buf); @@ -779,8 +791,8 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn, enum iscsi_param param, char *buf) { struct iscsi_conn *conn = cls_conn->dd_data; - struct iscsi_tcp_conn *tcp_conn = conn->dd_data; - struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; + struct iscsi_sw_tcp_conn *tcp_sw_conn; + struct iscsi_tcp_conn *tcp_conn; struct sockaddr_in6 addr; struct socket *sock; int rc; @@ -790,21 +802,36 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn, case ISCSI_PARAM_CONN_ADDRESS: case ISCSI_PARAM_LOCAL_PORT: spin_lock_bh(&conn->session->frwd_lock); - if (!tcp_sw_conn || !tcp_sw_conn->sock) { + if (!conn->session->leadconn) { spin_unlock_bh(&conn->session->frwd_lock); return -ENOTCONN; } - sock = tcp_sw_conn->sock; - sock_hold(sock->sk); + /* + * The conn has been setup and bound, so just grab a ref + * incase a destroy runs while we are in the net layer. + */ + iscsi_get_conn(conn->cls_conn); spin_unlock_bh(&conn->session->frwd_lock); + tcp_conn = conn->dd_data; + tcp_sw_conn = tcp_conn->dd_data; + + mutex_lock(&tcp_sw_conn->sock_lock); + sock = tcp_sw_conn->sock; + if (!sock) { + rc = -ENOTCONN; + goto sock_unlock; + } + if (param == ISCSI_PARAM_LOCAL_PORT) rc = kernel_getsockname(sock, (struct sockaddr *)&addr); else rc = kernel_getpeername(sock, (struct sockaddr *)&addr); - sock_put(sock->sk); +sock_unlock: + mutex_unlock(&tcp_sw_conn->sock_lock); + iscsi_put_conn(conn->cls_conn); if (rc < 0) return rc; @@ -842,17 +869,21 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, } tcp_conn = conn->dd_data; tcp_sw_conn = tcp_conn->dd_data; - sock = tcp_sw_conn->sock; - if (!sock) { - spin_unlock_bh(&session->frwd_lock); - return -ENOTCONN; - } - sock_hold(sock->sk); + /* + * The conn has been setup and bound, so just grab a ref + * incase a destroy runs while we are in the net layer. + */ + iscsi_get_conn(conn->cls_conn); spin_unlock_bh(&session->frwd_lock); - rc = kernel_getsockname(sock, - (struct sockaddr *)&addr); - sock_put(sock->sk); + mutex_lock(&tcp_sw_conn->sock_lock); + sock = tcp_sw_conn->sock; + if (!sock) + rc = -ENOTCONN; + else + rc = kernel_getsockname(sock, (struct sockaddr *)&addr); + mutex_unlock(&tcp_sw_conn->sock_lock); + iscsi_put_conn(conn->cls_conn); if (rc < 0) return rc; diff --git a/drivers/scsi/iscsi_tcp.h b/drivers/scsi/iscsi_tcp.h index 850a018aefb9..68e14a344904 100644 --- a/drivers/scsi/iscsi_tcp.h +++ b/drivers/scsi/iscsi_tcp.h @@ -28,6 +28,9 @@ struct iscsi_sw_tcp_send { struct iscsi_sw_tcp_conn { struct socket *sock; + /* Taken when accessing the sock from the netlink/sysfs interface */ + struct mutex sock_lock; + struct work_struct recvwork; bool queue_recv;