From patchwork Thu May 23 22:21:27 2024
X-Patchwork-Submitter: Khazhismel Kumykov
X-Patchwork-Id: 798842
From: Khazhismel Kumykov
To: Lee Duncan, Chris Leech, Mike Christie
Cc: "James E.J. Bottomley", "Martin K. Petersen", open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Khazhismel Kumykov
Subject: [PATCH v2 1/2] iscsi_tcp: do not bind sockets that already have extra callbacks
Date: Thu, 23 May 2024 15:21:27 -0700
Message-ID: <20240523222128.786137-1-khazhy@google.com>

This attempts to avoid a situation where a misbehaving iscsi daemon passes a socket for a different iSCSI connection to BIND_CONN - which would result in infinite recursion and stack overflow. This will also prevent passing *other* sockets which had sk_user_data overridden, but that wouldn't have been safe anyways - since we throw away that pointer anyways. This does not cover all hypothetical scenarios where we pass bad sockets to BIND_CONN.

This also papers over a different bug - we allow a daemon to call BIND_CONN twice for the same connection - which would result in, at the least, failing to uninitialize/teardown the previous socket, which will be addressed separately.

Signed-off-by: Khazhismel Kumykov
---
 drivers/scsi/iscsi_tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 60688f18fac6..deb9252e02e6 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c
@@ -725,7 +725,7 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, } err = -EINVAL; - if (!sk_is_tcp(sock->sk)) + if (!sk_is_tcp(sock->sk) || sock->sk->sk_user_data) goto free_socket; err = iscsi_conn_bind(cls_session, cls_conn, is_leading);

From patchwork Thu May 23 22:21:28 2024
X-Patchwork-Submitter: Khazhismel Kumykov
X-Patchwork-Id: 798623
From: Khazhismel Kumykov
To: Lee Duncan, Chris Leech, Mike Christie
Cc: "James E.J. Bottomley", "Martin K. Petersen", open-iscsi@googlegroups.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Khazhismel Kumykov
Subject: [PATCH v2 2/2] libiscsi: disallow binding an already-bound connection
Date: Thu, 23 May 2024 15:21:28 -0700
Message-ID: <20240523222128.786137-2-khazhy@google.com>
In-Reply-To: <20240523222128.786137-1-khazhy@google.com>
References: <20240523222128.786137-1-khazhy@google.com>

This fixes an issue where a misbehaving userspace initiator could bind the same connection multiple times, which would leak the old connection socket without cleaning it up.

For iscsi_tcp, it calls iscsi_suspend_tx directly in stop_conn. Update this to iscsi_conn_unbind, which matches the lifecycle of other drivers, and clears the CONN_FLAG_BOUND.

Suggested-by: Mike Christie
Signed-off-by: Khazhismel Kumykov
---
 drivers/scsi/iscsi_tcp.c | 2 +-
 drivers/scsi/libiscsi.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index deb9252e02e6..1d93404515ae 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c
@@ -696,7 +696,7 @@ static void iscsi_sw_tcp_conn_stop(struct iscsi_cls_conn *cls_conn, int flag) wake_up_interruptible(sk_sleep(sock->sk)); /* stop xmit side */ - iscsi_suspend_tx(conn); + iscsi_conn_unbind(cls_conn, true); /* stop recv side and release socket */ iscsi_sw_tcp_release_conn(conn); diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 0fda8905eabd..0fb98eb53584 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3453,6 +3453,12 @@ int iscsi_conn_bind(struct iscsi_cls_session *cls_session, struct iscsi_conn *conn = cls_conn->dd_data; spin_lock_bh(&session->frwd_lock); + if (test_bit(ISCSI_CONN_FLAG_BOUND, &conn->flags)) { + spin_unlock_bh(&session->frwd_lock); + return -EBUSY; + } + + if (is_leading) session->leadconn = conn;
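
Review bot: In iscsi_sw_tcp_conn_bind() (patch 1/2, drivers/scsi/iscsi_tcp.c), the added `|| sock->sk->sk_user_data` test carries no comment, so the reason a socket with non-NULL sk_user_data is refused survives only in the commit message. A short comment above the condition saying that a non-NULL sk_user_data means something else, possibly another iSCSI connection, already owns the socket's callbacks would help. The rejection also reuses the -EINVAL set for the non-TCP case, so the daemon cannot tell the two failures apart; consider a distinct error code. The hunk shows no lock held around the read of sk_user_data, so it is worth stating whether the value can change between this check and the point where the driver installs its own callbacks.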
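
Review bot: In iscsi_sw_tcp_conn_stop() (patch 2/2, drivers/scsi/iscsi_tcp.c), the `/* stop xmit side */` comment is left above the new `iscsi_conn_unbind(cls_conn, true);` call and no longer describes everything the line does, since per the commit message the call also clears CONN_FLAG_BOUND. Update the comment to mention the unbind, and say what the `true` argument selects, because a bare boolean at the call site is hard to read. The visible lines do not show that iscsi_conn_unbind() still suspends transmit as iscsi_suspend_tx(conn) did, so the commit message should state that explicitly.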
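
Review bot: In iscsi_conn_bind() (patch 2/2, drivers/scsi/libiscsi.c), the new check only reads the flag with test_bit(ISCSI_CONN_FLAG_BOUND, &conn->flags) under frwd_lock, and the hunk does not show where the flag is set. If the set happens after spin_unlock_bh(), two concurrent BIND_CONN calls could both pass the test; either confirm the set sits inside the same locked region or use test_and_set_bit() here. As a style point, the hunk adds two consecutive blank lines before `if (is_leading)`; one is enough. A comment noting that -EBUSY means the connection is already bound would also help callers such as iscsi_sw_tcp_conn_bind(), which assigns the return value to err.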