Make sure a malicious user-space program cannot crash the kernel module
by prematurely closing the filedesc.
Signed-off-by: Peter Zijlstra <[EMAIL PROTECTED]>
Acked-by: Mike Christie <[EMAIL PROTECTED]>
---
drivers/scsi/iscsi_tcp.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
Index: linux-2.6-git/drivers/scsi/iscsi_tcp.c
===================================================================
--- linux-2.6-git.orig/drivers/scsi/iscsi_tcp.c 2007-01-16 14:15:50.000000000
+0100
+++ linux-2.6-git/drivers/scsi/iscsi_tcp.c 2007-01-16 14:24:05.000000000
+0100
@@ -1830,11 +1830,25 @@ tcp_conn_alloc_fail:
}
static void
+iscsi_tcp_release_conn(struct iscsi_conn *conn)
+{
+ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+
+ if (!tcp_conn->sock)
+ return;
+
+ sockfd_put(tcp_conn->sock);
+ tcp_conn->sock = NULL;
+ conn->recv_lock = NULL;
+}
+
+static void
iscsi_tcp_conn_destroy(struct iscsi_cls_conn *cls_conn)
{
struct iscsi_conn *conn = cls_conn->dd_data;
struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+ iscsi_tcp_release_conn(conn);
iscsi_conn_teardown(cls_conn);
if (tcp_conn->tx_hash.tfm)
crypto_free_hash(tcp_conn->tx_hash.tfm);
@@ -1851,6 +1865,7 @@ iscsi_tcp_conn_stop(struct iscsi_cls_con
struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
iscsi_conn_stop(cls_conn, flag);
+ iscsi_tcp_release_conn(conn);
tcp_conn->hdr_size = sizeof(struct iscsi_hdr);
}
@@ -1873,8 +1888,10 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses
}
err = iscsi_conn_bind(cls_session, cls_conn, is_leading, transport_eph);
- if (err)
- goto done;
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
/* bind iSCSI connection and socket */
tcp_conn->sock = sock;
@@ -1898,8 +1915,6 @@ iscsi_tcp_conn_bind(struct iscsi_cls_ses
*/
tcp_conn->in_progress = IN_PROGRESS_WAIT_HEADER;
-done:
- sockfd_put(sock);
return err;
}
--
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
