From nobody Fri Oct 29 23:58:16 2021
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id E1A76181D145;
	Fri, 29 Oct 2021 23:58:18 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Hgzs56vJ4z4VPS;
	Fri, 29 Oct 2021 23:58:17 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CC242203AF;
	Fri, 29 Oct 2021 23:58:16 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19TNwGch003543;
	Fri, 29 Oct 2021 23:58:16 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19TNwGdW003542;
	Fri, 29 Oct 2021 23:58:16 GMT
	(envelope-from git)
Date: Fri, 29 Oct 2021 23:58:16 GMT
Message-Id: <202110292358.19TNwGdW003542@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: b77045f1ca6a - stable/13 - iscsi: Always free a cdw before its associated ctl_io.
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b77045f1ca6ae553ed5ca6fc0f16953854593369
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=b77045f1ca6ae553ed5ca6fc0f16953854593369

commit b77045f1ca6ae553ed5ca6fc0f16953854593369
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-05-20 16:58:59 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-10-29 23:03:54 +0000

    iscsi: Always free a cdw before its associated ctl_io.
    
    cxgbei stores state about a target transfer in the ctl_private[] array
    of a ctl_io that is freed when a target transfer (represented by the
    cdw) is freed.  As such, freeing a ctl_io before a cdw that references
    it can result in a use after free in cxgbei.  Two of the four places
    freed the cdw first, and the other two freed the ctl_io first.  Fix
    the latter two places to free the cdw first.
    
    Reported by:    Jithesh Arakkan @ Chelsio
    Reviewed by:    mav
    Differential Revision:  https://reviews.freebsd.org/D30270
    
    (cherry picked from commit 71e3d1b3a0ee4080c53615167bde4d93efe103fe)
---
 sys/cam/ctl/ctl_frontend_iscsi.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/sys/cam/ctl/ctl_frontend_iscsi.c b/sys/cam/ctl/ctl_frontend_iscsi.c
index fdbc06150f93..a5a80848c763 100644
--- a/sys/cam/ctl/ctl_frontend_iscsi.c
+++ b/sys/cam/ctl/ctl_frontend_iscsi.c
@@ -1112,7 +1112,7 @@ static void
 cfiscsi_session_terminate_tasks(struct cfiscsi_session *cs)
 {
 	struct cfiscsi_data_wait *cdw;
-	union ctl_io *io;
+	union ctl_io *io, *cdw_io;
 	int error, last, wait;
 
 	if (cs->cs_target == NULL)
@@ -1144,10 +1144,11 @@ cfiscsi_session_terminate_tasks(struct cfiscsi_session *cs)
 		 * assuming that the data transfer actually succeeded
 		 * and writing uninitialized data to disk.
 		 */
-		cdw->cdw_ctl_io->io_hdr.flags &= ~CTL_FLAG_DMA_INPROG;
-		cdw->cdw_ctl_io->scsiio.io_hdr.port_status = 42;
-		ctl_datamove_done(cdw->cdw_ctl_io, false);
+		cdw_io = cdw->cdw_ctl_io;
+		cdw_io->io_hdr.flags &= ~CTL_FLAG_DMA_INPROG;
+		cdw_io->scsiio.io_hdr.port_status = 42;
 		cfiscsi_data_wait_free(cs, cdw);
+		ctl_datamove_done(cdw_io, false);
 		CFISCSI_SESSION_LOCK(cs);
 	}
 	CFISCSI_SESSION_UNLOCK(cs);
@@ -2920,6 +2921,7 @@ cfiscsi_task_management_done(union ctl_io *io)
 	struct cfiscsi_data_wait *cdw, *tmpcdw;
 	struct cfiscsi_session *cs, *tcs;
 	struct cfiscsi_softc *softc;
+	union ctl_io *cdw_io;
 	int cold_reset = 0;
 
 	request = PRIV_REQUEST(io);
@@ -2953,10 +2955,11 @@ cfiscsi_task_management_done(union ctl_io *io)
 #endif
 			TAILQ_REMOVE(&cs->cs_waiting_for_data_out,
 			    cdw, cdw_next);
-			io->io_hdr.flags &= ~CTL_FLAG_DMA_INPROG;
-			cdw->cdw_ctl_io->scsiio.io_hdr.port_status = 43;
-			ctl_datamove_done(cdw->cdw_ctl_io, false);
+			cdw_io = cdw->cdw_ctl_io;
+			cdw_io->io_hdr.flags &= ~CTL_FLAG_DMA_INPROG;
+			cdw_io->scsiio.io_hdr.port_status = 43;
 			cfiscsi_data_wait_free(cs, cdw);
+			ctl_datamove_done(cdw_io, false);
 		}
 		CFISCSI_SESSION_UNLOCK(cs);
 	}