Commit 0b97ffa
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
jira VULN-176310
cve CVE-2026-23193
commit-author Maurizio Lombardi <mlombard@redhat.com>
commit 84dc603
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reported-by: Zhaojuan Guo <zguo@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 84dc603)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent 2da20d9 commit 0b97ffa
1 file changed
Lines changed: 4 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
775 | 775 | | |
776 | 776 | | |
777 | 777 | | |
778 | | - | |
| 778 | + | |
| 779 | + | |
779 | 780 | | |
| 781 | + | |
| 782 | + | |
780 | 783 | | |
781 | 784 | | |
782 | 785 | | |
| |||
0 commit comments