Skip to content

Commit c22dde6

Browse files
committed
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
jira VULN-176311 cve CVE-2026-23193 commit-author Maurizio Lombardi <mlombard@redhat.com> commit 84dc603 In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute spin_unlock_bh() on a session structure that has already been deallocated, resulting in a KASAN slab-use-after-free. To resolve this, release the session_usage_lock before calling complete() to ensure all dereferences of the sess pointer are finished before the waiter is allowed to proceed with deallocation. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reported-by: Zhaojuan Guo <zguo@redhat.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Link: https://patch.msgid.link/20260112165352.138606-3-mlombard@redhat.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> (cherry picked from commit 84dc603) Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
1 parent 45c537b commit c22dde6

1 file changed

Lines changed: 4 additions & 1 deletion

File tree

drivers/target/iscsi/iscsi_target_util.c

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -795,8 +795,11 @@ void iscsit_dec_session_usage_count(struct iscsi_session *sess)
795795
spin_lock_bh(&sess->session_usage_lock);
796796
sess->session_usage_count--;
797797

798-
if (!sess->session_usage_count && sess->session_waiting_on_uc)
798+
if (!sess->session_usage_count && sess->session_waiting_on_uc) {
799+
spin_unlock_bh(&sess->session_usage_lock);
799800
complete(&sess->session_waiting_on_uc_comp);
801+
return;
802+
}
800803

801804
spin_unlock_bh(&sess->session_usage_lock);
802805
}

0 commit comments

Comments
 (0)