scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (d4d765f4) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/scsi/iscsi_tcp.c

+6 −3

Original line number	Diff line number	Diff line
		@@ -770,7 +770,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
		enum iscsi_host_param param, char *buf)
		{
		struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
		struct iscsi_session *session = tcp_sw_host->session;
		struct iscsi_session *session;
		struct iscsi_conn *conn;
		struct iscsi_tcp_conn *tcp_conn;
		struct iscsi_sw_tcp_conn *tcp_sw_conn;
		@@ -779,6 +779,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,

		switch (param) {
		case ISCSI_HOST_PARAM_IPADDRESS:
		session = tcp_sw_host->session;
		if (!session)
		return -ENOTCONN;

		@@ -867,12 +868,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
		if (!cls_session)
		goto remove_host;
		session = cls_session->dd_data;
		tcp_sw_host = iscsi_host_priv(shost);
		tcp_sw_host->session = session;

		shost->can_queue = session->scsi_cmds_max;
		if (iscsi_tcp_r2tpool_alloc(session))
		goto remove_session;

		/* We are now fully setup so expose the session to sysfs. */
		tcp_sw_host = iscsi_host_priv(shost);
		tcp_sw_host->session = session;
		return cls_session;

		remove_session: