xen/scsiback: Fix a TMR related use-after-free
scsiback_release_cmd() must not dereference se_cmd->se_tmr_req because that memory is freed by target_free_cmd_mem() before scsiback_release_cmd() is called. Fix this use-after-free by inlining struct scsiback_tmr into struct vscsibk_pend. Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Reviewed-by: Juergen Gross <jgross@suse.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.com> Cc: David Disseldorp <ddiss@suse.de> Cc: xen-devel@lists.xenproject.org Cc: <stable@vger.kernel.org> # 3.18+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>hifive-unleashed-5.1
Bart Van Assche
Nicholas Bellinger
parent
13fdd4458e
commit
9f4ab18ac5
|
|
@ -134,9 +134,7 @@ struct vscsibk_pend {
|
|||
struct page *pages[VSCSI_MAX_GRANTS];
|
||||
|
||||
struct se_cmd se_cmd;
|
||||
};
|
||||
|
||||
struct scsiback_tmr {
|
||||
atomic_t tmr_complete;
|
||||
wait_queue_head_t tmr_wait;
|
||||
};
|
||||
|
|
@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req,
|
|||
struct scsiback_tpg *tpg = pending_req->v2p->tpg;
|
||||
struct scsiback_nexus *nexus = tpg->tpg_nexus;
|
||||
struct se_cmd *se_cmd = &pending_req->se_cmd;
|
||||
struct scsiback_tmr *tmr;
|
||||
u64 unpacked_lun = pending_req->v2p->lun;
|
||||
int rc, err = FAILED;
|
||||
|
||||
tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
|
||||
if (!tmr) {
|
||||
target_put_sess_cmd(se_cmd);
|
||||
goto err;
|
||||
}
|
||||
|
||||
init_waitqueue_head(&tmr->tmr_wait);
|
||||
init_waitqueue_head(&pending_req->tmr_wait);
|
||||
|
||||
rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
|
||||
&pending_req->sense_buffer[0],
|
||||
unpacked_lun, tmr, act, GFP_KERNEL,
|
||||
unpacked_lun, NULL, act, GFP_KERNEL,
|
||||
tag, TARGET_SCF_ACK_KREF);
|
||||
if (rc)
|
||||
goto err;
|
||||
|
||||
wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
|
||||
wait_event(pending_req->tmr_wait,
|
||||
atomic_read(&pending_req->tmr_complete));
|
||||
|
||||
err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
|
||||
SUCCESS : FAILED;
|
||||
|
|
@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req,
|
|||
scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
|
||||
transport_generic_free_cmd(&pending_req->se_cmd, 1);
|
||||
return;
|
||||
|
||||
err:
|
||||
if (tmr)
|
||||
kfree(tmr);
|
||||
scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
|
||||
}
|
||||
|
||||
|
|
@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd *se_cmd)
|
|||
static void scsiback_release_cmd(struct se_cmd *se_cmd)
|
||||
{
|
||||
struct se_session *se_sess = se_cmd->se_sess;
|
||||
struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
|
||||
|
||||
if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
|
||||
struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
|
||||
kfree(tmr);
|
||||
}
|
||||
|
||||
percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
|
||||
}
|
||||
|
|
@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd)
|
|||
|
||||
static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
|
||||
{
|
||||
struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
|
||||
struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
|
||||
struct vscsibk_pend *pending_req = container_of(se_cmd,
|
||||
struct vscsibk_pend, se_cmd);
|
||||
|
||||
atomic_set(&tmr->tmr_complete, 1);
|
||||
wake_up(&tmr->tmr_wait);
|
||||
atomic_set(&pending_req->tmr_complete, 1);
|
||||
wake_up(&pending_req->tmr_wait);
|
||||
}
|
||||
|
||||
static void scsiback_aborted_task(struct se_cmd *se_cmd)
|
||||
|
|
|
|||
Loading…
Reference in New Issue