* Patch "xen/scsiback: Fix a TMR related use-after-free" has been added to the 4.12-stable tree
@ 2017-07-22 14:16 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-07-22 14:16 UTC (permalink / raw)
To: bart.vanassche, ddiss, gregkh, hare, hch, jgross, nab
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
xen/scsiback: Fix a TMR related use-after-free
to the 4.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xen-scsiback-fix-a-tmr-related-use-after-free.patch
and it can be found in the queue-4.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@sandisk.com>
Date: Tue, 23 May 2017 16:48:36 -0700
Subject: xen/scsiback: Fix a TMR related use-after-free
From: Bart Van Assche <bart.vanassche@sandisk.com>
commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream.
scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
because that memory is freed by target_free_cmd_mem() before
scsiback_release_cmd() is called. Fix this use-after-free by
inlining struct scsiback_tmr into struct vscsibk_pend.
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: David Disseldorp <ddiss@suse.de>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
1 file changed, 9 insertions(+), 24 deletions(-)
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -134,9 +134,7 @@ struct vscsibk_pend {
struct page *pages[VSCSI_MAX_GRANTS];
struct se_cmd se_cmd;
-};
-struct scsiback_tmr {
atomic_t tmr_complete;
wait_queue_head_t tmr_wait;
};
@@ -599,26 +597,20 @@ static void scsiback_device_action(struc
struct scsiback_tpg *tpg = pending_req->v2p->tpg;
struct scsiback_nexus *nexus = tpg->tpg_nexus;
struct se_cmd *se_cmd = &pending_req->se_cmd;
- struct scsiback_tmr *tmr;
u64 unpacked_lun = pending_req->v2p->lun;
int rc, err = FAILED;
- tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
- if (!tmr) {
- target_put_sess_cmd(se_cmd);
- goto err;
- }
-
- init_waitqueue_head(&tmr->tmr_wait);
+ init_waitqueue_head(&pending_req->tmr_wait);
rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
&pending_req->sense_buffer[0],
- unpacked_lun, tmr, act, GFP_KERNEL,
+ unpacked_lun, NULL, act, GFP_KERNEL,
tag, TARGET_SCF_ACK_KREF);
if (rc)
goto err;
- wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
+ wait_event(pending_req->tmr_wait,
+ atomic_read(&pending_req->tmr_complete));
err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
SUCCESS : FAILED;
@@ -626,9 +618,8 @@ static void scsiback_device_action(struc
scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
transport_generic_free_cmd(&pending_req->se_cmd, 1);
return;
+
err:
- if (tmr)
- kfree(tmr);
scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
}
@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru
static void scsiback_release_cmd(struct se_cmd *se_cmd)
{
struct se_session *se_sess = se_cmd->se_sess;
- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-
- if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
- kfree(tmr);
- }
percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
}
@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct
static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
{
- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+ struct vscsibk_pend *pending_req = container_of(se_cmd,
+ struct vscsibk_pend, se_cmd);
- atomic_set(&tmr->tmr_complete, 1);
- wake_up(&tmr->tmr_wait);
+ atomic_set(&pending_req->tmr_complete, 1);
+ wake_up(&pending_req->tmr_wait);
}
static void scsiback_aborted_task(struct se_cmd *se_cmd)
Patches currently in stable-queue which might be from bart.vanassche@sandisk.com are
queue-4.12/scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch
queue-4.12/xen-scsiback-fix-a-tmr-related-use-after-free.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-07-22 17:04 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-22 14:16 Patch "xen/scsiback: Fix a TMR related use-after-free" has been added to the 4.12-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.