From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Bart Van Assche <bvanassche@acm.org>,
Mike Christie <mchristi@redhat.com>,
Christoph Hellwig <hch@lst.de>, Hannes Reinecke <hare@suse.com>,
Nicholas Bellinger <nab@linux-iscsi.org>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 289/671] scsi: target/core: Fix a race condition in the LUN lookup code
Date: Thu, 16 Jan 2020 11:58:47 -0500 [thread overview]
Message-ID: <20200116170509.12787-26-sashal@kernel.org> (raw)
In-Reply-To: <20200116170509.12787-1-sashal@kernel.org>
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 63f7479439c95bcd49b7dd4af809862c316c71a3 ]
The rcu_dereference(deve->se_lun) expression occurs twice in the LUN lookup
functions. Since these expressions are not serialized against deve->se_lun
assignments each of these expressions may yield a different result. Avoid
that the wrong LUN pointer is stored in se_cmd by reading deve->se_lun only
once.
Cc: Mike Christie <mchristi@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Fixes: 29a05deebf6c ("target: Convert se_node_acl->device_list[] to RCU hlist") # v4.10
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index e9ff2a7c0c0e..22e97a93728d 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -85,7 +85,7 @@ transport_lookup_cmd_lun(struct se_cmd *se_cmd, u64 unpacked_lun)
goto out_unlock;
}
- se_cmd->se_lun = rcu_dereference(deve->se_lun);
+ se_cmd->se_lun = se_lun;
se_cmd->pr_res_key = deve->pr_res_key;
se_cmd->orig_fe_lun = unpacked_lun;
se_cmd->se_cmd_flags |= SCF_SE_LUN_CMD;
@@ -176,7 +176,7 @@ int transport_lookup_tmr_lun(struct se_cmd *se_cmd, u64 unpacked_lun)
goto out_unlock;
}
- se_cmd->se_lun = rcu_dereference(deve->se_lun);
+ se_cmd->se_lun = se_lun;
se_cmd->pr_res_key = deve->pr_res_key;
se_cmd->orig_fe_lun = unpacked_lun;
se_cmd->se_cmd_flags |= SCF_SE_LUN_CMD;
--
2.20.1
next prev parent reply other threads:[~2020-01-16 19:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:58 ` [PATCH AUTOSEL 4.19 282/671] scsi: qla2xxx: Unregister chrdev if module initialization fails Sasha Levin
2020-01-16 16:58 ` Sasha Levin [this message]
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 316/671] scsi: qla2xxx: Fix a format specifier Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 317/671] scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd() Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 318/671] scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory Sasha Levin
2020-01-16 17:01 ` [PATCH AUTOSEL 4.19 463/671] scsi: libfc: fix null pointer dereference on a null lport Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 538/671] scsi: fnic: fix msix interrupt allocation Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 626/671] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 632/671] scsi: core: scsi_trace: Use get_unaligned_be*() Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 652/671] scsi: qla4xxx: fix double free bug Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 653/671] scsi: bnx2i: fix potential use after free Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 654/671] scsi: target: core: Fix a pr_debug() argument Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 661/671] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Sasha Levin
2020-01-16 17:05 ` [PATCH AUTOSEL 4.19 662/671] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116170509.12787-26-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bvanassche@acm.org \
--cc=hare@suse.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mchristi@redhat.com \
--cc=nab@linux-iscsi.org \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).