Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9f4ab18a authored by Bart Van Assche's avatar Bart Van Assche Committed by Nicholas Bellinger
Browse files

xen/scsiback: Fix a TMR related use-after-free 



scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
because that memory is freed by target_free_cmd_mem() before
scsiback_release_cmd() is called. Fix this use-after-free by
inlining struct scsiback_tmr into struct vscsibk_pend.

Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: David Disseldorp <ddiss@suse.de>
Cc: xen-devel@lists.xenproject.org
Cc: <stable@vger.kernel.org> # 3.18+
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
parent 13fdd445

drivers/xen/xen-scsiback.c

+9 −24
Original line number Diff line number Diff line
@@ -134,9 +134,7 @@ struct vscsibk_pend { 
	struct page *pages[VSCSI_MAX_GRANTS];



	struct se_cmd se_cmd;

};



struct scsiback_tmr {

	atomic_t tmr_complete;

	wait_queue_head_t tmr_wait;

};
@@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, 
	struct scsiback_tpg *tpg = pending_req->v2p->tpg;

	struct scsiback_nexus *nexus = tpg->tpg_nexus;

	struct se_cmd *se_cmd = &pending_req->se_cmd;

	struct scsiback_tmr *tmr;

	u64 unpacked_lun = pending_req->v2p->lun;

	int rc, err = FAILED;



	tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);

	if (!tmr) {

		target_put_sess_cmd(se_cmd);

		goto err;

	}



	init_waitqueue_head(&tmr->tmr_wait);

	init_waitqueue_head(&pending_req->tmr_wait);



	rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,

			       &pending_req->sense_buffer[0],

			       unpacked_lun, tmr, act, GFP_KERNEL,

			       unpacked_lun, NULL, act, GFP_KERNEL,

			       tag, TARGET_SCF_ACK_KREF);

	if (rc)

		goto err;



	wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));

	wait_event(pending_req->tmr_wait,

		   atomic_read(&pending_req->tmr_complete));



	err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?

		SUCCESS : FAILED;
@@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, 
	scsiback_do_resp_with_sense(NULL, err, 0, pending_req);

	transport_generic_free_cmd(&pending_req->se_cmd, 1);

	return;



err:

	if (tmr)

		kfree(tmr);

	scsiback_do_resp_with_sense(NULL, err, 0, pending_req);

}
@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd *se_cmd) 
static void scsiback_release_cmd(struct se_cmd *se_cmd)

{

	struct se_session *se_sess = se_cmd->se_sess;

	struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;



	if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {

		struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;

		kfree(tmr);

	}



	percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);

}
@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd) 


static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)

{

	struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;

	struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;

	struct vscsibk_pend *pending_req = container_of(se_cmd,

				struct vscsibk_pend, se_cmd);



	atomic_set(&tmr->tmr_complete, 1);

	wake_up(&tmr->tmr_wait);

	atomic_set(&pending_req->tmr_complete, 1);

	wake_up(&pending_req->tmr_wait);

}



static void scsiback_aborted_task(struct se_cmd *se_cmd)