diff mbox series

scsi: tcmu: fix use after free

Message ID 20190122101051.97661-1-xiubli@redhat.com (mailing list archive)
State Mainlined
Commit 40d883b091758472c79b81fa1c0e0347e24a9cff
Headers show
Series scsi: tcmu: fix use after free | expand

Commit Message

Xiubo Li Jan. 22, 2019, 10:10 a.m. UTC 
From: Xiubo Li <xiubli@redhat.com>

Fixes: 4147ebb3 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Mike Christie <mchristi@redhat.com>
Signed-off-by: Xiubo Li <xiubli@redhat.com>
---
 drivers/target/target_core_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Mike Christie Jan. 22, 2019, 4:31 p.m. UTC | #1 
On 01/22/2019 04:10 AM, xiubli@redhat.com wrote:
> From: Xiubo Li <xiubli@redhat.com>
> 
> Fixes: 4147ebb3 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Mike Christie <mchristi@redhat.com>
> Signed-off-by: Xiubo Li <xiubli@redhat.com>
> ---
>  drivers/target/target_core_user.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index ac76201..c46efa4 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -1317,12 +1317,13 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
>  		 * target_complete_cmd will translate this to LUN COMM FAILURE
>  		 */
>  		scsi_status = SAM_STAT_CHECK_CONDITION;
> +		list_del_init(&cmd->queue_entry);
>  	} else {
> +		list_del_init(&cmd->queue_entry);
>  		idr_remove(&udev->commands, id);
>  		tcmu_free_cmd(cmd);
>  		scsi_status = SAM_STAT_TASK_SET_FULL;
>  	}
> -	list_del_init(&cmd->queue_entry);
>  
>  	pr_debug("Timing out cmd %u on dev %s that is %s.\n",
>  		 id, udev->name, is_running ? "inflight" : "queued");
> 

Reviewed-by: Mike Christie <mchristi@redhat.com>
Martin K. Petersen Jan. 23, 2019, 1:56 a.m. UTC | #2 
Xiubo,

> Fixes: 4147ebb3 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")

Not sure where that hash comes from? I fixed it up. Also, please use 12
char abbrev.

Applied to 5.0/scsi-fixes.
Xiubo Li Jan. 23, 2019, 2:03 a.m. UTC | #3 
On 2019/1/23 9:56, Martin K. Petersen wrote:
> Xiubo,
>
>> Fixes: 4147ebb3 ("scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes")
> Not sure where that hash comes from? I fixed it up. Also, please use 12
> char abbrev.

Sorry, I may forgot to pull it from the upstream.

Thanks.

BRs

Xiubo


> Applied to 5.0/scsi-fixes.
>
diff mbox series

Patch

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index ac76201..c46efa4 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1317,12 +1317,13 @@  static int tcmu_check_expired_cmd(int id, void *p, void *data)
 		 * target_complete_cmd will translate this to LUN COMM FAILURE
 		 */
 		scsi_status = SAM_STAT_CHECK_CONDITION;
+		list_del_init(&cmd->queue_entry);
 	} else {
+		list_del_init(&cmd->queue_entry);
 		idr_remove(&udev->commands, id);
 		tcmu_free_cmd(cmd);
 		scsi_status = SAM_STAT_TASK_SET_FULL;
 	}
-	list_del_init(&cmd->queue_entry);
 
 	pr_debug("Timing out cmd %u on dev %s that is %s.\n",
 		 id, udev->name, is_running ? "inflight" : "queued");