Message ID | 20170523234854.21452-16-bart.vanassche@sandisk.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 24/05/17 01:48, Bart Van Assche wrote: > scsiback_release_cmd() must not dereference se_cmd->se_tmr_req > because that memory is freed by target_free_cmd_mem() before > scsiback_release_cmd() is called. Fix this use-after-free by > inlining struct scsiback_tmr into struct vscsibk_pend. > > Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> > Cc: Juergen Gross <jgross@suse.com> > Cc: Christoph Hellwig <hch@lst.de> > Cc: Hannes Reinecke <hare@suse.com> > Cc: David Disseldorp <ddiss@suse.de> > Cc: xen-devel@lists.xenproject.org Reviewed-by: Juergen Gross <jgross@suse.com> Juergen -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote: > scsiback_release_cmd() must not dereference se_cmd->se_tmr_req > because that memory is freed by target_free_cmd_mem() before > scsiback_release_cmd() is called. Fix this use-after-free by > inlining struct scsiback_tmr into struct vscsibk_pend. > > Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> > Cc: Juergen Gross <jgross@suse.com> > Cc: Christoph Hellwig <hch@lst.de> > Cc: Hannes Reinecke <hare@suse.com> > Cc: David Disseldorp <ddiss@suse.de> > Cc: xen-devel@lists.xenproject.org > --- > drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ > 1 file changed, 9 insertions(+), 24 deletions(-) Applied. -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote: > On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote: > > scsiback_release_cmd() must not dereference se_cmd->se_tmr_req > > because that memory is freed by target_free_cmd_mem() before > > scsiback_release_cmd() is called. Fix this use-after-free by > > inlining struct scsiback_tmr into struct vscsibk_pend. > > > > Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> > > Cc: Juergen Gross <jgross@suse.com> > > Cc: Christoph Hellwig <hch@lst.de> > > Cc: Hannes Reinecke <hare@suse.com> > > Cc: David Disseldorp <ddiss@suse.de> > > Cc: xen-devel@lists.xenproject.org > > --- > > drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ > > 1 file changed, 9 insertions(+), 24 deletions(-) > > Applied. > Oh btw, this looks like stable material to me. So unless Juergen has any objections, adding a v3.18+ tag. -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 03/06/17 09:04, Nicholas A. Bellinger wrote: > On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote: >> On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote: >>> scsiback_release_cmd() must not dereference se_cmd->se_tmr_req >>> because that memory is freed by target_free_cmd_mem() before >>> scsiback_release_cmd() is called. Fix this use-after-free by >>> inlining struct scsiback_tmr into struct vscsibk_pend. >>> >>> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> >>> Cc: Juergen Gross <jgross@suse.com> >>> Cc: Christoph Hellwig <hch@lst.de> >>> Cc: Hannes Reinecke <hare@suse.com> >>> Cc: David Disseldorp <ddiss@suse.de> >>> Cc: xen-devel@lists.xenproject.org >>> --- >>> drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ >>> 1 file changed, 9 insertions(+), 24 deletions(-) >> >> Applied. >> > > Oh btw, this looks like stable material to me. > > So unless Juergen has any objections, adding a v3.18+ tag. No objections from me. Juergen -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c index d6950e0802b7..980f32817305 100644 --- a/drivers/xen/xen-scsiback.c +++ b/drivers/xen/xen-scsiback.c @@ -134,9 +134,7 @@ struct vscsibk_pend { struct page *pages[VSCSI_MAX_GRANTS]; struct se_cmd se_cmd; -}; -struct scsiback_tmr { atomic_t tmr_complete; wait_queue_head_t tmr_wait; }; @@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, struct scsiback_tpg *tpg = pending_req->v2p->tpg; struct scsiback_nexus *nexus = tpg->tpg_nexus; struct se_cmd *se_cmd = &pending_req->se_cmd; - struct scsiback_tmr *tmr; u64 unpacked_lun = pending_req->v2p->lun; int rc, err = FAILED; - tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL); - if (!tmr) { - target_put_sess_cmd(se_cmd); - goto err; - } - - init_waitqueue_head(&tmr->tmr_wait); + init_waitqueue_head(&pending_req->tmr_wait); rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess, &pending_req->sense_buffer[0], - unpacked_lun, tmr, act, GFP_KERNEL, + unpacked_lun, NULL, act, GFP_KERNEL, tag, TARGET_SCF_ACK_KREF); if (rc) goto err; - wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete)); + wait_event(pending_req->tmr_wait, + atomic_read(&pending_req->tmr_complete)); err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ? SUCCESS : FAILED; @@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, scsiback_do_resp_with_sense(NULL, err, 0, pending_req); transport_generic_free_cmd(&pending_req->se_cmd, 1); return; + err: - if (tmr) - kfree(tmr); scsiback_do_resp_with_sense(NULL, err, 0, pending_req); } @@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd *se_cmd) static void scsiback_release_cmd(struct se_cmd *se_cmd) { struct se_session *se_sess = se_cmd->se_sess; - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - - if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) { - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; - kfree(tmr); - } percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag); } @@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd) static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd) { - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; + struct vscsibk_pend *pending_req = container_of(se_cmd, + struct vscsibk_pend, se_cmd); - atomic_set(&tmr->tmr_complete, 1); - wake_up(&tmr->tmr_wait); + atomic_set(&pending_req->tmr_complete, 1); + wake_up(&pending_req->tmr_wait); } static void scsiback_aborted_task(struct se_cmd *se_cmd)
scsiback_release_cmd() must not dereference se_cmd->se_tmr_req because that memory is freed by target_free_cmd_mem() before scsiback_release_cmd() is called. Fix this use-after-free by inlining struct scsiback_tmr into struct vscsibk_pend. Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com> Cc: Juergen Gross <jgross@suse.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.com> Cc: David Disseldorp <ddiss@suse.de> Cc: xen-devel@lists.xenproject.org --- drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ 1 file changed, 9 insertions(+), 24 deletions(-)