RDMA/srp: Do not call scsi_done() from srp_abort()
stable inclusion
from stable-v5.10.199
commit 26788a5b48d9d5cd3283d777d238631c8cd7495a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95B1O
CVE: CVE-2023-52515

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26788a5b48d9d5cd3283d777d238631c8cd7495a

--------------------------------

[ Upstream commit e193b795 ]

After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler
callback, it performs one of the following actions:
* Call scsi_queue_insert().
* Call scsi_finish_command().
* Call scsi_eh_scmd_add().

Hence, SCSI abort handlers must not call scsi_done(). Otherwise all
the above actions would trigger a use-after-free. Hence remove the
scsi_done() call from srp_abort(). Keep the srp_free_req() call
before returning SUCCESS because we may not see the command again if
SUCCESS is returned.

Cc: Bob Pearson <rpearsonhpe@gmail.com>
Cc: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Fixes: d8536670 ("IB/srp: Avoid having aborted requests hang")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20230823205727.505681-1-bvanassche@acm.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>
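
The ownership rule stated in the commit message, as an added example that is not part of the commit or of the kernel source. It is a simplified C model: every toy_* name is hypothetical, and instead of freeing memory it counts accesses made to a command after a scsi_done()-style completion.

```c
#include <stdio.h>

/* Simplified ownership model; all toy_* names are hypothetical, not kernel APIs. */
enum toy_owner { TOY_OWNED_BY_EH, TOY_COMPLETED };

struct toy_cmd {
    enum toy_owner owner;
    int req_freed;      /* LLD request state released (srp_free_req() analogue) */
    int stale_accesses; /* accesses after completion: would be use-after-free */
};

/* Any dereference of the command; counted if the command was already completed. */
static void toy_touch(struct toy_cmd *c)
{
    if (c->owner == TOY_COMPLETED)
        c->stale_accesses++;
}

/* scsi_done() analogue: after this the command may be freed or reused. */
static void toy_done(struct toy_cmd *c)
{
    toy_touch(c);
    c->owner = TOY_COMPLETED;
}

/* Abort handler shape before the fix: frees the request AND completes the command. */
static int toy_abort_before_fix(struct toy_cmd *c)
{
    c->req_freed = 1;
    toy_done(c);
    return 1; /* stands in for SUCCESS */
}

/* Shape after the fix: frees the request, leaves completion to the caller. */
static int toy_abort_after_fix(struct toy_cmd *c)
{
    c->req_freed = 1;
    return 1; /* stands in for SUCCESS */
}

/* scmd_eh_abort_handler() analogue: run the LLD handler, then act on the command.
 * Whichever of the three follow-up actions runs, it dereferences the command. */
static int toy_eh_abort(int (*lld_abort)(struct toy_cmd *))
{
    struct toy_cmd c = { TOY_OWNED_BY_EH, 0, 0 };

    lld_abort(&c);
    toy_touch(&c);
    return c.stale_accesses;
}

int main(void)
{
    printf("before fix: %d stale access(es)\n", toy_eh_abort(toy_abort_before_fix));
    printf("after fix:  %d stale access(es)\n", toy_eh_abort(toy_abort_after_fix));
    return 0;
}
```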