scsi: target: tcmu: avoid use-after-free after command timeout (a86a7586) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit a86a7586 authored Aug 11, 2019 by

Dmitry Fomichev Committed by Martin K. Petersen Aug 14, 2019

scsi: target: tcmu: avoid use-after-free after command timeout



In tcmu_handle_completion() function, the variable called read_len is
always initialized with a value taken from se_cmd structure. If this
function is called to complete an expired (timed out) out command, the
session command pointed by se_cmd is likely to be already deallocated by
the target core at that moment. As the result, this access triggers a
use-after-free warning from KASAN.

This patch fixes the code not to touch se_cmd when completing timed out
TCMU commands. It also resets the pointer to se_cmd at the time when the
TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
after calling target_complete_cmd() later in the same function,
tcmu_check_expired_cmd().

Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Acked-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent 26fa656e

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit b8cd0b7b
· Sep 10, 2019

mentioned in commit b8cd0b7b

mentioned in commit b8cd0b7b09ed932c7c16825ac9a853b2507e316c

Toggle commit list
mirror @mirror
mentioned in commit 46bf670f
· Sep 10, 2019

mentioned in commit 46bf670f

mentioned in commit 46bf670f44551801f36733d275a3c9bb5c9a03f5

Toggle commit list

Please register or to comment