[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 15/33] xen/scsiback: Fix a use-after-free



scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
because that memory is freed by target_free_cmd_mem() before
scsiback_release_cmd() is called. Fix this use-after-free by
inlining struct scsiback_tmr into struct vscsibk_pend.

Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx>
Cc: Juergen Gross <jgross@xxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: Hannes Reinecke <hare@xxxxxxxx>
Cc: David Disseldorp <ddiss@xxxxxxx>
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
---
 drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index d6950e0802b7..980f32817305 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -134,9 +134,7 @@ struct vscsibk_pend {
        struct page *pages[VSCSI_MAX_GRANTS];
 
        struct se_cmd se_cmd;
-};
 
-struct scsiback_tmr {
        atomic_t tmr_complete;
        wait_queue_head_t tmr_wait;
 };
@@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend 
*pending_req,
        struct scsiback_tpg *tpg = pending_req->v2p->tpg;
        struct scsiback_nexus *nexus = tpg->tpg_nexus;
        struct se_cmd *se_cmd = &pending_req->se_cmd;
-       struct scsiback_tmr *tmr;
        u64 unpacked_lun = pending_req->v2p->lun;
        int rc, err = FAILED;
 
-       tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
-       if (!tmr) {
-               target_put_sess_cmd(se_cmd);
-               goto err;
-       }
-
-       init_waitqueue_head(&tmr->tmr_wait);
+       init_waitqueue_head(&pending_req->tmr_wait);
 
        rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
                               &pending_req->sense_buffer[0],
-                              unpacked_lun, tmr, act, GFP_KERNEL,
+                              unpacked_lun, NULL, act, GFP_KERNEL,
                               tag, TARGET_SCF_ACK_KREF);
        if (rc)
                goto err;
 
-       wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
+       wait_event(pending_req->tmr_wait,
+                  atomic_read(&pending_req->tmr_complete));
 
        err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
                SUCCESS : FAILED;
@@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend 
*pending_req,
        scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
        transport_generic_free_cmd(&pending_req->se_cmd, 1);
        return;
+
 err:
-       if (tmr)
-               kfree(tmr);
        scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
 }
 
@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd 
*se_cmd)
 static void scsiback_release_cmd(struct se_cmd *se_cmd)
 {
        struct se_session *se_sess = se_cmd->se_sess;
-       struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-
-       if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
-               struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
-               kfree(tmr);
-       }
 
        percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
 }
@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd)
 
 static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
 {
-       struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-       struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+       struct vscsibk_pend *pending_req = container_of(se_cmd,
+                               struct vscsibk_pend, se_cmd);
 
-       atomic_set(&tmr->tmr_complete, 1);
-       wake_up(&tmr->tmr_wait);
+       atomic_set(&pending_req->tmr_complete, 1);
+       wake_up(&pending_req->tmr_wait);
 }
 
 static void scsiback_aborted_task(struct se_cmd *se_cmd)
-- 
2.12.2


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.