path: root/drivers/scsi
author: Dmitry Fomichev <dmitry.fomichev@wdc.com> 2019-08-11 11:25:10 -0700
committer: Martin K. Petersen <martin.petersen@oracle.com> 2019-08-14 21:58:55 -0400
commit: a86a75865ff4d8c05f355d1750a5250aec89ab15
tree: b5389c79415919888ee79500f0415ec121ab97f3 /drivers/scsi
parent: scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure
scsi: target: tcmu: avoid use-after-free after command timeout

In tcmu_handle_completion() function, the variable called read_len is always initialized with a value taken from se_cmd structure. If this function is called to complete an expired (timed out) out command, the session command pointed by se_cmd is likely to be already deallocated by the target core at that moment. As the result, this access triggers a use-after-free warning from KASAN.

This patch fixes the code not to touch se_cmd when completing timed out TCMU commands. It also resets the pointer to se_cmd at the time when the TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid after calling target_complete_cmd() later in the same function, tcmu_check_expired_cmd().

Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Acked-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Diffstat (limited to 'drivers/scsi')
0 files changed, 0 insertions, 0 deletions
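
The ownership pattern the commit message describes, as an added userspace C model that is not the kernel patch or any code from this commit. Every `model_*` name, the `data_length` field and the sample sizes are assumptions made for illustration; `expired` stands in for TCMU_CMD_BIT_EXPIRED and `model_core_complete()` for target_complete_cmd().

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model only: hypothetical types, not the kernel's structures. */
struct model_se_cmd { uint32_t data_length; };
struct model_tcmu_cmd {
    struct model_se_cmd *se_cmd; /* owned by the "target core" */
    int expired;                 /* stands in for TCMU_CMD_BIT_EXPIRED */
};

/* Stands in for target_complete_cmd(): after this the core may free se_cmd. */
static void model_core_complete(struct model_se_cmd *se_cmd) { free(se_cmd); }

/* Timeout path: set the flag and drop our pointer before handing se_cmd back. */
static void model_check_expired(struct model_tcmu_cmd *cmd)
{
    struct model_se_cmd *se_cmd = cmd->se_cmd;
    cmd->expired = 1;
    cmd->se_cmd = NULL;          /* the pointer is about to become invalid */
    model_core_complete(se_cmd);
}

/* Completion path: returns 0 and sets *read_len for a live command,
 * returns -1 without dereferencing se_cmd for an expired one. */
static int model_handle_completion(struct model_tcmu_cmd *cmd, uint32_t *read_len)
{
    if (cmd->expired)
        return -1;               /* only per-command cleanup would happen here */
    *read_len = cmd->se_cmd->data_length;
    model_core_complete(cmd->se_cmd);
    cmd->se_cmd = NULL;
    return 0;
}

/* Exercises both orderings; returns 1 when each behaves as intended. */
static int model_demo(void)
{
    struct model_tcmu_cmd live = { calloc(1, sizeof(struct model_se_cmd)), 0 };
    struct model_tcmu_cmd late = { calloc(1, sizeof(struct model_se_cmd)), 0 };
    uint32_t len = 0;
    int ok;
    if (!live.se_cmd || !late.se_cmd) { free(live.se_cmd); free(late.se_cmd); return 0; }
    live.se_cmd->data_length = 512;   /* constructed sample values */
    late.se_cmd->data_length = 4096;
    ok = model_handle_completion(&live, &len) == 0 && len == 512;
    model_check_expired(&late);       /* the timeout fires before the completion */
    ok = ok && model_handle_completion(&late, &len) == -1 && len == 512;
    return ok && late.se_cmd == NULL;
}

int main(void) { return model_demo() ? 0 : 1; }
```

Building the model with `-fsanitize=address` and removing the `expired` check makes the late completion fault on the cleared pointer instead of silently reading freed memory.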