From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org,
Hu Tao <hutao@cn.fujitsu.com>
Subject: Re: [PATCH for 3.4] virtio-scsi: fix TMF use-after-free
Date: Wed, 18 Apr 2012 18:09:08 +0400
Message-ID: <1334758148.4410.51.camel@dabdike>
In-Reply-To: <1334756761-12312-1-git-send-email-pbonzini@redhat.com>
On Wed, 2012-04-18 at 15:46 +0200, Paolo Bonzini wrote:
> Fix a race in TMF path, where cmd may have been already freed
> by virtscsi_complete_free after waking up from the completion.
There's no may about this; the command will be freed long before the
completion waiter is awoken. The description could be clearer.
The problem is a use after free in virtscsi_tmf because the
virtio_scsi_command is freed before the completion returns.
The fix is to make callers specifying a completion responsible for
freeing the command in all cases.
James
> Cc: James Bottomley <JBottomley@parallels.com>
> Cc: linux-scsi@vger.kernel.org
> Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> drivers/scsi/virtio_scsi.c | 24 +++++++++++++-----------
> 1 file changed, 13 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index efccd72..1b38431 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -175,7 +175,8 @@ static void virtscsi_complete_free(void *buf)
>
> if (cmd->comp)
> complete_all(cmd->comp);
> - mempool_free(cmd, virtscsi_cmd_pool);
> + else
> + mempool_free(cmd, virtscsi_cmd_pool);
> }
>
> static void virtscsi_ctrl_done(struct virtqueue *vq)
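Review bot: the new `else` in virtscsi_complete_free turns a non-NULL cmd->comp into an ownership transfer: the device-side path no longer frees the command, so every caller that sets cmd->comp must now free it itself or the mempool entry leaks. The only setter visible in this patch is virtscsi_tmf, which the second hunk updates, but nothing in the code records the rule; a one-line comment on the `if (cmd->comp)` branch (e.g. "/* waiter owns the command and frees it */") or on the comp field would keep a later caller from reintroducing the leak.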
> @@ -311,21 +312,22 @@ out:
> static int virtscsi_tmf(struct virtio_scsi *vscsi, struct virtio_scsi_cmd *cmd)
> {
> DECLARE_COMPLETION_ONSTACK(comp);
> - int ret;
> + int ret = FAILED;
>
> cmd->comp = ∁
> - ret = virtscsi_kick_cmd(vscsi, vscsi->ctrl_vq, cmd,
> - sizeof cmd->req.tmf, sizeof cmd->resp.tmf,
> - GFP_NOIO);
> - if (ret < 0)
> - return FAILED;
> + if (virtscsi_kick_cmd(vscsi, vscsi->ctrl_vq, cmd,
> + sizeof cmd->req.tmf, sizeof cmd->resp.tmf,
> + GFP_NOIO) < 0)
> + goto out;
>
> wait_for_completion(&comp);
> - if (cmd->resp.tmf.response != VIRTIO_SCSI_S_OK &&
> - cmd->resp.tmf.response != VIRTIO_SCSI_S_FUNCTION_SUCCEEDED)
> - return FAILED;
> + if (cmd->resp.tmf.response == VIRTIO_SCSI_S_OK ||
> + cmd->resp.tmf.response == VIRTIO_SCSI_S_FUNCTION_SUCCEEDED)
> + ret = SUCCESS;
>
> - return SUCCESS;
> +out:
> + mempool_free(cmd, virtscsi_cmd_pool);
> + return ret;
> }
>
> static int virtscsi_device_reset(struct scsi_cmnd *sc)
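Review bot: the `out:` exit now also frees the command when virtscsi_kick_cmd fails, which the old `return FAILED` did not do; that silently fixes a leak on the kick-failure path and the commit message should mention it alongside the use-after-free. Taking the address of the on-stack completion before the kick is fine on both paths, since the command is freed at `out:` before the completion goes out of scope, and initialising `ret = FAILED` up front with a single free at `out:` is the right shape for this function.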
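The ownership problem James describes, as an added example that is neither the kernel code nor the patch: a constructed single-threaded model in which the device-side completion runs synchronously inside "kick", a `freed` flag stands in for a recycled mempool slot, and the waiter reports whether it read the command after it had already been freed. The names `complete_free_old`, `complete_free_new` and `tmf_touches_freed_memory` are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a command with an optional completion and a flag
 * that records whether its pool slot has been released. */
struct completion { bool done; };
struct cmd {
    struct completion *comp;
    int response;
    bool freed;
};

static void pool_free(struct cmd *c) { c->freed = true; }

/* Device-side completion before the patch: frees unconditionally. */
static void complete_free_old(struct cmd *c)
{
    if (c->comp) c->comp->done = true;
    pool_free(c);
}

/* Device-side completion after the patch: a set completion means the
 * waiter owns the command and is responsible for freeing it. */
static void complete_free_new(struct cmd *c)
{
    if (c->comp) c->comp->done = true;
    else pool_free(c);
}

/* Waiter side, mirroring the shape of virtscsi_tmf. Returns true if the
 * waiter read the response after the command had already been freed. */
static bool tmf_touches_freed_memory(void (*complete)(struct cmd *),
                                     bool waiter_frees)
{
    struct cmd c = { .comp = NULL, .response = 0, .freed = false };
    struct completion comp = { false };
    bool uaf;

    c.comp = &comp;
    complete(&c);              /* kick + device-side completion */
    while (!comp.done) {}      /* wait_for_completion */
    uaf = c.freed;             /* the old code reads resp.tmf here */
    (void)c.response;
    if (waiter_frees) pool_free(&c);   /* the patched path frees at out: */
    return uaf;
}

int main(void)
{
    printf("old path reads freed command: %d\n",
           tmf_touches_freed_memory(complete_free_old, false));
    printf("new path reads freed command: %d\n",
           tmf_touches_freed_memory(complete_free_new, true));
    return 0;
}
```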