From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753704AbdGYUCy (ORCPT ); Tue, 25 Jul 2017 16:02:54 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:35684 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753500AbdGYTX4 (ORCPT ); Tue, 25 Jul 2017 15:23:56 -0400
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bart Van Assche , Juergen Gross , Christoph Hellwig , Hannes Reinecke , David Disseldorp , xen-devel@lists.xenproject.org, Nicholas Bellinger
Subject: [PATCH 4.12 047/196] xen/scsiback: Fix a TMR related use-after-free
Date: Tue, 25 Jul 2017 12:20:46 -0700
Message-Id: <20170725192048.947682613@linuxfoundation.org>
X-Mailer: git-send-email 2.13.3
In-Reply-To: <20170725192046.422343510@linuxfoundation.org>
References: <20170725192046.422343510@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.12-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche

commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream.

scsiback_release_cmd() must not dereference se_cmd->se_tmr_req because that memory is freed by target_free_cmd_mem() before scsiback_release_cmd() is called. Fix this use-after-free by inlining struct scsiback_tmr into struct vscsibk_pend.

Signed-off-by: Bart Van Assche
Reviewed-by: Juergen Gross
Cc: Christoph Hellwig
Cc: Hannes Reinecke
Cc: David Disseldorp
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Nicholas Bellinger
Signed-off-by: Greg Kroah-Hartman
---
 drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -134,9 +134,7 @@ struct vscsibk_pend { struct page *pages[VSCSI_MAX_GRANTS]; struct se_cmd se_cmd; -}; -struct scsiback_tmr { atomic_t tmr_complete; wait_queue_head_t tmr_wait; }; @@ -599,26 +597,20 @@ static void scsiback_device_action(struc struct scsiback_tpg *tpg = pending_req->v2p->tpg; struct scsiback_nexus *nexus = tpg->tpg_nexus; struct se_cmd *se_cmd = &pending_req->se_cmd; - struct scsiback_tmr *tmr; u64 unpacked_lun = pending_req->v2p->lun; int rc, err = FAILED; - tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL); - if (!tmr) { - target_put_sess_cmd(se_cmd); - goto err; - } - - init_waitqueue_head(&tmr->tmr_wait); + init_waitqueue_head(&pending_req->tmr_wait); rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess, &pending_req->sense_buffer[0], - unpacked_lun, tmr, act, GFP_KERNEL, + unpacked_lun, NULL, act, GFP_KERNEL, tag, TARGET_SCF_ACK_KREF); if (rc) goto err; - wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete)); + wait_event(pending_req->tmr_wait, + atomic_read(&pending_req->tmr_complete)); err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ? SUCCESS : FAILED; @@ -626,9 +618,8 @@ static void scsiback_device_action(struc scsiback_do_resp_with_sense(NULL, err, 0, pending_req); transport_generic_free_cmd(&pending_req->se_cmd, 1); return; + err: - if (tmr) - kfree(tmr); scsiback_do_resp_with_sense(NULL, err, 0, pending_req); } @@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru static void scsiback_release_cmd(struct se_cmd *se_cmd) { struct se_session *se_sess = se_cmd->se_sess; - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - - if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) { - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; - kfree(tmr); - } percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag); } 
@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd) { - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; + struct vscsibk_pend *pending_req = container_of(se_cmd, + struct vscsibk_pend, se_cmd); - atomic_set(&tmr->tmr_complete, 1); - wake_up(&tmr->tmr_wait); + atomic_set(&pending_req->tmr_complete, 1); + wake_up(&pending_req->tmr_wait); } static void scsiback_aborted_task(struct se_cmd *se_cmd)
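Review bot: the @@ -134 hunk makes tmr_complete and tmr_wait members of every struct vscsibk_pend, not only of TMR requests, so a short comment marking the two fields as "TMR-only, valid between scsiback_device_action() and scsiback_queue_tm_rsp()" would save the next reader from looking for the old scsiback_tmr allocation; the size cost is negligible next to the pages[VSCSI_MAX_GRANTS] array already in the struct.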
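Review bot: in the @@ -599 hunk nothing resets pending_req->tmr_complete to 0 before the new wait_event(); the removed kzalloc() zeroed the old scsiback_tmr on every call, but the flag now lives in pending_req, so if a pending_req is reused for a later TMR while tmr_complete is still 1 from the previous one, wait_event() returns immediately, before scsiback_queue_tm_rsp() has run, and the following read of se_cmd->se_tmr_req->response reports on an unfinished TMR. Suggest `atomic_set(&pending_req->tmr_complete, 0);` next to `init_waitqueue_head(&pending_req->tmr_wait);`, or a one-line comment pointing at wherever pending_req is zeroed on allocation if that already covers it.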
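Review bot: in the @@ -626 hunk the only remaining jump to err: is the target_submit_tmr() failure path, and that label now runs scsiback_do_resp_with_sense() without a target_put_sess_cmd(); the deleted kzalloc-failure path did call target_put_sess_cmd(se_cmd) before its goto err, so the patch relies on target_submit_tmr() dropping its own reference when it returns non-zero. Worth confirming and stating in the commit message, since the se_cmd reference count is the thing that decides when scsiback_release_cmd() is reached. The added blank line before err: is a harmless style change.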
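Review bot: the @@ -1389 hunk is the use-after-free site named in the commit message: the dropped block read se_cmd->se_tmr_req and then se_tmr->fabric_tmr_ptr inside a callback that runs after target_free_cmd_mem() has already freed that request. After the change scsiback_release_cmd() touches only the session tag pool, which is the right shape for a release hook; it would help to add to the commit message that fabric_tmr_ptr is now passed as NULL to target_submit_tmr() (see the @@ -599 hunk), so nobody later reintroduces a per-TMR private allocation expecting to free it here.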
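Review bot: the container_of(se_cmd, struct vscsibk_pend, se_cmd) in the @@ -1455 hunk is sound only because se_cmd is embedded by value in struct vscsibk_pend (visible in the @@ -134 hunk) and every se_cmd reaching this fabric's callbacks originates from a pending_req; a one-line comment above it would help, since the previous code reached the TMR state through se_tmr_req->fabric_tmr_ptr and a reader may wonder why the indirection went away. The atomic_set() before wake_up() preserves the ordering the wait_event() in scsiback_device_action() depends on.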
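The ownership rule the commit message states (the core frees se_tmr_req before it calls the fabric's release callback, so per-TMR fabric state has to live in fabric-owned memory) can be exercised in user space. The following is an added example written for this page, not code from the patch or from the xen-scsiback driver: it models the target core with two hypothetical functions, core_submit_tmr() and core_free_cmd(), keeps the layout the patch moves to (tmr_complete embedded in vscsibk_pend and recovered with container_of), and stands in a hypothetical tag_freed counter and lifecycle_check() for percpu_ida_free() and a real test. The SUCCESS/FAILED values, the synchronous completion in place of wait_event(), and the explicit tmr_complete reset are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for target-core objects and constants; constructed for this example. */
#define TMR_FUNCTION_COMPLETE 0
#define SUCCESS 0
#define FAILED  1

struct se_tmr_req {
    int response;
};

struct se_cmd {
    struct se_tmr_req *se_tmr_req;   /* allocated and freed by the core, never by the fabric */
    int map_tag;
};

/* Fabric-side pending request with the TMR completion flag embedded in it,
 * the layout the patch moves to, instead of a separately kzalloc'd struct. */
struct vscsibk_pend {
    struct se_cmd se_cmd;
    int tmr_complete;
    int tag_freed;                   /* hypothetical: counts "percpu_ida_free" calls */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Core -> fabric: the TMR finished. Recover the owner via container_of, which is
 * valid because se_cmd is embedded by value in struct vscsibk_pend. */
static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
{
    struct vscsibk_pend *pending_req =
        container_of(se_cmd, struct vscsibk_pend, se_cmd);
    pending_req->tmr_complete = 1;
}

/* Core -> fabric: last callback, invoked after the core has already freed
 * se_cmd->se_tmr_req. Only fabric-owned state may be touched here. */
static void scsiback_release_cmd(struct se_cmd *se_cmd)
{
    struct vscsibk_pend *pending_req =
        container_of(se_cmd, struct vscsibk_pend, se_cmd);
    pending_req->tag_freed++;        /* stands in for percpu_ida_free() */
}

/* Simulated core: allocate the TMR request and complete it synchronously
 * (in the kernel the completion arrives later and wait_event() blocks for it). */
static int core_submit_tmr(struct se_cmd *se_cmd)
{
    se_cmd->se_tmr_req = calloc(1, sizeof(*se_cmd->se_tmr_req));
    if (!se_cmd->se_tmr_req)
        return -1;
    se_cmd->se_tmr_req->response = TMR_FUNCTION_COMPLETE;
    scsiback_queue_tm_rsp(se_cmd);
    return 0;
}

/* Simulated core teardown in the order the commit message describes:
 * the TMR request memory goes first, the fabric release hook runs afterwards. */
static void core_free_cmd(struct se_cmd *se_cmd)
{
    free(se_cmd->se_tmr_req);
    se_cmd->se_tmr_req = NULL;       /* a stale deref now faults on NULL instead of freed memory */
    scsiback_release_cmd(se_cmd);
}

/* Mirrors the flow of scsiback_device_action() after the patch. */
static int scsiback_device_action(struct vscsibk_pend *pending_req)
{
    struct se_cmd *se_cmd = &pending_req->se_cmd;
    int err = FAILED;

    pending_req->tmr_complete = 0;   /* per-request reset; the old kzalloc() did this implicitly */
    if (core_submit_tmr(se_cmd))
        return err;
    if (!pending_req->tmr_complete)  /* stands in for wait_event() on tmr_wait */
        return err;
    /* Read the response while se_tmr_req is still owned and valid... */
    err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ? SUCCESS : FAILED;
    core_free_cmd(se_cmd);           /* ...and never touch it after this point. */
    return err;
}

/* Hypothetical check: run two TMRs through one reused pending request and
 * report the first invariant that fails (0 = all held). */
int lifecycle_check(void)
{
    struct vscsibk_pend req;
    memset(&req, 0, sizeof(req));

    for (int i = 1; i <= 2; i++) {
        if (scsiback_device_action(&req) != SUCCESS)
            return 1;
        if (req.tmr_complete != 1)
            return 2;
        if (req.se_cmd.se_tmr_req != NULL)   /* core memory is gone by now */
            return 3;
        if (req.tag_freed != i)              /* release hook ran exactly once per TMR */
            return 4;
    }
    return 0;
}

int main(void)
{
    printf("lifecycle_check() = %d\n", lifecycle_check());
    return 0;
}
```

The point to take from the model is the split in ownership: the fabric reads se_tmr_req only between submission and core_free_cmd(), and everything it needs afterwards (tmr_complete, the tag) lives in memory it owns, so the release hook has nothing core-owned left to touch.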