From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>,
Mike Christie <mchristi@redhat.com>,
Damien Le Moal <damien.lemoal@wdc.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 17/45] scsi: target: tcmu: avoid use-after-free after command timeout
Date: Thu, 29 Aug 2019 14:15:17 -0400 [thread overview]
Message-ID: <20190829181547.8280-17-sashal@kernel.org> (raw)
In-Reply-To: <20190829181547.8280-1-sashal@kernel.org>
From: Dmitry Fomichev <dmitry.fomichev@wdc.com>
[ Upstream commit a86a75865ff4d8c05f355d1750a5250aec89ab15 ]
In tcmu_handle_completion() function, the variable called read_len is
always initialized with a value taken from se_cmd structure. If this
function is called to complete an expired (timed out) out command, the
session command pointed by se_cmd is likely to be already deallocated by
the target core at that moment. As the result, this access triggers a
use-after-free warning from KASAN.
This patch fixes the code not to touch se_cmd when completing timed out
TCMU commands. It also resets the pointer to se_cmd at the time when the
TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
after calling target_complete_cmd() later in the same function,
tcmu_check_expired_cmd().
Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Acked-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_user.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index c46efa47d68a5..7159e8363b83b 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1143,14 +1143,16 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
struct se_cmd *se_cmd = cmd->se_cmd;
struct tcmu_dev *udev = cmd->tcmu_dev;
bool read_len_valid = false;
- uint32_t read_len = se_cmd->data_length;
+ uint32_t read_len;
/*
* cmd has been completed already from timeout, just reclaim
* data area space and free cmd
*/
- if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags))
+ if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+ WARN_ON_ONCE(se_cmd);
goto out;
+ }
list_del_init(&cmd->queue_entry);
@@ -1163,6 +1165,7 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
goto done;
}
+ read_len = se_cmd->data_length;
if (se_cmd->data_direction == DMA_FROM_DEVICE &&
(entry->hdr.uflags & TCMU_UFLAG_READ_LEN) && entry->rsp.read_len) {
read_len_valid = true;
@@ -1318,6 +1321,7 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
*/
scsi_status = SAM_STAT_CHECK_CONDITION;
list_del_init(&cmd->queue_entry);
+ cmd->se_cmd = NULL;
} else {
list_del_init(&cmd->queue_entry);
idr_remove(&udev->commands, id);
@@ -2036,6 +2040,7 @@ static void tcmu_reset_ring(struct tcmu_dev *udev, u8 err_level)
idr_remove(&udev->commands, i);
if (!test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+ WARN_ON(!cmd->se_cmd);
list_del_init(&cmd->queue_entry);
if (err_level == 1) {
/*
--
2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>,
Mike Christie <mchristi@redhat.com>,
Damien Le Moal <damien.lemoal@wdc.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 17/45] scsi: target: tcmu: avoid use-after-free after command timeout
Date: Thu, 29 Aug 2019 18:15:17 +0000 [thread overview]
Message-ID: <20190829181547.8280-17-sashal@kernel.org> (raw)
In-Reply-To: <20190829181547.8280-1-sashal@kernel.org>
From: Dmitry Fomichev <dmitry.fomichev@wdc.com>
[ Upstream commit a86a75865ff4d8c05f355d1750a5250aec89ab15 ]
In tcmu_handle_completion() function, the variable called read_len is
always initialized with a value taken from se_cmd structure. If this
function is called to complete an expired (timed out) out command, the
session command pointed by se_cmd is likely to be already deallocated by
the target core at that moment. As the result, this access triggers a
use-after-free warning from KASAN.
This patch fixes the code not to touch se_cmd when completing timed out
TCMU commands. It also resets the pointer to se_cmd at the time when the
TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
after calling target_complete_cmd() later in the same function,
tcmu_check_expired_cmd().
Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Acked-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_user.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index c46efa47d68a5..7159e8363b83b 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1143,14 +1143,16 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
struct se_cmd *se_cmd = cmd->se_cmd;
struct tcmu_dev *udev = cmd->tcmu_dev;
bool read_len_valid = false;
- uint32_t read_len = se_cmd->data_length;
+ uint32_t read_len;
/*
* cmd has been completed already from timeout, just reclaim
* data area space and free cmd
*/
- if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags))
+ if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+ WARN_ON_ONCE(se_cmd);
goto out;
+ }
list_del_init(&cmd->queue_entry);
@@ -1163,6 +1165,7 @@ static void tcmu_handle_completion(struct tcmu_cmd *cmd, struct tcmu_cmd_entry *
goto done;
}
+ read_len = se_cmd->data_length;
if (se_cmd->data_direction = DMA_FROM_DEVICE &&
(entry->hdr.uflags & TCMU_UFLAG_READ_LEN) && entry->rsp.read_len) {
read_len_valid = true;
@@ -1318,6 +1321,7 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
*/
scsi_status = SAM_STAT_CHECK_CONDITION;
list_del_init(&cmd->queue_entry);
+ cmd->se_cmd = NULL;
} else {
list_del_init(&cmd->queue_entry);
idr_remove(&udev->commands, id);
@@ -2036,6 +2040,7 @@ static void tcmu_reset_ring(struct tcmu_dev *udev, u8 err_level)
idr_remove(&udev->commands, i);
if (!test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
+ WARN_ON(!cmd->se_cmd);
list_del_init(&cmd->queue_entry);
if (err_level = 1) {
/*
--
2.20.1
next prev parent reply other threads:[~2019-08-29 18:16 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 18:15 [PATCH AUTOSEL 4.19 01/45] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 02/45] netfilter: nf_tables: use-after-free in failing rule with bound set Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 03/45] rxrpc: Fix local endpoint refcounting Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 04/45] tools: bpftool: fix error message (prog -> object) Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 05/45] hv_netvsc: Fix a warning of suspicious RCU usage Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 06/45] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 07/45] Bluetooth: btqca: Add a short delay before downloading the NVM Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 08/45] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 09/45] ibmveth: Convert multicast list size for little-endian system Sasha Levin
2019-08-29 18:15 ` Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 10/45] gpio: Fix build error of function redefinition Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 11/45] netfilter: nft_flow_offload: skip tcp rst and fin packets Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 12/45] rxrpc: Fix local endpoint replacement Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 13/45] rxrpc: Fix read-after-free in rxrpc_queue_local() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 14/45] drm/mediatek: use correct device to import PRIME buffers Sasha Levin
2019-08-29 18:15 ` Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 15/45] drm/mediatek: set DMA max segment size Sasha Levin
2019-08-29 18:15 ` Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 16/45] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Sasha Levin
2019-08-29 18:15 ` Sasha Levin [this message]
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 17/45] scsi: target: tcmu: avoid use-after-free after command timeout Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 18/45] cxgb4: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 19/45] liquidio: add cleanup in octeon_setup_iq() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 20/45] net: myri10ge: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 21/45] lan78xx: Fix " Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 22/45] vfs: fix page locking deadlocks when deduping files Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 23/45] cx82310_eth: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 24/45] net: kalmia: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 25/45] ibmvnic: Unmap DMA address of TX descriptor buffers after use Sasha Levin
2019-08-29 18:15 ` Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 26/45] net: cavium: fix driver name Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 27/45] wimax/i2400m: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 28/45] ravb: Fix use-after-free ravb_tstamp_skb Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 29/45] kprobes: Fix potential deadlock in kprobe_optimizer() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 30/45] HID: cp2112: prevent sleeping function called from invalid context Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 31/45] x86/boot/compressed/64: Fix boot on machines with broken E820 table Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 32/45] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 33/45] Tools: hv: kvp: eliminate 'may be used uninitialized' warning Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 34/45] nvme-multipath: fix possible I/O hang when paths are updated Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 35/45] IB/mlx4: Fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 36/45] infiniband: hfi1: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 37/45] infiniband: hfi1: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 38/45] selftests: kvm: fix state save/load on processors without XSAVE Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 39/45] selftests/kvm: make platform_info_test pass on AMD Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 40/45] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 41/45] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 42/45] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 43/45] KVM: arm/arm64: Only skip MMIO insn once Sasha Levin
2019-08-29 18:15 ` Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 44/45] afs: Fix leak in afs_lookup_cell_rcu() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 45/45] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Sasha Levin
2019-08-29 18:15 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190829181547.8280-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=damien.lemoal@wdc.com \
--cc=dmitry.fomichev@wdc.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mchristi@redhat.com \
--cc=stable@vger.kernel.org \
--cc=target-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.