* [PATCH] scsi: fix use-after-free in scsi_init_io()
@ 2010-08-16 14:15 Tejun Heo
From: Tejun Heo @ 2010-08-16 14:15 UTC (permalink / raw)
To: James Bottomley, Linux SCSI List; +Cc: stable
scsi_init_io() dereferences scsi_cmnd after putting it in the error
path, leading to an oops. Fix it.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@kernel.org
---
drivers/scsi/scsi_lib.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Index: block/drivers/scsi/scsi_lib.c
===================================================================
--- block.orig/drivers/scsi/scsi_lib.c
+++ block/drivers/scsi/scsi_lib.c
@@ -968,7 +968,9 @@ static int scsi_init_sgtable(struct requ
*/
int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
{
+ struct request *req = cmd->request;
int error = scsi_init_sgtable(cmd->request, &cmd->sdb, gfp_mask);
+
if (error)
goto err_exit;
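Review bot: the new `req` local is introduced here but the very next line still passes `cmd->request` to scsi_init_sgtable(); for consistency, `int error = scsi_init_sgtable(req, &cmd->sdb, gfp_mask);` would make it obvious that `req` is the same request pointer being cached for use in the error path.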
@@ -1012,7 +1014,7 @@ int scsi_init_io(struct scsi_cmnd *cmd,
err_exit:
scsi_release_buffers(cmd);
scsi_put_command(cmd);
- cmd->request->special = NULL;
+ req->special = NULL;
return error;
}
EXPORT_SYMBOL(scsi_init_io);
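Review bot: caching `req` avoids the bad dereference, but the root cause is the ordering in err_exit: `cmd` is touched after scsi_put_command(cmd) has already released it. Moving `cmd->request->special = NULL;` above `scsi_put_command(cmd);` fixes the use-after-free without the extra local and keeps the cleanup order self-explanatory. Either way, a short comment at err_exit stating that `cmd` must not be used after scsi_put_command() would help keep the same slip from being reintroduced.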
* Re: [PATCH] scsi: fix use-after-free in scsi_init_io()
From: Tejun Heo @ 2010-08-16 15:04 UTC (permalink / raw)
To: James Bottomley; +Cc: Linux SCSI List, stable
Hello,
On 08/16/2010 05:06 PM, James Bottomley wrote:
> Thanks for the bug report. The fix is a bit heavy handed; what about
> this?
Yeap, sure. Looks good to me.
--
tejun
* Re: [PATCH] scsi: fix use-after-free in scsi_init_io()
From: James Bottomley @ 2010-08-16 15:06 UTC (permalink / raw)
To: Tejun Heo; +Cc: Linux SCSI List, stable
On Mon, 2010-08-16 at 16:15 +0200, Tejun Heo wrote:
> scsi_init_io() dereferences scsi_cmnd after putting it in the error
> path, leading to an oops. Fix it.
>
> Signed-off-by: Tejun Heo <tj@kernel.org>
> Cc: stable@kernel.org
> ---
> drivers/scsi/scsi_lib.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Index: block/drivers/scsi/scsi_lib.c
> ===================================================================
> --- block.orig/drivers/scsi/scsi_lib.c
> +++ block/drivers/scsi/scsi_lib.c
> @@ -968,7 +968,9 @@ static int scsi_init_sgtable(struct requ
> */
> int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
> {
> + struct request *req = cmd->request;
> int error = scsi_init_sgtable(cmd->request, &cmd->sdb, gfp_mask);
> +
> if (error)
> goto err_exit;
>
> @@ -1012,7 +1014,7 @@ int scsi_init_io(struct scsi_cmnd *cmd,
> err_exit:
> scsi_release_buffers(cmd);
> scsi_put_command(cmd);
> - cmd->request->special = NULL;
> + req->special = NULL;
Thanks for the bug report. The fix is a bit heavy handed; what about
this?
James
---
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 9ade720..ee02d38 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1011,8 +1011,8 @@ int scsi_init_io(struct scsi_cmnd *cmd, gfp_t gfp_mask)
err_exit:
scsi_release_buffers(cmd);
- scsi_put_command(cmd);
cmd->request->special = NULL;
+ scsi_put_command(cmd);
return error;
}
EXPORT_SYMBOL(scsi_init_io);
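Review bot: this reorder clears `cmd->request->special` while `cmd` is still valid and leaves no reference to `cmd` after scsi_put_command(cmd) in this path, which is the minimal fix for the reported use-after-free. A one-line comment above scsi_put_command() noting that `cmd` must not be used afterward would document the invariant this ordering depends on, since nothing in the hunk otherwise signals why the two calls must stay in this order.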