[PATCH 4/4] UBUNTU: SAUCE: (no-up) target/user: Fix use-after-free of tcmu_cmds if they are expired
Tim Gardner
tim.gardner at canonical.com
Tue Dec 6 19:40:55 UTC 2016
From: Andy Grover <agrover at redhat.com>

BugLink: http://bugs.launchpad.net/bugs/1646204

Don't free the cmd in tcmu_check_expired_cmd, it's still referenced by
an entry in our cmd_id->cmd idr. If userspace ever resumes processing,
tcmu_handle_completions() will use the now-invalid cmd pointer.

Instead, don't free cmd. It will be freed by tcmu_handle_completion() if
userspace ever recovers, or tcmu_free_device if not.

Cc: stable at vger.kernel.org
Reported-by: Bryant G Ly <bgly at us.ibm.com>
Signed-off-by: Andy Grover <agrover at redhat.com>
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
drivers/target/target_core_user.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index f383561..cbc2ac9 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -668,8 +668,6 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
target_complete_cmd(cmd->se_cmd, SAM_STAT_CHECK_CONDITION);
cmd->se_cmd = NULL;
- kmem_cache_free(tcmu_cmd_cache, cmd);
-
return 0;
}
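Review bot: With the kmem_cache_free() call gone, the expired cmd stays reachable through the cmd_id->cmd idr with cmd->se_cmd already set to NULL, and nothing at this site records who owns it from here on. Suggest a short comment after `cmd->se_cmd = NULL;` stating that the cmd is freed later by the completion path or at device teardown, as the commit message describes, and please confirm that the completion path tolerates a NULL se_cmd and does not complete the command a second time. Also worth noting in the comment: if userspace never recovers, each expired cmd stays allocated until the device is freed.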
--
2.7.4