[15/33] xen/scsiback: Fix a use-after-free

Message ID	20170523234854.21452-16-bart.vanassche@sandisk.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <target-devel-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates 63.163.107.225 as permitted sender) receiver=protection.outlook.com; client-ip=63.163.107.225; helo=milsmgep14.sandisk.com; From: Bart Van Assche <bart.vanassche@sandisk.com> To: Nicholas Bellinger <nab@linux-iscsi.org> CC: <target-devel@vger.kernel.org>, Bart Van Assche <bart.vanassche@sandisk.com>, Juergen Gross <jgross@suse.com>, "Christoph Hellwig" <hch@lst.de>, Hannes Reinecke <hare@suse.com>, David Disseldorp <ddiss@suse.de>, <xen-devel@lists.xenproject.org> Subject: [PATCH 15/33] xen/scsiback: Fix a use-after-free Date: Tue, 23 May 2017 16:48:36 -0700 Message-ID: <20170523234854.21452-16-bart.vanassche@sandisk.com> In-Reply-To: <20170523234854.21452-1-bart.vanassche@sandisk.com> References: <20170523234854.21452-1-bart.vanassche@sandisk.com> MIME-Version: 1.0 Content-Type: text/plain WDCIPOUTBOUND: EOP-TRUE X-Microsoft-Exchange-Diagnostics: 1; BN6PR04MB0499; 20:p3jzdI54RhtPKQC2WNn8UYUzx8PPPzpI42VjTJQphxz5RO+vZ7z/CCm1exLkewNaYhbiT3i5wax6jEpHnIh+Ch2K3qvpJl2Hwf5S3U84nam/m94Kf2MTfA/pGijwl6q9hZ60O1TioNLxUpjLzSOQxMnMW2FKk1xpoq120b3EZ4DCEuTyTZFieG8cuonkcY5gHNW987OyQ5zPJoB7Swiy1O6Zli32hF5iqqiDbbAH4YE8DZc4C/txYT28vallSepR69wu9uuLF0JpHEa39aJhy5hsprBTnQ4sgB7/NUMkbgvYLd87BNhFWaNKlXIvtKc0hATPz6Hl5aip0Qd/osZnltJPe29wTpW/dsnDT2XYOZk7MOA0SE45HxbNgH0XmKpLA+y/0xdOl82qDQZ9BquM5Fc8gv+V+ekdaywsNSZF3n6ryJ1Yksb3sDTC2z2Aj37wiVXUrnwG5mBmjYaz1rRCEylSGPtZ/GtNUB0y/5SxlsP0PUL4i37vKCXKGVNIdozh SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; BN6PR04MB0499; 7:gUgto4su02UO9a0pc16IS6sDiTUv74Dq4DgK3cWN4dNC/IU5AYGUyJm9A6BW6ObAx3L7xXfs5PkOjREeYQEY3Ltv3dN5IbzwE72ofJQZumiAhjHcIVDCUPYwfv6hnHmjxp/6lPRTBnYHRJLhg4xZeWqeluUEs3bNIeMYW3JcrsZzPkPQzN5TYwMG8yC9A3ssoWIViPrhJGtjh2w5cNO8qNcCUMPzj7AfENss+m3eJSrmSz2+QrgwjYraLUv4YZnFePc2GLysXPy5FvQ1HatAg6f4SFP3Tmk+0T1kQkTRwA9+V42jLRoZey2QGBFMOX7xNYg5jhXdBG0ImW5Ak/xaiw==; 20:oJgMDZL0m4mmzoaEeKwTWHHy1Jc26IIqnaYK4Vw4zpqxoXmtYOEYkx3XY03VlvA7Gnk8bpp2BFL42JCy6CU4bSzr0SYhnI5khSrHZ7VI66KWN7DblYuFIOWEM8cTCM2g3i89GAKtiUa/VVL8RXbwbXvavP30qG0U0O6cFPlMH+k= Sender: target-devel-owner@vger.kernel.org Precedence: bulk

Message ID

20170523234854.21452-16-bart.vanassche@sandisk.com (mailing list archive)

State

New, archived

Headers

Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates
	63.163.107.225 as permitted sender)
	receiver=protection.outlook.com; 
	client-ip=63.163.107.225; helo=milsmgep14.sandisk.com;
From: Bart Van Assche <bart.vanassche@sandisk.com>
To: Nicholas Bellinger <nab@linux-iscsi.org>
CC: <target-devel@vger.kernel.org>,
	Bart Van Assche <bart.vanassche@sandisk.com>,
	Juergen Gross <jgross@suse.com>,
	"Christoph Hellwig" <hch@lst.de>, Hannes Reinecke <hare@suse.com>,
	David Disseldorp <ddiss@suse.de>, <xen-devel@lists.xenproject.org>
Subject: [PATCH 15/33] xen/scsiback: Fix a use-after-free
Date: Tue, 23 May 2017 16:48:36 -0700
Message-ID: <20170523234854.21452-16-bart.vanassche@sandisk.com>
In-Reply-To: <20170523234854.21452-1-bart.vanassche@sandisk.com>
References: <20170523234854.21452-1-bart.vanassche@sandisk.com>
MIME-Version: 1.0
Content-Type: text/plain
WDCIPOUTBOUND: EOP-TRUE
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 May 2017 23:49:03.0479
	(UTC)
X-MS-Exchange-CrossTenant-Id: b61c8803-16f3-4c35-9b17-6f65f441df86
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b61c8803-16f3-4c35-9b17-6f65f441df86;
	Ip=[63.163.107.225]; Helo=[milsmgep14.sandisk.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR04MB0499
Sender: target-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <target-devel.vger.kernel.org>
X-Mailing-List: target-devel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Bart Van Assche May 23, 2017, 11:48 p.m. UTC

scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
because that memory is freed by target_free_cmd_mem() before
scsiback_release_cmd() is called. Fix this use-after-free by
inlining struct scsiback_tmr into struct vscsibk_pend.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: David Disseldorp <ddiss@suse.de>
Cc: xen-devel@lists.xenproject.org
---
 drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

Comments

Jürgen Groß May 26, 2017, 9:57 a.m. UTC | #1

On 24/05/17 01:48, Bart Van Assche wrote:
> scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
> because that memory is freed by target_free_cmd_mem() before
> scsiback_release_cmd() is called. Fix this use-after-free by
> inlining struct scsiback_tmr into struct vscsibk_pend.
> 
> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
> Cc: Juergen Gross <jgross@suse.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Hannes Reinecke <hare@suse.com>
> Cc: David Disseldorp <ddiss@suse.de>
> Cc: xen-devel@lists.xenproject.org

Reviewed-by: Juergen Gross <jgross@suse.com>


Juergen
--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Nicholas A. Bellinger June 3, 2017, 5:40 a.m. UTC | #2

On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote:
> scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
> because that memory is freed by target_free_cmd_mem() before
> scsiback_release_cmd() is called. Fix this use-after-free by
> inlining struct scsiback_tmr into struct vscsibk_pend.
> 
> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
> Cc: Juergen Gross <jgross@suse.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Hannes Reinecke <hare@suse.com>
> Cc: David Disseldorp <ddiss@suse.de>
> Cc: xen-devel@lists.xenproject.org
> ---
>  drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
>  1 file changed, 9 insertions(+), 24 deletions(-)

Applied.

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Nicholas A. Bellinger June 3, 2017, 7:04 a.m. UTC | #3

On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote:
> On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote:
> > scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
> > because that memory is freed by target_free_cmd_mem() before
> > scsiback_release_cmd() is called. Fix this use-after-free by
> > inlining struct scsiback_tmr into struct vscsibk_pend.
> > 
> > Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
> > Cc: Juergen Gross <jgross@suse.com>
> > Cc: Christoph Hellwig <hch@lst.de>
> > Cc: Hannes Reinecke <hare@suse.com>
> > Cc: David Disseldorp <ddiss@suse.de>
> > Cc: xen-devel@lists.xenproject.org
> > ---
> >  drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
> >  1 file changed, 9 insertions(+), 24 deletions(-)
> 
> Applied.
> 

Oh btw, this looks like stable material to me.

So unless Juergen has any objections, adding a v3.18+ tag.

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jürgen Groß June 3, 2017, 7:06 a.m. UTC | #4

On 03/06/17 09:04, Nicholas A. Bellinger wrote:
> On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote:
>> On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote:
>>> scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
>>> because that memory is freed by target_free_cmd_mem() before
>>> scsiback_release_cmd() is called. Fix this use-after-free by
>>> inlining struct scsiback_tmr into struct vscsibk_pend.
>>>
>>> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
>>> Cc: Juergen Gross <jgross@suse.com>
>>> Cc: Christoph Hellwig <hch@lst.de>
>>> Cc: Hannes Reinecke <hare@suse.com>
>>> Cc: David Disseldorp <ddiss@suse.de>
>>> Cc: xen-devel@lists.xenproject.org
>>> ---
>>>  drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
>>>  1 file changed, 9 insertions(+), 24 deletions(-)
>>
>> Applied.
>>
> 
> Oh btw, this looks like stable material to me.
> 
> So unless Juergen has any objections, adding a v3.18+ tag.

No objections from me.


Juergen

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index d6950e0802b7..980f32817305 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -134,9 +134,7 @@  struct vscsibk_pend {
 	struct page *pages[VSCSI_MAX_GRANTS];
 
 	struct se_cmd se_cmd;
-};
 
-struct scsiback_tmr {
 	atomic_t tmr_complete;
 	wait_queue_head_t tmr_wait;
 };
@@ -599,26 +597,20 @@  static void scsiback_device_action(struct vscsibk_pend *pending_req,
 	struct scsiback_tpg *tpg = pending_req->v2p->tpg;
 	struct scsiback_nexus *nexus = tpg->tpg_nexus;
 	struct se_cmd *se_cmd = &pending_req->se_cmd;
-	struct scsiback_tmr *tmr;
 	u64 unpacked_lun = pending_req->v2p->lun;
 	int rc, err = FAILED;
 
-	tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
-	if (!tmr) {
-		target_put_sess_cmd(se_cmd);
-		goto err;
-	}
-
-	init_waitqueue_head(&tmr->tmr_wait);
+	init_waitqueue_head(&pending_req->tmr_wait);
 
 	rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
 			       &pending_req->sense_buffer[0],
-			       unpacked_lun, tmr, act, GFP_KERNEL,
+			       unpacked_lun, NULL, act, GFP_KERNEL,
 			       tag, TARGET_SCF_ACK_KREF);
 	if (rc)
 		goto err;
 
-	wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
+	wait_event(pending_req->tmr_wait,
+		   atomic_read(&pending_req->tmr_complete));
 
 	err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
 		SUCCESS : FAILED;
@@ -626,9 +618,8 @@  static void scsiback_device_action(struct vscsibk_pend *pending_req,
 	scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
 	transport_generic_free_cmd(&pending_req->se_cmd, 1);
 	return;
+
 err:
-	if (tmr)
-		kfree(tmr);
 	scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
 }
 
@@ -1389,12 +1380,6 @@  static int scsiback_check_stop_free(struct se_cmd *se_cmd)
 static void scsiback_release_cmd(struct se_cmd *se_cmd)
 {
 	struct se_session *se_sess = se_cmd->se_sess;
-	struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-
-	if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
-		struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
-		kfree(tmr);
-	}
 
 	percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
 }
@@ -1455,11 +1440,11 @@  static int scsiback_queue_status(struct se_cmd *se_cmd)
 
 static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
 {
-	struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
-	struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+	struct vscsibk_pend *pending_req = container_of(se_cmd,
+				struct vscsibk_pend, se_cmd);
 
-	atomic_set(&tmr->tmr_complete, 1);
-	wake_up(&tmr->tmr_wait);
+	atomic_set(&pending_req->tmr_complete, 1);
+	wake_up(&pending_req->tmr_wait);
 }
 
 static void scsiback_aborted_task(struct se_cmd *se_cmd)

[15/33] xen/scsiback: Fix a use-after-free

Commit Message

Comments

Patch