From patchwork Tue May 23 23:48:36 2017
X-Patchwork-Submitter: Bart Van Assche
X-Patchwork-Id: 9744453
From: Bart Van Assche
To: Nicholas Bellinger
CC: Bart Van Assche, Juergen Gross, Christoph Hellwig, Hannes Reinecke, David Disseldorp
Subject: [PATCH 15/33] xen/scsiback: Fix a use-after-free
Date: Tue, 23 May 2017 16:48:36 -0700
Message-ID: <20170523234854.21452-16-bart.vanassche@sandisk.com>
X-Mailer: git-send-email 2.12.2
In-Reply-To: <20170523234854.21452-1-bart.vanassche@sandisk.com>
References: <20170523234854.21452-1-bart.vanassche@sandisk.com>
X-Mailing-List: target-devel@vger.kernel.org

scsiback_release_cmd() must not dereference se_cmd->se_tmr_req because that memory is freed by target_free_cmd_mem() before scsiback_release_cmd() is called. Fix this use-after-free by inlining struct scsiback_tmr into struct vscsibk_pend.

Signed-off-by: Bart Van Assche
Cc: Juergen Gross
Cc: Christoph Hellwig
Cc: Hannes Reinecke
Cc: David Disseldorp
Cc: xen-devel@lists.xenproject.org
Reviewed-by: Juergen Gross
--- drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ 1 file changed, 9 insertions(+), 24 deletions(-) diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c index d6950e0802b7..980f32817305 100644 --- a/drivers/xen/xen-scsiback.c +++ b/drivers/xen/xen-scsiback.c @@ -134,9 +134,7 @@ struct vscsibk_pend { struct page *pages[VSCSI_MAX_GRANTS]; struct se_cmd se_cmd; -}; -struct scsiback_tmr { atomic_t tmr_complete; wait_queue_head_t tmr_wait; }; 
@@ -599,26 +597,20 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, struct scsiback_tpg *tpg = pending_req->v2p->tpg; struct scsiback_nexus *nexus = tpg->tpg_nexus; struct se_cmd *se_cmd = &pending_req->se_cmd; - struct scsiback_tmr *tmr; u64 unpacked_lun = pending_req->v2p->lun; int rc, err = FAILED; - tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL); - if (!tmr) { - target_put_sess_cmd(se_cmd); - goto err; - } - - init_waitqueue_head(&tmr->tmr_wait); + init_waitqueue_head(&pending_req->tmr_wait); rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess, &pending_req->sense_buffer[0], - unpacked_lun, tmr, act, GFP_KERNEL, + unpacked_lun, NULL, act, GFP_KERNEL, tag, TARGET_SCF_ACK_KREF); if (rc) goto err; - wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete)); + wait_event(pending_req->tmr_wait, + atomic_read(&pending_req->tmr_complete)); err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ? SUCCESS : FAILED; @@ -626,9 +618,8 @@ static void scsiback_device_action(struct vscsibk_pend *pending_req, scsiback_do_resp_with_sense(NULL, err, 0, pending_req); transport_generic_free_cmd(&pending_req->se_cmd, 1); return; + err: - if (tmr) - kfree(tmr); scsiback_do_resp_with_sense(NULL, err, 0, pending_req); } @@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(struct se_cmd *se_cmd) static void scsiback_release_cmd(struct se_cmd *se_cmd) { struct se_session *se_sess = se_cmd->se_sess; - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - - if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) { - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; - kfree(tmr); - } percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag); } 
@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct se_cmd *se_cmd) static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd) { - struct se_tmr_req *se_tmr = se_cmd->se_tmr_req; - struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr; + struct vscsibk_pend *pending_req = container_of(se_cmd, + struct vscsibk_pend, se_cmd); - atomic_set(&tmr->tmr_complete, 1); - wake_up(&tmr->tmr_wait); + atomic_set(&pending_req->tmr_complete, 1); + wake_up(&pending_req->tmr_wait); } static void scsiback_aborted_task(struct se_cmd *se_cmd)
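Review bot: In scsiback_device_action(), pending_req->tmr_complete is never reset before wait_event() now that the kzalloc() which used to zero it is gone. The hunk only adds init_waitqueue_head(&pending_req->tmr_wait), so if a struct vscsibk_pend can be reused without being cleared, a stale tmr_complete of 1 would let wait_event() return before scsiback_queue_tm_rsp() has run, and se_cmd->se_tmr_req->response would be read too early. Either add atomic_set(&pending_req->tmr_complete, 0) next to the init_waitqueue_head() call, or say in the commit message where pending_req is zeroed so the reader can check it.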
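Review bot: The scsiback_release_cmd() hunk, which drops the se_cmd->se_tmr_req dereference and the kfree(tmr), is the actual use-after-free fix, yet the commit message has no Fixes: tag and no stable Cc. Please name the commit that introduced the dereference so that the fix can be matched to affected trees and backported on its own, since this is patch 15 of a 33-patch series.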
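Review bot: The atomic_set(&pending_req->tmr_complete, 1) followed by wake_up(&pending_req->tmr_wait) in scsiback_queue_tm_rsp(), paired with wait_event() on atomic_read() in scsiback_device_action(), is an open-coded completion. Now that both fields live in struct vscsibk_pend, consider replacing them with a single struct completion and using complete() and wait_for_completion(); init_completion() at the start of scsiback_device_action() would also make the per-request reset explicit. The container_of() conversion itself looks correct because se_cmd is embedded in struct vscsibk_pend.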