author | Dmitry Fomichev <[email protected]> | 2019-08-11 11:25:10 -0700 |
---|---|---|
committer | Martin K. Petersen <[email protected]> | 2019-08-14 21:58:55 -0400 |
commit | a86a75865ff4d8c05f355d1750a5250aec89ab15 (patch) | |
tree | b5389c79415919888ee79500f0415ec121ab97f3 /tools/perf/util/trace-event-scripting.c | |
parent | 26fa656e9a0cbccddf7db132ea020d2169dbe46e (diff) |

scsi: target: tcmu: avoid use-after-free after command timeout

In tcmu_handle_completion() function, the variable called read_len is
always initialized with a value taken from se_cmd structure. If this
function is called to complete an expired (timed out) command, the
session command pointed to by se_cmd is likely to be already deallocated by
the target core at that moment. As a result, this access triggers a
use-after-free warning from KASAN.

This patch fixes the code not to touch se_cmd when completing timed out
TCMU commands. It also resets the pointer to se_cmd at the time when the
TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
after calling target_complete_cmd() later in the same function,
tcmu_check_expired_cmd().

Signed-off-by: Dmitry Fomichev <[email protected]>
Acked-by: Mike Christie <[email protected]>
Reviewed-by: Damien Le Moal <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Diffstat (limited to 'tools/perf/util/trace-event-scripting.c')
0 files changed, 0 insertions, 0 deletions