summaryrefslogtreecommitdiff
path: root/include/drm
diff options
context:
space:
mode:
authorDmitry Fomichev <dmitry.fomichev@wdc.com>2019-08-11 21:25:10 +0300
committerMartin K. Petersen <martin.petersen@oracle.com>2019-08-15 04:58:55 +0300
commita86a75865ff4d8c05f355d1750a5250aec89ab15 (patch)
treeb5389c79415919888ee79500f0415ec121ab97f3 /include/drm
parent26fa656e9a0cbccddf7db132ea020d2169dbe46e (diff)
downloadlinux-a86a75865ff4d8c05f355d1750a5250aec89ab15.tar.xz
scsi: target: tcmu: avoid use-after-free after command timeout
In tcmu_handle_completion() function, the variable called read_len is always initialized with a value taken from se_cmd structure. If this function is called to complete an expired (timed out) out command, the session command pointed by se_cmd is likely to be already deallocated by the target core at that moment. As the result, this access triggers a use-after-free warning from KASAN. This patch fixes the code not to touch se_cmd when completing timed out TCMU commands. It also resets the pointer to se_cmd at the time when the TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid after calling target_complete_cmd() later in the same function, tcmu_check_expired_cmd(). Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com> Acked-by: Mike Christie <mchristi@redhat.com> Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'include/drm')
0 files changed, 0 insertions, 0 deletions