a86a75865f
In tcmu_handle_completion() function, the variable called read_len is always initialized with a value taken from se_cmd structure. If this function is called to complete an expired (timed out) out command, the session command pointed by se_cmd is likely to be already deallocated by the target core at that moment. As the result, this access triggers a use-after-free warning from KASAN. This patch fixes the code not to touch se_cmd when completing timed out TCMU commands. It also resets the pointer to se_cmd at the time when the TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid after calling target_complete_cmd() later in the same function, tcmu_check_expired_cmd(). Signed-off-by: Dmitry Fomichev <dmitry.fomichev@wdc.com> Acked-by: Mike Christie <mchristi@redhat.com> Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
||
|---|---|---|
| .. | ||
| iscsi | ||
| loopback | ||
| sbp | ||
| tcm_fc | ||
| Kconfig | ||
| Makefile | ||
| target_core_alua.c | ||
| target_core_alua.h | ||
| target_core_configfs.c | ||
| target_core_device.c | ||
| target_core_fabric_configfs.c | ||
| target_core_fabric_lib.c | ||
| target_core_file.c | ||
| target_core_file.h | ||
| target_core_hba.c | ||
| target_core_iblock.c | ||
| target_core_iblock.h | ||
| target_core_internal.h | ||
| target_core_pr.c | ||
| target_core_pr.h | ||
| target_core_pscsi.c | ||
| target_core_pscsi.h | ||
| target_core_rd.c | ||
| target_core_rd.h | ||
| target_core_sbc.c | ||
| target_core_spc.c | ||
| target_core_stat.c | ||
| target_core_tmr.c | ||
| target_core_tpg.c | ||
| target_core_transport.c | ||
| target_core_ua.c | ||
| target_core_ua.h | ||
| target_core_user.c | ||
| target_core_xcopy.c | ||
| target_core_xcopy.h | ||