mirror of
https://github.com/torvalds/linux
synced 2024-09-20 02:57:25 +00:00
057085e522
This patch addresses a race + use after free where the first stage of COMPARE_AND_WRITE in compare_and_write_callback() is rescheduled after the backend sends the secondary WRITE, resulting in second stage compare_and_write_post() callback completing in target_complete_ok_work() before the first can return. Because current code depends on checking se_cmd->se_cmd_flags after return from se_cmd->transport_complete_callback(), this results in first stage having SCF_COMPARE_AND_WRITE_POST set, which incorrectly falls through into second stage CAW processing code, eventually triggering a NULL pointer dereference due to use after free. To address this bug, pass in a new *post_ret parameter into se_cmd->transport_complete_callback(), and depend upon this value instead of ->se_cmd_flags to determine when to return or fall through into ->queue_status() code for CAW. Cc: Sagi Grimberg <sagig@mellanox.com> Cc: <stable@vger.kernel.org> # v3.12+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> |
||
|---|---|---|
| .. | ||
| iscsi | ||
| loopback | ||
| sbp | ||
| tcm_fc | ||
| Kconfig | ||
| Makefile | ||
| target_core_alua.c | ||
| target_core_alua.h | ||
| target_core_configfs.c | ||
| target_core_device.c | ||
| target_core_fabric_configfs.c | ||
| target_core_fabric_lib.c | ||
| target_core_file.c | ||
| target_core_file.h | ||
| target_core_hba.c | ||
| target_core_iblock.c | ||
| target_core_iblock.h | ||
| target_core_internal.h | ||
| target_core_pr.c | ||
| target_core_pr.h | ||
| target_core_pscsi.c | ||
| target_core_pscsi.h | ||
| target_core_rd.c | ||
| target_core_rd.h | ||
| target_core_sbc.c | ||
| target_core_spc.c | ||
| target_core_stat.c | ||
| target_core_tmr.c | ||
| target_core_tpg.c | ||
| target_core_transport.c | ||
| target_core_ua.c | ||
| target_core_ua.h | ||
| target_core_user.c | ||
| target_core_xcopy.c | ||
| target_core_xcopy.h | ||