[SCSI] virtio_scsi: fix TMF use-after-free

Fix a use-after-free in the TMF path, where cmd may have been already freed by virtscsi_complete_free when wait_for_completion restarts executing virtscsi_tmf. Technically a race, but in practice the command will always be freed long before the completion waiter is awoken. The fix is to make callers specifying a completion responsible for freeing the command in all cases. Signed-off-by: Hu Tao <hutao@cn.fujitsu.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
author: Paolo Bonzini <pbonzini@redhat.com> 2012-05-04 06:32:04 -0400
committer: James Bottomley <JBottomley@Parallels.com> 2012-05-10 03:27:06 -0400
commit: e4594bb50518eb89c447be97dabd5bd99f405d71 (patch)
tree: f4e8d81b2b30cb8ab53207382c2841983954b833 /drivers/scsi
parent: 3c8d9a957d0ae62c2815393a781ab7ff4d5205e7 (diff)
1 files changed, 13 insertions, 11 deletions
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index efccd72c4a3..1b384311726 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -175,7 +175,8 @@ static void virtscsi_complete_free(void *buf)
        if (cmd->comp)
                complete_all(cmd->comp);
-        mempool_free(cmd, virtscsi_cmd_pool);
+        else
+                mempool_free(cmd, virtscsi_cmd_pool);
 }
 static void virtscsi_ctrl_done(struct virtqueue *vq)
@@ -311,21 +312,22 @@ out:
 static int virtscsi_tmf(struct virtio_scsi *vscsi, struct virtio_scsi_cmd *cmd)
 {
        DECLARE_COMPLETION_ONSTACK(comp);
-        int ret;
+        int ret = FAILED;
        cmd->comp = &comp;
-        ret = virtscsi_kick_cmd(vscsi, vscsi->ctrl_vq, cmd,
+        if (virtscsi_kick_cmd(vscsi, vscsi->ctrl_vq, cmd,
-                               sizeof cmd->req.tmf, sizeof cmd->resp.tmf,
+                              sizeof cmd->req.tmf, sizeof cmd->resp.tmf,
-                               GFP_NOIO);
+                              GFP_NOIO) < 0)
-        if (ret < 0)
+                goto out;
-                return FAILED;
        wait_for_completion(&comp);
-        if (cmd->resp.tmf.response != VIRTIO_SCSI_S_OK &&
+        if (cmd->resp.tmf.response == VIRTIO_SCSI_S_OK ||
-            cmd->resp.tmf.response != VIRTIO_SCSI_S_FUNCTION_SUCCEEDED)
+            cmd->resp.tmf.response == VIRTIO_SCSI_S_FUNCTION_SUCCEEDED)
-                return FAILED;
+                ret = SUCCESS;
-        return SUCCESS;
+out:
+        mempool_free(cmd, virtscsi_cmd_pool);
+        return ret;
 }
 static int virtscsi_device_reset(struct scsi_cmnd *sc)
author	Paolo Bonzini <pbonzini@redhat.com>	2012-05-04 06:32:04 -0400
committer	James Bottomley <JBottomley@Parallels.com>	2012-05-10 03:27:06 -0400
commit	e4594bb50518eb89c447be97dabd5bd99f405d71 (patch)
tree	f4e8d81b2b30cb8ab53207382c2841983954b833 /drivers/scsi
parent	3c8d9a957d0ae62c2815393a781ab7ff4d5205e7 (diff)