aboutsummaryrefslogtreecommitdiffstats
path: root/include/target
diff options
context:
space:
mode:
authorPaolo Bonzini <pbonzini@redhat.com>2012-09-05 11:09:15 -0400
committerNicholas Bellinger <nab@linux-iscsi.org>2012-09-05 20:20:28 -0400
commitd5829eac5f7cfff89c6d1cf11717eee97cf030d0 (patch)
tree9acff1b99c654235b5ad4534735fdaf03a9c5a45 /include/target
parent27a2709912ac19c755d34c79fe11994b0bf8082b (diff)
target: fix use-after-free with PSCSI sense data
The pointer to the sense buffer is fetched by transport_get_sense_data, but this is called by target_complete_ok_work long after pscsi_req_done has freed the struct that contains it. Pass instead the fabric's sense buffer to transport_complete, and copy the data to it directly in transport_complete. Setting SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'include/target')
-rw-r--r--include/target/target_core_backend.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h
index f1405d335a9..941c84bf106 100644
--- a/include/target/target_core_backend.h
+++ b/include/target/target_core_backend.h
@@ -23,7 +23,9 @@ struct se_subsystem_api {
23 struct se_device *(*create_virtdevice)(struct se_hba *, 23 struct se_device *(*create_virtdevice)(struct se_hba *,
24 struct se_subsystem_dev *, void *); 24 struct se_subsystem_dev *, void *);
25 void (*free_device)(void *); 25 void (*free_device)(void *);
26 int (*transport_complete)(struct se_cmd *cmd, struct scatterlist *); 26 void (*transport_complete)(struct se_cmd *cmd,
27 struct scatterlist *,
28 unsigned char *);
27 29
28 int (*parse_cdb)(struct se_cmd *cmd); 30 int (*parse_cdb)(struct se_cmd *cmd);
29 ssize_t (*check_configfs_dev_params)(struct se_hba *, 31 ssize_t (*check_configfs_dev_params)(struct se_hba *,