From patchwork Tue Dec  6 19:40:55 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner <tim.gardner@canonical.com>
X-Patchwork-Id: 703311
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3tYBnq5yhDz9s9c;
	Wed,  7 Dec 2016 06:41:19 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=canonical-com.20150623.gappssmtp.com
	header.i=@canonical-com.20150623.gappssmtp.com
	header.b="u71v/oKl"; dkim-atps=neutral
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1cELc5-0000Id-7w; Tue, 06 Dec 2016 19:41:17 +0000
Received: from mail-io0-f177.google.com ([209.85.223.177])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <tim.gardner@canonical.com>)
	id 1cELc0-0000Ga-3I
	for kernel-team@lists.ubuntu.com; Tue, 06 Dec 2016 19:41:12 +0000
Received: by mail-io0-f177.google.com with SMTP id c21so618283205ioj.1
	for <kernel-team@lists.ubuntu.com>;
	Tue, 06 Dec 2016 11:41:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=canonical-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:subject:date:message-id:in-reply-to:references;
	bh=SIfDRh31DTwHnSBEE9lhL2/WVASRgzOCbenyRPvIu8c=;
	b=u71v/oKlLjzmYHLcKE6inQvmu47Ir520BEjAvMO8Yxmzlhfm1jbOi4LGbZ06T39xRX
	5roEGkfRhCfk9ZPdus4xWKcID0gkpqdjas/iovXEHFPYpWF+oPjY4WuSn3aPIvLDwR/J
	KWzY955cxaBr3us1eObhVwfKqYCs8muDjOcCswGVYGUyHF5zBj29pmDQn86yeUD0KfN/
	th9nx6LSbgjema2fRFFQwyl4efPKukZwRNL6NZJKB8nnNPlah726BfxIPs5ts8o/usaZ
	5IGN7cStpXCjJmb0CYoUEmmS9S+k9k6/VePQmVbkIkOjghxDnlfASAHio9DRsla9BCmn
	WWVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=SIfDRh31DTwHnSBEE9lhL2/WVASRgzOCbenyRPvIu8c=;
	b=KZgQXuSy9A95CH+K88GOlr0DP7Mz4T9cfWTlUHIe2T8aZTVaq06TdlVQV14es28WB0
	ndbrY1WZDmkHOddshGSEy4CjVENvIIlxEr5lPlI1DrYu+tFYOyos0kC+44E5tDAsNwac
	hKRfxtwHY7xPWh7aLJKQ93CBHBb+45VWhPdQeAuKc/Wj4Kl8DSNKAZsrZH8woYSOe60H
	GhTzQJAkO5lEKBixPg3tvwlQCUwYfoiYSfuy3ie5FanOYJ2srljSEcsjRcr2K+/n2E0o
	9wdubomf4uNl0IsBAeC8xxcBr2T1YuVZW72DyD2FqlUNtZoEuBW+k5Ae0BzbLaM4T4I1
	3Z+A==
X-Gm-Message-State: 
 AKaTC02xX8960ZobGcFxHa1nBTFx+GQHz4VZJgVinoJpJpvO7KDLoZI/4OPc8aIJX8GDgGBy
X-Received: by 10.107.28.129 with SMTP id c123mr56811888ioc.11.1481053267066;
	Tue, 06 Dec 2016 11:41:07 -0800 (PST)
Received: from localhost.localdomain
	(host-174-45-44-32.hln-mt.client.bresnan.net. [174.45.44.32])
	by smtp.gmail.com with ESMTPSA id
	t20sm1968119ita.7.2016.12.06.11.41.06
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 06 Dec 2016 11:41:06 -0800 (PST)
From: Tim Gardner <tim.gardner@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/4] UBUNTU: SAUCE: (no-up) target/user: Fix use-after-free
	of tcmu_cmds if they are expired
Date: Tue,  6 Dec 2016 12:40:55 -0700
Message-Id: <1481053255-24175-5-git-send-email-tim.gardner@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1481053255-24175-1-git-send-email-tim.gardner@canonical.com>
References: <1481053255-24175-1-git-send-email-tim.gardner@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

From: Andy Grover <agrover@redhat.com>

BugLink: http://bugs.launchpad.net/bugs/1646204

Don't free the cmd in tcmu_check_expired_cmd, it's still referenced by
an entry in our cmd_id->cmd idr. If userspace ever resumes processing,
tcmu_handle_completions() will use the now-invalid cmd pointer.

Instead, don't free cmd. It will be freed by tcmu_handle_completion() if
userspace ever recovers, or tcmu_free_device if not.

Cc: stable@vger.kernel.org
Reported-by: Bryant G Ly <bgly@us.ibm.com>
Signed-off-by: Andy Grover <agrover@redhat.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 drivers/target/target_core_user.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index f383561..cbc2ac9 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -668,8 +668,6 @@ static int tcmu_check_expired_cmd(int id, void *p, void *data)
 	target_complete_cmd(cmd->se_cmd, SAM_STAT_CHECK_CONDITION);
 	cmd->se_cmd = NULL;
 
-	kmem_cache_free(tcmu_cmd_cache, cmd);
-
 	return 0;
 }