On Wed, 13 Jan 2021 11:45:08 +0900, Shin'ichiro Kawasaki wrote:

> Commit a35129024e88 ("scsi: target: tcmu: Use priv pointer in se_cmd")
> modified tcmu_free_cmd() to set the priv pointer in se_cmd to NULL. However,
> se_cmd can already have been freed by the work queue triggered in
> target_complete_cmd(). This caused a KASAN use-after-free BUG [1].
>
> To fix the bug, do not touch the priv pointer in tcmu_free_cmd(). Instead,
> set the priv pointer to NULL before target_complete_cmd() is called. Also, to
> avoid an unnecessary priv pointer change in tcmu_queue_cmd(), modify the priv
> pointer in that function only when tcmu_free_cmd() is not called.
>
> [...]

Applied to 5.11/scsi-fixes, thanks!

[1/1] scsi: target: tcmu: Fix use-after-free of se_cmd->priv
      https://git.kernel.org/mkp/scsi/c/780e1384687d

-- 
Martin K. Petersen	Oracle Linux Engineering
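The ordering rule behind the fix, as an added model that is not kernel code or part of the patch: a back-pointer stored in an object must be cleared before the call that may free that object. All names (model_se_cmd, model_tcmu_cmd, the functions) are hypothetical stand-ins for se_cmd, tcmu_cmd, target_complete_cmd() and tcmu_free_cmd(); the model records a write to a freed se_cmd instead of corrupting memory.

```c
/* Added example, not kernel code: models the lifetime rule behind the fix above,
 * clear a back-pointer before the call that may free its owner. All names are
 * hypothetical stand-ins for se_cmd, tcmu_cmd, target_complete_cmd() and
 * tcmu_free_cmd(); completion "frees" se_cmd synchronously here, standing in
 * for the work queue that frees it in the real driver. */
#include <stddef.h>
struct model_se_cmd { void *priv; int live; };      /* live: 0 once completion freed it */
struct model_tcmu_cmd { struct model_se_cmd *se_cmd; };

static int uaf_writes;  /* writes to a freed se_cmd, counted instead of corrupting memory */

/* Stand-in for target_complete_cmd(): after this the core owns and frees se_cmd. */
static void model_target_complete_cmd(struct model_se_cmd *se) { se->live = 0; }

static void set_priv(struct model_se_cmd *se, void *p)
{
	if (!se->live) { uaf_writes++; return; }   /* record the UAF instead of crashing */
	se->priv = p;
}

/* Pre-fix tcmu_free_cmd(): clears se_cmd->priv even when se_cmd is already gone. */
static void old_tcmu_free_cmd(struct model_tcmu_cmd *tc) { set_priv(tc->se_cmd, NULL); }
/* Post-fix tcmu_free_cmd(): leaves se_cmd alone, only tcmu_cmd's own state is released. */
static void new_tcmu_free_cmd(struct model_tcmu_cmd *tc) { tc->se_cmd = NULL; }

static void setup(struct model_se_cmd *se, struct model_tcmu_cmd *tc)
{
	*se = (struct model_se_cmd){ .priv = tc, .live = 1 };
	tc->se_cmd = se;
	uaf_writes = 0;
}

/* Buggy order: complete (frees se_cmd), then tcmu_free_cmd() writes priv. Returns 1. */
int complete_then_free_old(void)
{
	struct model_se_cmd se; struct model_tcmu_cmd tc;
	setup(&se, &tc);
	model_target_complete_cmd(&se);
	old_tcmu_free_cmd(&tc);
	return uaf_writes;
}

/* Fixed order: clear priv while se_cmd is alive, complete, then free. Returns 0. */
int clear_then_complete_new(void)
{
	struct model_se_cmd se; struct model_tcmu_cmd tc;
	setup(&se, &tc);
	set_priv(&se, NULL);
	model_target_complete_cmd(&se);
	new_tcmu_free_cmd(&tc);
	return uaf_writes;
}
```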