On 03/02/16 06:03, Nicholas A. Bellinger wrote:
> Hi Juergen,
>
> On Tue, 2016-02-02 at 17:31 +0100, Juergen Gross wrote:
>> On 30/01/16 08:05, Nicholas A. Bellinger wrote:
>>> From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
>>>
>>> Cc: Juergen Gross <jgross@xxxxxxxx>
>>> Cc: Hannes Reinecke <hare@xxxxxxx>
>>> Cc: David Vrabel <david.vrabel@xxxxxxxxxx>
>>> Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
>>
>> Sorry, with your patches applied xen-scsiback isn't working any more.
>> I've tried multiple times with and without your patches. Without the
>> patches everything is fine, while with the patches applied I get the
>> warnings shown in the attached log. I just passed through a DVD drive
>> and did "eject" in the domain.
>>
>
> Thanks for testing. :)

You're welcome. :-)

>
> So it looks like a left-over memset of pending_req->se_cmd memory in
> scsiback_cmd_exec() was clobbering the saved percpu_ida map_tag from
> scsiback_get_pend_req(), resulting in a use-after-free.
>
> Please verify with the following:

Thanks, it's working now! With that change you can add my:

Acked-by: Juergen Gross <jgross@xxxxxxxx>
Tested-by: Juergen Gross <jgross@xxxxxxxx>

to the xen-scsiback related patches.

Juergen

>
> diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
> index eaf9e21..c3f55a2 100644
> --- a/drivers/xen/xen-scsiback.c
> +++ b/drivers/xen/xen-scsiback.c
> @@ -400,10 +400,6 @@ static void scsiback_cmd_exec(struct vscsibk_pend *pending_req) > struct se_session *sess = pending_req->v2p->tpg->tpg_nexus->tvn_se_sess; > int rc; > > - memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE); > - > - memset(se_cmd, 0, sizeof(*se_cmd)); > - > scsiback_get(pending_req->info); > se_cmd->tag = pending_req->rqid; > rc = target_submit_cmd_map_sgls(se_cmd, sess, pending_req->cmnd, > > > -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
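Review bot: the hunk drops two memsets but only the second one, `memset(se_cmd, 0, sizeof(*se_cmd));`, is the one the thread identifies as the bug (it zeroes the se_cmd that scsiback_get_pend_req() already initialised, wiping the saved percpu_ida tag and leading to the use-after-free on release). The first removed line, `memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE);`, has no replacement visible in this hunk, so please confirm that pending_req->sense_buffer is cleared where the pending request is allocated or set up; otherwise a request that completes without sense data could hand stale sense bytes from an earlier command back to the frontend. It would also help to state both reasons in the commit message, since the hunk reads as a plain cleanup without the context from this thread.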