Hi Juergen,

On Tue, 2016-02-02 at 17:31 +0100, Juergen Gross wrote:
> On 30/01/16 08:05, Nicholas A. Bellinger wrote:
> > From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
> >
> > Cc: Juergen Gross <jgross@xxxxxxxx>
> > Cc: Hannes Reinecke <hare@xxxxxxx>
> > Cc: David Vrabel <david.vrabel@xxxxxxxxxx>
> > Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
>
> Sorry, with your patches applied xen-scsiback isn't working any more.
> I've tried multiple times with and without your patches. Without the
> patches everything is fine, while with the patches applied I get the
> warnings shown in the attached log. I just passed through a DVD drive
> and did "eject" in the domain.
>

Thanks for testing. :)

So it looks like a left-over memset of pending_req->se_cmd memory in
scsiback_cmd_exec() was clobbering the saved percpu_ida map_tag from
scsiback_get_pend_req(), resulting in a use-after-free.

Please verify with the following:

diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c
index eaf9e21..c3f55a2 100644
--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -400,10 +400,6 @@ static void scsiback_cmd_exec(struct vscsibk_pend *pending_req)
 	struct se_session *sess = pending_req->v2p->tpg->tpg_nexus->tvn_se_sess;
 	int rc;
 
-	memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE);
-
-	memset(se_cmd, 0, sizeof(*se_cmd));
-
 	scsiback_get(pending_req->info);
 	se_cmd->tag = pending_req->rqid;
 	rc = target_submit_cmd_map_sgls(se_cmd, sess, pending_req->cmnd,
--
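Review bot: dropping the memset of pending_req->sense_buffer in this hunk is not covered by the explanation above, which only accounts for the se_cmd memset clobbering the map_tag saved by scsiback_get_pend_req(). If the sense buffer is already zeroed, or always fully rewritten, before the response is copied back to the frontend, say so in the changelog; otherwise keep `memset(pending_req->sense_buffer, 0, VSCSIIF_SENSE_BUFFERSIZE);` so that a command completing without sense data cannot hand the frontend stale bytes from the slot's previous user. A one-line comment above `scsiback_get(pending_req->info);` stating that se_cmd must not be re-initialised once the tag has been stored would keep the next reader from reintroducing the memset.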
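Added example, written for this page and not taken from the thread or from xen-scsiback, that models the ordering bug described above: a tag is saved inside an embedded command struct, a later memset of that struct wipes it, and the release path then frees the wrong tag. The tag pool, struct names and the two exec variants are all assumptions standing in for percpu_ida, se_cmd and scsiback_cmd_exec(); in the real driver the consequence is that the same tag is handed out again while the old slot is still referenced, which this model reports as a failed second free plus a tag that is never returned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed model, not kernel code: tag_pool stands in for percpu_ida,
 * struct cmd for se_cmd, struct pending_req for vscsibk_pend. Only the
 * ordering matters: the tag lives inside the embedded command, so zeroing
 * that command after it was stored destroys what the release path frees.
 */

#define NR_TAGS 4

struct tag_pool {
	bool in_use[NR_TAGS];
};

/* Hand out the lowest free tag, or -1 when the pool is exhausted. */
static int tag_alloc(struct tag_pool *p)
{
	for (int i = 0; i < NR_TAGS; i++) {
		if (!p->in_use[i]) {
			p->in_use[i] = true;
			return i;
		}
	}
	return -1;
}

/* 0 on success, -1 for an out-of-range tag or one not in use (double free).
 * percpu_ida does not check this; the next owner just gets the same tag. */
static int tag_free(struct tag_pool *p, int tag)
{
	if (tag < 0 || tag >= NR_TAGS || !p->in_use[tag])
		return -1;
	p->in_use[tag] = false;
	return 0;
}

struct cmd {
	int map_tag;		/* tag recorded at allocation time */
};

struct pending_req {
	uint16_t rqid;
	uint8_t sense[18];
	struct cmd se_cmd;	/* embedded, as se_cmd is in the real request */
};

/* Plays the role of scsiback_get_pend_req(): clear the request once, then
 * store the freshly allocated tag in the embedded command. */
static int get_pend_req(struct tag_pool *p, struct pending_req *req, uint16_t rqid)
{
	int tag = tag_alloc(p);

	if (tag < 0)
		return -1;
	memset(req, 0, sizeof(*req));
	req->rqid = rqid;
	req->se_cmd.map_tag = tag;
	return 0;
}

/* The left-over memset: re-zeroing the embedded command wipes map_tag. */
static void cmd_exec_buggy(struct pending_req *req)
{
	memset(req->sense, 0, sizeof(req->sense));
	memset(&req->se_cmd, 0, sizeof(req->se_cmd));
}

/* After the fix the command is submitted exactly as get_pend_req() left it. */
static void cmd_exec_fixed(struct pending_req *req)
{
	(void)req;
}

/* Release path: frees whatever tag the command currently carries. */
static int put_pend_req(struct tag_pool *p, struct pending_req *req)
{
	return tag_free(p, req->se_cmd.map_tag);
}

/* Two requests in flight, run through one exec variant, then released.
 * Returns the number of failed frees; if leaked is non-NULL it receives the
 * number of tags still marked in use after both requests are gone. */
static int run_scenario(bool buggy, int *leaked)
{
	struct tag_pool pool = { { false } };
	struct pending_req a, b;
	int errors = 0, still_used = 0;

	get_pend_req(&pool, &a, 1);	/* gets tag 0 */
	get_pend_req(&pool, &b, 2);	/* gets tag 1 */
	if (buggy) {
		cmd_exec_buggy(&a);
		cmd_exec_buggy(&b);	/* both map_tags are now 0 */
	} else {
		cmd_exec_fixed(&a);
		cmd_exec_fixed(&b);
	}
	if (put_pend_req(&pool, &a))
		errors++;
	if (put_pend_req(&pool, &b))	/* buggy: frees tag 0 a second time */
		errors++;
	for (int i = 0; i < NR_TAGS; i++)
		if (pool.in_use[i])
			still_used++;	/* buggy: tag 1 is never returned */
	if (leaked)
		*leaked = still_used;
	return errors;
}

static int leaked_tags_after(bool buggy)
{
	int n = 0;

	run_scenario(buggy, &n);
	return n;
}
```

With the buggy exec path the second release fails and one tag stays allocated forever; with the memset removed both tags come back cleanly. In the driver the failed free is silent, which is why the symptom shows up later as the warnings Juergen saw rather than at the memset itself.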