On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote: > On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote: > > scsiback_release_cmd() must not dereference se_cmd->se_tmr_req > > because that memory is freed by target_free_cmd_mem() before > > scsiback_release_cmd() is called. Fix this use-after-free by > > inlining struct scsiback_tmr into struct vscsibk_pend. > > > > Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx> > > Cc: Juergen Gross <jgross@xxxxxxxx> > > Cc: Christoph Hellwig <hch@xxxxxx> > > Cc: Hannes Reinecke <hare@xxxxxxxx> > > Cc: David Disseldorp <ddiss@xxxxxxx> > > Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx > > --- > > drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ > > 1 file changed, 9 insertions(+), 24 deletions(-) > > Applied. > Oh btw, this looks like stable material to me. So unless Juergen has any objections, adding a v3.18+ tag. -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
