On 03/06/17 09:04, Nicholas A. Bellinger wrote: > On Fri, 2017-06-02 at 22:40 -0700, Nicholas A. Bellinger wrote: >> On Tue, 2017-05-23 at 16:48 -0700, Bart Van Assche wrote: >>> scsiback_release_cmd() must not dereference se_cmd->se_tmr_req >>> because that memory is freed by target_free_cmd_mem() before >>> scsiback_release_cmd() is called. Fix this use-after-free by >>> inlining struct scsiback_tmr into struct vscsibk_pend. >>> >>> Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx> >>> Cc: Juergen Gross <jgross@xxxxxxxx> >>> Cc: Christoph Hellwig <hch@xxxxxx> >>> Cc: Hannes Reinecke <hare@xxxxxxxx> >>> Cc: David Disseldorp <ddiss@xxxxxxx> >>> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx >>> --- >>> drivers/xen/xen-scsiback.c | 33 +++++++++------------------------ >>> 1 file changed, 9 insertions(+), 24 deletions(-) >> >> Applied. >> > > Oh btw, this looks like stable material to me. > > So unless Juergen has any objections, adding a v3.18+ tag. No objections from me. Juergen -- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
