scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
authorJan Kara <jack@suse.cz>
Wed, 19 Jun 2019 07:05:41 +0000 (09:05 +0200)
committerMartin K. Petersen <martin.petersen@oracle.com>
Thu, 20 Jun 2019 20:34:02 +0000 (16:34 -0400)
Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just
queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0]
dereference can dereference already freed request leading to kernel crashes
or other issues (which one of our customers observed). Store cmd->cmnd[0]
in a local variable before unlocking adapter->hw_lock to fix the issue.

CC: <stable@vger.kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/vmw_pvscsi.c

index ecee4b3ff0739dee24445a351a106a754a3ae6a0..377b07b2feebc261c08920f309261e8302217b03 100644 (file)
@@ -763,6 +763,7 @@ static int pvscsi_queue_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd
        struct pvscsi_adapter *adapter = shost_priv(host);
        struct pvscsi_ctx *ctx;
        unsigned long flags;
+       unsigned char op;
 
        spin_lock_irqsave(&adapter->hw_lock, flags);
 
@@ -775,13 +776,14 @@ static int pvscsi_queue_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd
        }
 
        cmd->scsi_done = done;
+       op = cmd->cmnd[0];
 
        dev_dbg(&cmd->device->sdev_gendev,
-               "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, cmd->cmnd[0]);
+               "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, op);
 
        spin_unlock_irqrestore(&adapter->hw_lock, flags);
 
-       pvscsi_kick_io(adapter, cmd->cmnd[0]);
+       pvscsi_kick_io(adapter, op);
 
        return 0;
 }