diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2012-09-05 17:09:15 +0200 |
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-09-05 17:20:28 -0700 |
| commit | d5829eac5f7cfff89c6d1cf11717eee97cf030d0 (patch) | |
| tree | 9acff1b99c654235b5ad4534735fdaf03a9c5a45 /include/target/target_core_backend.h | |
| parent | target: simplify code around transport_get_sense_data (diff) | |
| download | linux-d5829eac5f7cfff89c6d1cf11717eee97cf030d0.tar.gz linux-d5829eac5f7cfff89c6d1cf11717eee97cf030d0.zip | |
target: fix use-after-free with PSCSI sense data
The pointer to the sense buffer is fetched by transport_get_sense_data,
but this is called by target_complete_ok_work long after pscsi_req_done
has freed the struct that contains it.
Pass instead the fabric's sense buffer to transport_complete,
and copy the data to it directly in transport_complete. Setting
SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'include/target/target_core_backend.h')
| -rw-r--r-- | include/target/target_core_backend.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h index f1405d335a96..941c84bf1065 100644 --- a/include/target/target_core_backend.h +++ b/include/target/target_core_backend.h @@ -23,7 +23,9 @@ struct se_subsystem_api { struct se_device *(*create_virtdevice)(struct se_hba *, struct se_subsystem_dev *, void *); void (*free_device)(void *); - int (*transport_complete)(struct se_cmd *cmd, struct scatterlist *); + void (*transport_complete)(struct se_cmd *cmd, + struct scatterlist *, + unsigned char *); int (*parse_cdb)(struct se_cmd *cmd); ssize_t (*check_configfs_dev_params)(struct se_hba *, |