block/iscsi: fix ioctl cancel use-after-free - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Stefan Hajnoczi <stefanha@redhat.com>	2018-02-03 07:16:21 +0100
committer	Paolo Bonzini <pbonzini@redhat.com>	2019-01-11 13:57:24 +0100
commit	c100448790b8494ca69f89a88c5833d767a87dc1 (patch)
tree	eaff76b7e1bd8c224871b48bd8c370eddc211bf9 /hw/scsi/esp.c
parent	83d11973fa78be5bf0fd0e00791245e974fe4af3 (diff)
download	focaccia-qemu-c100448790b8494ca69f89a88c5833d767a87dc1.tar.gz focaccia-qemu-c100448790b8494ca69f89a88c5833d767a87dc1.zip

block/iscsi: fix ioctl cancel use-after-free

iscsi_aio_cancel() does not increment the request's reference count,
causing a use-after-free when ABORT TASK finishes after the request has
already completed.

There are some additional issues with iscsi_aio_cancel():
1. Several ABORT TASKs may be sent for the same task if
   iscsi_aio_cancel() is invoked multiple times.  It's better to avoid
   this just in case the command identifier is reused.
2. The iscsilun->mutex protection is missing in iscsi_aio_cancel().

Reported-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180203061621.7033-4-stefanha@redhat.com>
Reviewed-by: Felipe Franciosi <felipe@nutanix.com>
Tested-by: Sreejith Mohanan <sreejit.mohanan@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Diffstat (limited to 'hw/scsi/esp.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: