releases/3.16.75/scsi-vmw_pscsi-fix-use-after-free-in-pvscsi_queue_lck.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Jan Kara <jack@suse.cz>
 Date: Wed, 19 Jun 2019 09:05:41 +0200
 Subject: scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()

 commit 240b4cc8fd5db138b675297d4226ec46594d9b3b upstream.

 Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just
 queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0]
 dereference can dereference already freed request leading to kernel crashes
 or other issues (which one of our customers observed). Store cmd->cmnd[0]
 in a local variable before unlocking adapter->hw_lock to fix the issue.

 Signed-off-by: Jan Kara <jack@suse.cz>
 Reviewed-by: Ewan D. Milne <emilne@redhat.com>
 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  drivers/scsi/vmw_pvscsi.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/drivers/scsi/vmw_pvscsi.c
 +++ b/drivers/scsi/vmw_pvscsi.c
 @@ -754,6 +754,7 @@ static int pvscsi_queue_lck(struct scsi_
  	struct pvscsi_adapter *adapter = shost_priv(host);
  	struct pvscsi_ctx *ctx;
  	unsigned long flags;
 +	unsigned char op;

  	spin_lock_irqsave(&adapter->hw_lock, flags);

 @@ -766,13 +767,14 @@ static int pvscsi_queue_lck(struct scsi_
  	}

  	cmd->scsi_done = done;
 +	op = cmd->cmnd[0];

  	dev_dbg(&cmd->device->sdev_gendev,
 -		"queued cmd %p, ctx %p, op=%x\n", cmd, ctx, cmd->cmnd[0]);
 +		"queued cmd %p, ctx %p, op=%x\n", cmd, ctx, op);

  	spin_unlock_irqrestore(&adapter->hw_lock, flags);

 -	pvscsi_kick_io(adapter, cmd->cmnd[0]);
 +	pvscsi_kick_io(adapter, op);

  	return 0;
  }
	From: Jan Kara <jack@suse.cz>
	Date: Wed, 19 Jun 2019 09:05:41 +0200
	Subject: scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()

	commit 240b4cc8fd5db138b675297d4226ec46594d9b3b upstream.

	Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just
	queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0]
	dereference can dereference already freed request leading to kernel crashes
	or other issues (which one of our customers observed). Store cmd->cmnd[0]
	in a local variable before unlocking adapter->hw_lock to fix the issue.

	Signed-off-by: Jan Kara <jack@suse.cz>
	Reviewed-by: Ewan D. Milne <emilne@redhat.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	drivers/scsi/vmw_pvscsi.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/drivers/scsi/vmw_pvscsi.c
	+++ b/drivers/scsi/vmw_pvscsi.c
	@@ -754,6 +754,7 @@ static int pvscsi_queue_lck(struct scsi_
	struct pvscsi_adapter *adapter = shost_priv(host);
	struct pvscsi_ctx *ctx;
	unsigned long flags;
	+ unsigned char op;

	spin_lock_irqsave(&adapter->hw_lock, flags);

	@@ -766,13 +767,14 @@ static int pvscsi_queue_lck(struct scsi_
	}

	cmd->scsi_done = done;
	+ op = cmd->cmnd[0];

	dev_dbg(&cmd->device->sdev_gendev,
	- "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, cmd->cmnd[0]);
	+ "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, op);

	spin_unlock_irqrestore(&adapter->hw_lock, flags);

	- pvscsi_kick_io(adapter, cmd->cmnd[0]);
	+ pvscsi_kick_io(adapter, op);

	return 0;
	}