Files · c100448790b8494ca69f89a88c5833d767a87dc1 · Anton / libtcg

block/iscsi: fix ioctl cancel use-after-free

Stefan Hajnoczi authored 7 years ago

iscsi_aio_cancel() does not increment the request's reference count,
causing a use-after-free when ABORT TASK finishes after the request has
already completed.

There are some additional issues with iscsi_aio_cancel():
1. Several ABORT TASKs may be sent for the same task if
   iscsi_aio_cancel() is invoked multiple times.  It's better to avoid
   this just in case the command identifier is reused.
2. The iscsilun->mutex protection is missing in iscsi_aio_cancel().

Reported-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180203061621.7033-4-stefanha@redhat.com>
Reviewed-by: Felipe Franciosi <felipe@nutanix.com>
Tested-by: Sreejith Mohanan <sreejit.mohanan@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

c1004487

History

c1004487 7 years ago

History

Name	Last commit	Last update
accel
audio
backends
block
bsd-user
chardev
contrib
crypto
default-configs
disas
docs
fpu
fsdev
gdb-xml
hw
include
io
libdecnumber
linux-headers
linux-user
migration
nbd
net
pc-bios
po
qapi
qga
qobject
qom
replay
roms
scripts
scsi
slirp
stubs
target
tcg
tests
trace
ui
util
.dir-locals.el
.editorconfig
.exrc
.gdbinit
.gitignore
.gitmodules
.gitpublish
.mailmap
.shippable.yml
.travis.yml
CODING_STYLE
COPYING
COPYING.LIB
Changelog
HACKING
LICENSE
MAINTAINERS
Makefile
Makefile.objs
Makefile.target
README
VERSION
arch_init.c
balloon.c
block.c
blockdev-nbd.c
blockdev.c
blockjob.c
bootdevice.c
bt-host.c
bt-vhci.c
configure
cpus-common.c
cpus.c
device-hotplug.c
device_tree.c
disas.c
dma-helpers.c
dump.c
exec.c
gdbstub.c
gitdm.config
hmp-commands-info.hx
hmp-commands.hx
hmp.c
hmp.h
ioport.c
iothread.c
job-qmp.c
job.c
memory.c
memory_ldst.inc.c
memory_mapping.c
module-common.c
monitor.c
numa.c
os-posix.c
os-win32.c
qdev-monitor.c

README