diff options
| author | Mike Christie <michael.christie@oracle.com> | 2023-03-21 03:06:18 +0100 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2023-04-04 17:01:58 +0200 |
| commit | e508efc3ae7e44eb3caf595a086bfd3824da5b9a (patch) | |
| tree | f203cdbff4a4eb68d4ffd551cbcde361ba3b5fa6 /fs/crypto | |
| parent | virtio-blk: fix ZBD probe in kernels without ZBD support (diff) | |
| download | linux-e508efc3ae7e44eb3caf595a086bfd3824da5b9a.tar.xz linux-e508efc3ae7e44eb3caf595a086bfd3824da5b9a.zip | |
vhost-scsi: Fix vhost_scsi struct use after free
If vhost_scsi_setup_vq_cmds fails we leave the tpg->vhost_scsi pointer
set. If the device is freed and then the user unmaps the LUN, the call to
vhost_scsi_port_unlink -> vhost_scsi_hotunplug will see the that
tpg->vhost_scsi is still set and try to use it.
This has us clear the vhost_scsi pointer in the failure path. It also
has us take tv_tpg_mutex in this failure path, because tv_tpg_vhost_count
is accessed under this mutex in vhost_scsi_drop_nexus and in the future
we will want to serialize access to tpg->vhost_scsi with that mutex
instead of the vhost_scsi_mutex.
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <20230321020624.13323-2-michael.christie@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'fs/crypto')
0 files changed, 0 insertions, 0 deletions