From 0655c3e76a9f35bf8cd1b0216743f24f7a87baa2 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Mon, 18 Mar 2019 00:23:05 +0000
Subject: [PATCH] iscsi-scst: Fix a use-after-free

Avoid that KASAN reports the following complaint:

BUG: KASAN: slab-out-of-bounds in f/0xdc4 [iscsi_scst]
Read of size 8 at addr ffff888be35fd0ec by task iscsiwr0_71/3289

CPU: 42 PID: 3289 Comm: iscsiwr0_71 Tainted: G sos.debug #1
Hardware name: To be filled by O.E.M.
Call Trace:
 dump_stack+0x8e/0xc8
 print_address_description+0x73/0x238
 kasan_report+0x228/0x251
 check_memory_region+0x126/0x12c
 __asan_loadN+0xf/0x11
 write_data+0x5df/0xdc4 [iscsi_scst]
 iscsi_do_send+0x20/0x67 [iscsi_scst]
 iscsi_send+0x1f0/0x574 [iscsi_scst]
 scst_do_job_wr+0x2ef/0x549 [iscsi_scst]
 istwr+0x366/0x4a2 [iscsi_scst]
 kthread+0x1df/0x1ef
 ret_from_fork+0x3a/0x50

Allocated by task 3063:
 save_stack_trace+0x1b/0x1d
 kasan_kmalloc.part.1+0x62/0xee
 kasan_kmalloc+0x7f/0x8b
 kasan_slab_alloc+0x12/0x14
 kmem_cache_alloc+0x13d/0x27a
 mempool_alloc_slab+0x15/0x17
 mempool_alloc+0xdb/0x1f3
 scst_alloc_aen+0x96/0x223 [scst]
 scst_gen_aen_or_ua+0x16b/0x3d2 [scst]
 scst_capacity_data_changed+0x147/0x1cd [scst]
 vdev_size_process_store+0x1b5/0x1f4 [scst_vdisk]
 scst_process_sysfs_works+0x187/0x2a1 [scst]
 sysfs_work_thread_fn+0x301/0x42b [scst]
 kthread+0x1df/0x1ef
 ret_from_fork+0x3a/0x50

Reported-by: Marc Smith

git-svn-id: http://svn.code.sf.net/p/scst/svn/trunk@8056 d57e44dd-8a1f-0410-8b47-8ef2f437770f
---
 iscsi-scst/kernel/nthread.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/iscsi-scst/kernel/nthread.c b/iscsi-scst/kernel/nthread.c
index d936d53a1..0392a029f 100644
--- a/iscsi-scst/kernel/nthread.c
+++ b/iscsi-scst/kernel/nthread.c
@@ -1189,7 +1189,8 @@ retry: sock = conn->sock; - if ((write_cmnd->parent_req->scst_cmd != NULL) && + if (write_cmnd->parent_req->scst_cmd && + write_cmnd->parent_req->scst_state != ISCSI_CMD_STATE_AEN && scst_cmd_get_dh_data_buff_alloced(write_cmnd->parent_req->scst_cmd)) sock_sendpage = sock_no_sendpage; else
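
Review bot: The added `write_cmnd->parent_req->scst_state != ISCSI_CMD_STATE_AEN` test, placed ahead of the call to `scst_cmd_get_dh_data_buff_alloced()`, carries no comment saying why `parent_req->scst_cmd` must not be passed on in that state. The allocation trace quoted in the commit message goes through `scst_alloc_aen`, which suggests that in the AEN state the pointer refers to an AEN object rather than a command; a one-line comment to that effect, or a small helper that combines the state check with the pointer test, would stop other users of `scst_cmd` from repeating the unguarded access. The subject line says use-after-free while the quoted KASAN report is slab-out-of-bounds, so the commit message should name the one that applies. `write_cmnd->parent_req` is also evaluated three times in the condition; a local variable would make the check easier to read and to extend.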