On Sat, 2019-08-10 at 18:55 -0500, Mike Christie wrote:
> On 08/10/2019 04:19 PM, Dmitry Fomichev wrote:
> > In tcmu_handle_completion() function, the variable called read_len is
> > always initialized with a value taken from se_cmd structure. If this
> > function is called to complete an expired (timed out) out command, the
> > session command pointed by se_cmd is likely to be already deallocated by
> > the target core at that moment. As the result, this access triggers a
> > use-after-free warning from KASAN.
> >
> > This patch fixes the code not to touch se_cmd when completing timed out
> > TCMU commands. It also resets the pointer to se_cmd at the time when the
> > TCMU_CMD_BIT_EXPIRED flag is set because it is going to become invalid
> > after calling target_complete_cmd() later in the same function,
> > tcmu_check_expired_cmd().
> >
> > Signed-off-by: Dmitry Fomichev <dmitry.fomic...@wdc.com>
> > ---
> > drivers/target/target_core_user.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/target/target_core_user.c
> > b/drivers/target/target_core_user.c
> > index 04eda111920e..a0231491fa36 100644
> > --- a/drivers/target/target_core_user.c
> > +++ b/drivers/target/target_core_user.c
> > @@ -1132,14 +1132,16 @@ static void tcmu_handle_completion(struct tcmu_cmd
> > *cmd, struct tcmu_cmd_entry *
> > struct se_cmd *se_cmd = cmd->se_cmd;
> > struct tcmu_dev *udev = cmd->tcmu_dev;
> > bool read_len_valid = false;
> > - uint32_t read_len = se_cmd->data_length;
> > + uint32_t read_len;
> >
> > /*
> > * cmd has been completed already from timeout, just reclaim
> > * data area space and free cmd
> > */
> > - if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags))
> > + if (test_bit(TCMU_CMD_BIT_EXPIRED, &cmd->flags)) {
> > + WARN_ON_ONCE(se_cmd);
>
> If you are adding a warn here, I think you want to also add a warn in
> tcmu_reset_ring where there is another code path we do the same sequence
> of operations where we check the bit then access the se_cmd after if not
> set.
>
Mike,
Good point, thanks. I am going to send out the updated version of the patch.
Dmitry
