git.proxmox.com Git - mirror

author	Stefan Hajnoczi <stefanha@redhat.com>
	Sat, 3 Feb 2018 06:16:21 +0000 (07:16 +0100)
committer	Paolo Bonzini <pbonzini@redhat.com>
	Fri, 11 Jan 2019 12:57:24 +0000 (13:57 +0100)
commit	c100448790b8494ca69f89a88c5833d767a87dc1
tree	eaff76b7e1bd8c224871b48bd8c370eddc211bf9	tree
parent	83d11973fa78be5bf0fd0e00791245e974fe4af3	commit \| diff

block/iscsi: fix ioctl cancel use-after-free

iscsi_aio_cancel() does not increment the request's reference count,
causing a use-after-free when ABORT TASK finishes after the request has
already completed.

There are some additional issues with iscsi_aio_cancel():
1. Several ABORT TASKs may be sent for the same task if
iscsi_aio_cancel() is invoked multiple times. It's better to avoid
this just in case the command identifier is reused.
2. The iscsilun->mutex protection is missing in iscsi_aio_cancel().

Reported-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180203061621.7033-4-stefanha@redhat.com>
Reviewed-by: Felipe Franciosi <felipe@nutanix.com>
Tested-by: Sreejith Mohanan <sreejit.mohanan@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>