scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()

BugLink: https://bugs.launchpad.net/bugs/1838824
commit 240b4cc8fd5db138b675297d4226ec46594d9b3b upstream.

Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just
queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0]
dereference can dereference already freed request leading to kernel crashes
or other issues (which one of our customers observed). Store cmd->cmnd[0]
in a local variable before unlocking adapter->hw_lock to fix the issue.

CC: <stable@vger.kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/drivers/scsi/vmw_pvscsi.c b/drivers/scsi/vmw_pvscsi.c
index 890b8aaf95e10b815a6621ae4177a17706954c99..64eb8ffb2ddfa57d7874affa79a656515ced9ea7 100644 (file)
--- a/drivers/scsi/vmw_pvscsi.c
+++ b/drivers/scsi/vmw_pvscsi.c
@@ -763,6 +763,7 @@ static int pvscsi_queue_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd
        struct pvscsi_adapter *adapter = shost_priv(host);
        struct pvscsi_ctx *ctx;
        unsigned long flags;
+       unsigned char op;
 
        spin_lock_irqsave(&adapter->hw_lock, flags);
 
@@ -775,13 +776,14 @@ static int pvscsi_queue_lck(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd
        }
 
        cmd->scsi_done = done;
+       op = cmd->cmnd[0];
 
        dev_dbg(&cmd->device->sdev_gendev,
-               "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, cmd->cmnd[0]);
+               "queued cmd %p, ctx %p, op=%x\n", cmd, ctx, op);
 
        spin_unlock_irqrestore(&adapter->hw_lock, flags);
 
-       pvscsi_kick_io(adapter, cmd->cmnd[0]);
+       pvscsi_kick_io(adapter, op);
 
        return 0;
 }