target: fix use-after-free with PSCSI sense data The pointer to the sense buffer is fetched by transport_get_sense_data, but this is called by target_complete_ok_work long after pscsi_req_done has freed the struct that contains it. Pass instead the fabric's sense buffer to transport_complete, and copy the data to it directly in transport_complete. Setting SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

commit: d5829eac5f7cfff89c6d1cf11717eee97cf030d0 [log] [tgz]
author: Paolo Bonzini <pbonzini@redhat.com> Wed Sep 05 17:09:15 2012 +0200
committer: Nicholas Bellinger <nab@linux-iscsi.org> Wed Sep 05 17:20:28 2012 -0700
tree: 9acff1b99c654235b5ad4534735fdaf03a9c5a45
parent: 27a2709912ac19c755d34c79fe11994b0bf8082b [diff] [blame]
diff --git a/include/target/target_core_backend.h b/include/target/target_core_backend.h
index f1405d33..941c84bf 100644
--- a/include/target/target_core_backend.h
+++ b/include/target/target_core_backend.h

@@ -23,7 +23,9 @@
 	struct se_device *(*create_virtdevice)(struct se_hba *,
 				struct se_subsystem_dev *, void *);
 	void (*free_device)(void *);
-	int (*transport_complete)(struct se_cmd *cmd, struct scatterlist *);
+	void (*transport_complete)(struct se_cmd *cmd,
+				   struct scatterlist *,
+				   unsigned char *);
 
 	int (*parse_cdb)(struct se_cmd *cmd);
 	ssize_t (*check_configfs_dev_params)(struct se_hba *,
commit	d5829eac5f7cfff89c6d1cf11717eee97cf030d0	[log] [tgz]
author	Paolo Bonzini <pbonzini@redhat.com>	Wed Sep 05 17:09:15 2012 +0200
committer	Nicholas Bellinger <nab@linux-iscsi.org>	Wed Sep 05 17:20:28 2012 -0700
tree	9acff1b99c654235b5ad4534735fdaf03a9c5a45
parent	27a2709912ac19c755d34c79fe11994b0bf8082b [diff] [blame]