linux-brain

Linux kernel source tree for SHARP Brain series (PW-SH1 or later)

Go to file

Steffen Maier f45ab6e7d9 scsi: zfcp: Fix use-after-free in request timeout handlers commit 2d9a2c5f581be3991ba67fa9e7497c711220ea8e upstream. Before v4.15 commit `75492a5156` ("s390/scsi: Convert timers to use timer_setup()"), we intentionally only passed zfcp_adapter as context argument to zfcp_fsf_request_timeout_handler(). Since we only trigger adapter recovery, it was unnecessary to sync against races between timeout and (late) completion. Likewise, we only passed zfcp_erp_action as context argument to zfcp_erp_timeout_handler(). Since we only wakeup an ERP action, it was unnecessary to sync against races between timeout and (late) completion. Meanwhile the timeout handlers get timer_list as context argument and do a timer-specific container-of to zfcp_fsf_req which can have been freed. Fix it by making sure that any request timeout handlers, that might just have started before del_timer(), are completed by using del_timer_sync() instead. This ensures the request free happens afterwards. Space time diagram of potential use-after-free: Basic idea is to have 2 or more pending requests whose timeouts run out at almost the same time. req 1 timeout ERP thread req 2 timeout ---------------- ---------------- --------------------------------------- zfcp_fsf_request_timeout_handler fsf_req = from_timer(fsf_req, t, timer) adapter = fsf_req->adapter zfcp_qdio_siosl(adapter) zfcp_erp_adapter_reopen(adapter,...) zfcp_erp_strategy ... zfcp_fsf_req_dismiss_all list_for_each_entry_safe zfcp_fsf_req_complete 1 del_timer 1 zfcp_fsf_req_free 1 zfcp_fsf_req_complete 2 zfcp_fsf_request_timeout_handler del_timer 2 fsf_req = from_timer(fsf_req, t, timer) zfcp_fsf_req_free 2 adapter = fsf_req->adapter ^^^^^^^ already freed Link: https://lore.kernel.org/r/20200813152856.50088-1-maier@linux.ibm.com Fixes: `75492a5156` ("s390/scsi: Convert timers to use timer_setup()") Cc: <stable@vger.kernel.org> #4.15+ Suggested-by: Julian Wiedmann <jwi@linux.ibm.com> Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Steffen Maier <maier@linux.ibm.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2020-08-26 10:40:52 +02:00
Documentation	kbuild: support LLVM=1 to switch the default tools to Clang/LLVM	2020-08-26 10:40:47 +02:00
LICENSES	LICENSES: Rename other to deprecated	2019-05-03 06:34:32 -06:00
arch	x86/boot: kbuild: allow readelf executable to be specified	2020-08-26 10:40:46 +02:00
block	iocost: Fix check condition of iocg abs_vdebt	2020-08-19 08:15:58 +02:00
certs	PKCS#7: Refactor verify_pkcs7_signature()	2019-08-05 18:40:18 -04:00
crypto	crypto: algif_aead - fix uninitialized ctx->init	2020-08-21 13:05:38 +02:00
drivers	scsi: zfcp: Fix use-after-free in request timeout handlers	2020-08-26 10:40:52 +02:00
fs	jbd2: add the missing unlock_buffer() in the error path of jbd2_write_superblock()	2020-08-26 10:40:52 +02:00
include	iommu/vt-d: Enforce PASID devTLB field mask	2020-08-21 13:05:34 +02:00
init	x86: Fix early boot crash on gcc-10, third try	2020-05-20 08:20:34 +02:00
ipc	ipc/util.c: sysvipc_find_ipc() incorrectly updates position index	2020-05-20 08:20:16 +02:00
kernel	uprobes: __replace_page() avoid BUG in munlock_vma_page()	2020-08-26 10:40:51 +02:00
lib	test_kmod: avoid potential double free in trigger_config_run_type()	2020-08-21 13:05:37 +02:00
mm	mm, page_alloc: fix core hung in free_pcppages_bulk()	2020-08-26 10:40:51 +02:00
net	can: j1939: socket: j1939_sk_bind(): make sure ml_priv is allocated	2020-08-26 10:40:50 +02:00
samples	bpf: Fix fds_example SIGSEGV error	2020-08-19 08:16:03 +02:00
scripts	recordmcount: Fix build failure on non arm64	2020-08-21 13:05:36 +02:00
security	Smack: prevent underflow in smk_set_cipso()	2020-08-19 08:16:16 +02:00
sound	ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion	2020-08-26 10:40:50 +02:00
tools	perf probe: Fix memory leakage when the probe point is not found	2020-08-26 10:40:48 +02:00
usr	initramfs: restore default compression behavior	2020-04-08 09:08:38 +02:00
virt	KVM: arm64: Don't inherit exec permission across page-table levels	2020-08-05 09:59:51 +02:00
.clang-format	clang-format: Update with the latest for_each macro list	2019-08-31 10:00:51 +02:00
.cocciconfig	…
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	Modules updates for v5.4	2019-09-22 10:34:46 -07:00
.mailmap	ARM: SoC fixes	2019-11-10 13:41:59 -08:00
COPYING	COPYING: use the new text with points to the license files	2018-03-23 12:41:45 -06:00
CREDITS	MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer	2019-10-10 08:12:51 -07:00
Kbuild	kbuild: do not descend to ./Kbuild when cleaning	2019-08-21 21:03:58 +09:00
Kconfig	docs: kbuild: convert docs to ReST and rename to *.rst	2019-06-14 14:21:21 -06:00
MAINTAINERS	Documentation/llvm: add documentation on building w/ Clang/LLVM	2020-08-26 10:40:46 +02:00
Makefile	kbuild: support LLVM=1 to switch the default tools to Clang/LLVM	2020-08-26 10:40:47 +02:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.