diff options
| author | Stefan Hajnoczi <stefanha@redhat.com> | 2018-02-03 07:16:21 +0100 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2019-01-11 13:57:24 +0100 |
| commit | c100448790b8494ca69f89a88c5833d767a87dc1 (patch) | |
| tree | eaff76b7e1bd8c224871b48bd8c370eddc211bf9 /vl.c | |
| parent | 83d11973fa78be5bf0fd0e00791245e974fe4af3 (diff) | |
| download | qemu-c100448790b8494ca69f89a88c5833d767a87dc1.zip qemu-c100448790b8494ca69f89a88c5833d767a87dc1.tar.gz qemu-c100448790b8494ca69f89a88c5833d767a87dc1.tar.bz2 | |
block/iscsi: fix ioctl cancel use-after-free
iscsi_aio_cancel() does not increment the request's reference count,
causing a use-after-free when ABORT TASK finishes after the request has
already completed.
There are some additional issues with iscsi_aio_cancel():
1. Several ABORT TASKs may be sent for the same task if
iscsi_aio_cancel() is invoked multiple times. It's better to avoid
this just in case the command identifier is reused.
2. The iscsilun->mutex protection is missing in iscsi_aio_cancel().
Reported-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20180203061621.7033-4-stefanha@redhat.com>
Reviewed-by: Felipe Franciosi <felipe@nutanix.com>
Tested-by: Sreejith Mohanan <sreejit.mohanan@nutanix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'vl.c')
0 files changed, 0 insertions, 0 deletions