diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2012-09-05 17:09:15 +0200 | 
|---|---|---|
| committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2012-09-05 17:20:28 -0700 | 
| commit | d5829eac5f7cfff89c6d1cf11717eee97cf030d0 (patch) | |
| tree | 9acff1b99c654235b5ad4534735fdaf03a9c5a45 /arch/m32r/lib/usercopy.c | |
| parent | 27a2709912ac19c755d34c79fe11994b0bf8082b (diff) | |
target: fix use-after-free with PSCSI sense data
The pointer to the sense buffer is fetched by transport_get_sense_data,
but this is called by target_complete_ok_work long after pscsi_req_done
has freed the struct that contains it.
Pass instead the fabric's sense buffer to transport_complete,
and copy the data to it directly in transport_complete.  Setting
SCF_TRANSPORT_TASK_SENSE also becomes a duty of transport_complete.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'arch/m32r/lib/usercopy.c')
0 files changed, 0 insertions, 0 deletions
