Re: [PATCH 1/2] xen/scsiback: free unsubmitted command instead of double-putting it

[Juergen Gross]

On 11.06.26 14:30, Michael Bommarito wrote:
> scsiback_get_pend_req() obtains a command tag and returns a
> vscsibk_pend whose embedded se_cmd has only been memset to 0, so
> its cmd_kref is 0; the se_cmd is initialised (kref_init() via
> target_init_cmd()) only later, in scsiback_cmd_exec(), on the
> successful VSCSIIF_ACT_SCSI_CDB path. The two error paths in
> scsiback_do_cmd_fn() taken before the command is submitted -- a
> failed scsiback_gnttab_data_map() and an unknown ring_req.act --
> call transport_generic_free_cmd(&pending_req->se_cmd, 0), which
> kref_put()s a refcount of 0. That underflows it ("refcount_t:
> underflow; use-after-free") and, as the release function is not
> run, leaks the command tag.
>
> Impact: a pvSCSI guest can leak every command tag of a LUN's
> session, stopping the LUN, by submitting requests with a bad
> grant reference or an unknown request type; under panic_on_warn
> the refcount underflow panics the host.
>
> Add a helper that just returns the tag with target_free_tag() and
> sends the error response. It frees the tag while the v2p reference
> still pins the session, and snapshots the response fields
> beforehand because freeing the tag can let another ring reuse the
> pending_req slot.
>
> Fixes: 2dbcdf33dbf6 ("xen-scsiback: Convert to percpu_ida tag allocation")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>

Reviewed-by: Juergen Gross <jgross@xxxxxxxx>


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature