From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Thomas Glanzmann <thomas@glanzmann.de>,
Mikulas Patocka <mpatocka@redhat.com>,
Nicholas Bellinger <nab@linux-iscsi.org>
Subject: [PATCH 3.15 02/61] target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd
Date: Tue, 24 Jun 2014 11:50:45 -0400 [thread overview]
Message-ID: <20140624154952.879386077@linuxfoundation.org> (raw)
In-Reply-To: <20140624154952.751713761@linuxfoundation.org>
3.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream.
This patch fixes a NULL pointer dereference regression bug that was
introduced with:
commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: Sat May 17 06:49:22 2014 -0400
target: fix memory leak on XCOPY
Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is
called with a valid se_cmd->cmd_kref, a NULL pointer dereference
is triggered because the XCOPY passthrough commands don't have
an associated se_session pointer.
To address this bug, go ahead and checking for a NULL se_sess pointer
within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd()
to release the XCOPY's xcopy_pt_cmd memory.
Reported-by: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Thomas Glanzmann <thomas@glanzmann.de>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2407,6 +2407,10 @@ static void target_release_cmd_kref(stru
*/
int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
{
+ if (!se_sess) {
+ se_cmd->se_tfo->release_cmd(se_cmd);
+ return 1;
+ }
return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
&se_sess->sess_cmd_lock);
}
next prev parent reply other threads:[~2014-06-24 16:15 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 15:50 [PATCH 3.15 00/61] 3.15.2-stable review Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 01/61] rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq Greg Kroah-Hartman
2014-06-24 15:50 ` Greg Kroah-Hartman [this message]
2014-06-24 15:50 ` [PATCH 3.15 03/61] iscsi-target: Reject mutual authentication with reflected CHAP_C Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 04/61] ima: audit log files opened with O_DIRECT flag Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 05/61] ima: introduce ima_kernel_read() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 06/61] evm: prohibit userspace writing security.evm HMAC value Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 07/61] ipv6: Fix regression caused by efe4208 in udp_v6_mcast_next() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 08/61] net: tunnels - enable module autoloading Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 09/61] sh_eth: use RNC mode for packet reception Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 10/61] sh_eth: fix SH7619/771x support Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 11/61] net: filter: fix typo in sparc BPF JIT Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 12/61] net: filter: fix sparc32 typo Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 14/61] net: force a list_del() in unregister_netdevice_many() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 15/61] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.15 16/61] sfc: PIO:Restrict to 64bit arch and use 64-bit writes Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 17/61] ipv4: fix a race in ip4_datagram_release_cb() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 18/61] sctp: Fix sk_ack_backlog wrap-around problem Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 19/61] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 20/61] vxlan: use dev->needed_headroom instead of dev->hard_header_len Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 21/61] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 22/61] ARM: at91: fix at91_sysirq_mask_rtc for sam9x5 SoCs Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 23/61] KVM: lapic: sync highest ISR to hardware apic on EOI Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 24/61] KVM: s390: Drop pending interrupts on guest exit Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 25/61] MIPS: KVM: Allocate at least 16KB for exception handlers Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 26/61] USB: cdc-acm: fix write and suspend race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 27/61] USB: cdc-acm: fix write and resume race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 28/61] USB: cdc-acm: fix broken runtime suspend Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 29/61] USB: cdc-acm: fix runtime PM for control messages Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 30/61] USB: cdc-acm: fix shutdown and suspend race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 31/61] USB: cdc-acm: fix potential urb leak and PM imbalance in write Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 32/61] USB: cdc-acm: fix open and suspend race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 33/61] USB: cdc-acm: fix failed open not being detected Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 34/61] USB: cdc-acm: fix I/O after failed open Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 35/61] USB: cdc-acm: fix runtime PM imbalance at shutdown Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 36/61] Drivers: hv: balloon: Ensure pressure reports are posted regularly Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 38/61] ASoC: dapm: Make sure to always update the DAPM graph in _put_volsw() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 39/61] ASoC: max98090: Fix reset at resume time Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 40/61] ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 41/61] iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610 and max11611 Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 42/61] staging: iio: tsl2x7x_core: fix proximity treshold Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 43/61] iio: adc: checking for NULL instead of IS_ERR() in probe Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 44/61] iio: mxs-lradc: fix divider Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 45/61] iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 46/61] iio: Fix endianness issue in ak8975_read_axis() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 48/61] lzo: properly check for overruns Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 49/61] lz4: ensure length does not wrap Greg Kroah-Hartman
[not found] ` <CAFkuX4tQoRhsS2A5iJNWyMELs=sLhNx-m5Uq38R7fjSmGHfvvQ@mail.gmail.com>
2014-06-24 20:59 ` Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 50/61] ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 51/61] ALSA: hda/realtek - Add support of ALC891 codec Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 52/61] ALSA: hda/realtek - Add more entry for enable HP mute led Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 53/61] ALSA: hda - verify pin:converter connection on unsol event for HSW and VLV Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 55/61] ALSA: control: Protect user controls against concurrent access Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 56/61] ALSA: control: Fix replacing user controls Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 57/61] ALSA: control: Dont access controls outside of protected regions Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 58/61] ALSA: control: Handle numid overflow Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 59/61] ALSA: control: Make sure that id->index does not overflow Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 60/61] tmpfs: ZERO_RANGE and COLLAPSE_RANGE not currently supported Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.15 61/61] slab: fix oops when reading /proc/slab_allocators Greg Kroah-Hartman
2014-06-24 19:50 ` [PATCH 3.15 00/61] 3.15.2-stable review Shuah Khan
2014-06-24 19:58 ` Greg Kroah-Hartman
2014-06-25 9:00 ` Satoru Takeuchi
2014-06-26 19:09 ` Greg Kroah-Hartman
2014-06-24 23:31 ` Guenter Roeck
2014-06-26 19:09 ` Greg Kroah-Hartman
2014-06-26 20:34 ` Guenter Roeck
2014-06-25 14:20 ` Benjamin LaHaise
2014-06-25 14:27 ` Josh Boyer
2014-06-26 19:09 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140624154952.879386077@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=nab@linux-iscsi.org \
--cc=stable@vger.kernel.org \
--cc=thomas@glanzmann.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).