[3.13.y.z extended stable] Patch "target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Jun 18 15:30:29 UTC 2014 

This is a note to let you know that I have just added a patch titled

    target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.4.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 14ef2343441940c8dc5d3a4aab2f118d7be944f0 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab at linux-iscsi.org>
Date: Thu, 12 Jun 2014 12:45:02 -0700
Subject: target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd

commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream.

This patch fixes a NULL pointer dereference regression bug that was
introduced with:

commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c
Author: Mikulas Patocka <mpatocka at redhat.com>
Date:   Sat May 17 06:49:22 2014 -0400

    target: fix memory leak on XCOPY

Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is
called with a valid se_cmd->cmd_kref, a NULL pointer dereference
is triggered because the XCOPY passthrough commands don't have
an associated se_session pointer.

To address this bug, go ahead and checking for a NULL se_sess pointer
within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd()
to release the XCOPY's xcopy_pt_cmd memory.

Reported-by: Thomas Glanzmann <thomas at glanzmann.de>
Cc: Thomas Glanzmann <thomas at glanzmann.de>
Cc: Mikulas Patocka <mpatocka at redhat.com>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/target/target_core_transport.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 3ef25bd..9095aef 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2304,6 +2304,10 @@ static void target_release_cmd_kref(struct kref *kref)
  */
 int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
 {
+	if (!se_sess) {
+		se_cmd->se_tfo->release_cmd(se_cmd);
+		return 1;
+	}
 	return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
 			&se_sess->sess_cmd_lock);
 }
--
1.9.1

More information about the kernel-team mailing list