From patchwork Mon Sep 21 22:25:53 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 520655 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 19FC2140771; Tue, 22 Sep 2015 08:26:24 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Ze9XQ-0003kf-FQ; Mon, 21 Sep 2015 22:26:20 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Ze9X2-0003Tt-BS for kernel-team@lists.ubuntu.com; Mon, 21 Sep 2015 22:25:56 +0000 Received: from 1.general.kamal.us.vpn ([10.172.68.52] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1Ze9X1-0006mM-O3; Mon, 21 Sep 2015 22:25:55 +0000 Received: from kamal by fourier with local (Exim 4.82) (envelope-from ) id 1Ze9Wz-0004Lc-H8; Mon, 21 Sep 2015 15:25:53 -0700 From: Kamal Mostafa To: Alexei Potashnik Subject: [3.19.y-ckt stable] Patch "target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT" has been added to staging queue Date: Mon, 21 Sep 2015 15:25:53 -0700 Message-Id: <1442874353-16682-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 1.9.1 X-Extended-Stable: 3.19 Cc: Spencer Baugh , Kamal Mostafa , kernel-team@lists.ubuntu.com, Nicholas Bellinger X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT to the linux-3.19.y-queue branch of the 3.19.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.19.y-queue This patch is scheduled to be released in version 3.19.8-ckt7. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.19.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From 59d5c4a84e122ca7c0ea0e51daf0002c53977275 Mon Sep 17 00:00:00 2001 From: Alexei Potashnik Date: Tue, 21 Jul 2015 15:07:56 -0700 Subject: target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT commit 9547308bda296b6f69876c840a0291fcfbeddbb8 upstream. Make sure all non-READ SCSI commands get targ_xfer_tag initialized to 0xffffffff, not just WRITEs. Double-free of a TUR cmd object occurs under the following scenario: 1. TUR received (targ_xfer_tag is uninitialized and left at 0) 2. TUR status sent 3. First unsolicited NOPIN is sent to initiator (gets targ_xfer_tag of 0) 4. NOPOUT for NOPIN (with TTT=0) arrives - its ExpStatSN acks TUR status, TUR is queued for removal - LIO tries to find NOPIN with TTT=0, but finds the same TUR instead, TUR is queued for removal for the 2nd time (Drop unbalanced conditional bracket usage - nab) Signed-off-by: Alexei Potashnik Signed-off-by: Spencer Baugh Signed-off-by: Nicholas Bellinger [ luis: backported to 3.16: - kept brackets as they are needed in 3.16 kernel ] Signed-off-by: Luis Henriques Signed-off-by: Kamal Mostafa --- drivers/target/iscsi/iscsi_target.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.9.1 diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index 4e08d63..0c508a4 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -967,7 +967,7 @@ int iscsit_setup_scsi_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, if (cmd->targ_xfer_tag == 0xFFFFFFFF) cmd->targ_xfer_tag = conn->sess->targ_xfer_tag++; spin_unlock_bh(&conn->sess->ttt_lock); - } else if (hdr->flags & ISCSI_FLAG_CMD_WRITE) + } else cmd->targ_xfer_tag = 0xFFFFFFFF; cmd->cmd_sn = be32_to_cpu(hdr->cmdsn); cmd->exp_stat_sn = be32_to_cpu(hdr->exp_statsn);