Patch "scsi: target: Fix alua_tg_pt_gps_count tracking" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    scsi: target: Fix alua_tg_pt_gps_count tracking

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-target-fix-alua_tg_pt_gps_count-tracking.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 28ea1b072f7e29004aef53854ac02dbb69e0e374
Author: Mike Christie <michael.christie@xxxxxxxxxx>
Date:   Wed Sep 29 21:04:20 2021 -0500

    scsi: target: Fix alua_tg_pt_gps_count tracking
    
    [ Upstream commit 1283c0d1a32bb924324481586b5d6e8e76f676ba ]
    
    We can't free the tg_pt_gp in core_alua_set_tg_pt_gp_id() because it's
    still accessed via configfs. Its release must go through the normal
    configfs/refcount process.
    
    The max alua_tg_pt_gps_count check should probably have been done in
    core_alua_allocate_tg_pt_gp(), but with the current code userspace could
    have created 0x0000ffff + 1 groups, but only set the id for 0x0000ffff.
    Then it could have deleted a group with an ID set, and then set the ID for
    that extra group and it would work ok.
    
    It's unlikely, but just in case this patch continues to allow that type of
    behavior, and just fixes the kfree() while in use bug.
    
    Link: https://lore.kernel.org/r/20210930020422.92578-4-michael.christie@xxxxxxxxxx
    Signed-off-by: Mike Christie <michael.christie@xxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c
index 385e4cf9cfa63..0fc3135d3e4f6 100644
--- a/drivers/target/target_core_alua.c
+++ b/drivers/target/target_core_alua.c
@@ -1702,7 +1702,6 @@ int core_alua_set_tg_pt_gp_id(
 		pr_err("Maximum ALUA alua_tg_pt_gps_count:"
 			" 0x0000ffff reached\n");
 		spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
-		kmem_cache_free(t10_alua_tg_pt_gp_cache, tg_pt_gp);
 		return -ENOSPC;
 	}
 again:
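Review bot: The -ENOSPC return in core_alua_set_tg_pt_gp_id() now leaves tg_pt_gp allocated with nothing in the code saying why, so the missing free reads like a leak and invites someone to put the kmem_cache_free() back. A short comment above `return -ENOSPC;` stating that the group is still reachable through configfs and is released by the normal configfs/refcount path would record the ownership rule the commit message relies on. The commit message also says the maximum-count check probably belongs in core_alua_allocate_tg_pt_gp(); this hunk keeps it where it is, so the 0x0000ffff limit is still applied only when an ID is set, which is worth tracking as a follow-up.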


