Patch "scsi: target: pscsi: Fix bio_put() for error case" has been added to the 6.6-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 26 Feb 2024 13:08:41 +0100

This is a note to let you know that I've just added the patch titled

    scsi: target: pscsi: Fix bio_put() for error case

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-target-pscsi-fix-bio_put-for-error-case.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From de959094eb2197636f7c803af0943cb9d3b35804 Mon Sep 17 00:00:00 2001
From: Naohiro Aota <naohiro.aota@xxxxxxx>
Date: Wed, 14 Feb 2024 23:43:56 +0900
Subject: scsi: target: pscsi: Fix bio_put() for error case

From: Naohiro Aota <naohiro.aota@xxxxxxx>

commit de959094eb2197636f7c803af0943cb9d3b35804 upstream.

As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc
wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()
and kfree(). That is not done properly for the error case, hitting WARN and
NULL pointer dereference in bio_free().

Fixes: 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc wrapper")
CC: stable@xxxxxxxxxxxxxxx # 6.1+
Signed-off-by: Naohiro Aota <naohiro.aota@xxxxxxx>
Link: https://lore.kernel.org/r/20240214144356.101814-1-naohiro.aota@xxxxxxx
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@xxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/target/target_core_pscsi.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/target/target_core_pscsi.c
+++ b/drivers/target/target_core_pscsi.c
@@ -907,12 +907,15 @@ new_bio:
 
 	return 0;
 fail:
-	if (bio)
-		bio_put(bio);
+	if (bio) {
+		bio_uninit(bio);
+		kfree(bio);
+	}
 	while (req->bio) {
 		bio = req->bio;
 		req->bio = bio->bi_next;
-		bio_put(bio);
+		bio_uninit(bio);
+		kfree(bio);
 	}
 	req->biotail = NULL;
 	return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;


Patches currently in stable-queue which might be from naohiro.aota@xxxxxxx are

queue-6.6/scsi-target-pscsi-fix-bio_put-for-error-case.patch







