Patch "target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 18 Dec 2017 13:58:51 +0100

This is a note to let you know that I've just added the patch titled

    target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Mon Dec 18 13:28:59 CET 2017
From: Bart Van Assche <bart.vanassche@xxxxxxx>
Date: Tue, 31 Oct 2017 11:03:17 -0700
Subject: target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()

From: Bart Van Assche <bart.vanassche@xxxxxxx>


[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]

Avoid that cmd->se_cmd.se_tfo is read after a command has already been
freed.

Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: Mike Christie <mchristi@xxxxxxxxxx>
Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/target/iscsi/iscsi_target.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -834,6 +834,7 @@ static int iscsit_add_reject_from_cmd(
 	unsigned char *buf)
 {
 	struct iscsi_conn *conn;
+	const bool do_put = cmd->se_cmd.se_tfo != NULL;
 
 	if (!cmd->conn) {
 		pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
@@ -864,7 +865,7 @@ static int iscsit_add_reject_from_cmd(
 	 * Perform the kref_put now if se_cmd has already been setup by
 	 * scsit_setup_scsi_cmd()
 	 */
-	if (cmd->se_cmd.se_tfo != NULL) {
+	if (do_put) {
 		pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
 		target_put_sess_cmd(&cmd->se_cmd);
 	}


Patches currently in stable-queue which might be from bart.vanassche@xxxxxxx are

queue-4.14/ib-core-fix-endianness-annotation-in-rdma_is_multicast_addr.patch
queue-4.14/target-iscsi-detect-conn_cmd_list-corruption-early.patch
queue-4.14/target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch
queue-4.14/rdma-cma-avoid-triggering-undefined-behavior.patch
queue-4.14/scsi-core-fix-a-scsi_show_rq-null-pointer-dereference.patch
queue-4.14/blk-mq-sched-dispatch-from-scheduler-iff-progress-is-made-in-dispatch.patch






