From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> 3.12-stable review patch. If anyone has any objections, please let me know. =============== commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream. This patch fixes a NULL pointer dereference regression bug that was introduced with: commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c Author: Mikulas Patocka <mpatocka@xxxxxxxxxx> Date: Sat May 17 06:49:22 2014 -0400 target: fix memory leak on XCOPY Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is called with a valid se_cmd->cmd_kref, a NULL pointer dereference is triggered because the XCOPY passthrough commands don't have an associated se_session pointer. To address this bug, go ahead and checking for a NULL se_sess pointer within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd() to release the XCOPY's xcopy_pt_cmd memory. Reported-by: Thomas Glanzmann <thomas@xxxxxxxxxxxx> Cc: Thomas Glanzmann <thomas@xxxxxxxxxxxx> Cc: Mikulas Patocka <mpatocka@xxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx # 3.12+ Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> Signed-off-by: Jiri Slaby <jslaby@xxxxxxx> --- drivers/target/target_core_transport.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 179141e03cb3..edacb8d0d6b8 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -2343,6 +2343,10 @@ static void target_release_cmd_kref(struct kref *kref) */ int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd) { + if (!se_sess) { + se_cmd->se_tfo->release_cmd(se_cmd); + return 1; + } return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref, &se_sess->sess_cmd_lock); } -- 2.0.0 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html