This is a note to let you know that I've just added the patch titled iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid to the 3.16-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch and it can be found in the queue-3.16 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001 From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> Date: Wed, 17 Sep 2014 11:45:17 -0700 Subject: iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> commit b53b0d99d6fbf7d44330395349a895521cfdbc96 upstream. This patch fixes a bug in iscsit_logout_post_handler_diffcid() where a pointer used as storage for list_for_each_entry() was incorrectly being used to determine if no matching entry had been found. This patch changes iscsit_logout_post_handler_diffcid() to key off bool conn_found to determine if the function needs to exit early. Reported-by: Joern Engel <joern@xxxxxxxxx> Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/target/iscsi/iscsi_target.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -4540,6 +4540,7 @@ static void iscsit_logout_post_handler_d { struct iscsi_conn *l_conn; struct iscsi_session *sess = conn->sess; + bool conn_found = false; if (!sess) return; 
@@ -4548,12 +4549,13 @@ static void iscsit_logout_post_handler_d list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) { if (l_conn->cid == cid) { iscsit_inc_conn_usage_count(l_conn); + conn_found = true; break; } } spin_unlock_bh(&sess->conn_lock); - if (!l_conn) + if (!conn_found) return; if (l_conn->sock) Patches currently in stable-queue which might be from nab@xxxxxxxxxxxxxxx are queue-3.16/target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch queue-3.16/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch queue-3.16/target-fix-inverted-logic-in-se_dev_alua_support_state_store.patch queue-3.16/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch queue-3.16/target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
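Review bot: In the first hunk (@@ -4540,6 +4540,7 @@), the new `bool conn_found = false;` adds a second piece of state that has to stay in step with `l_conn`, and `l_conn` itself is still read after the loop. Consider a separate result pointer instead, initialised to NULL and assigned only inside the `l_conn->cid == cid` branch, so that the iteration cursor is never used once list_for_each_entry() has finished and the "not found" case is an ordinary NULL test.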
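Review bot: In the second hunk (@@ -4548,12 +4549,13 @@), the replacement test `if (!conn_found)` would benefit from a short comment saying why `l_conn` cannot be tested here. When list_for_each_entry() runs to completion without a match, the cursor is not NULL: it is left pointing at an address computed from the list head `&sess->sess_conn_list`, so the old `if (!l_conn)` never fired and the `if (l_conn->sock)` that follows operated on memory that is not a real `struct iscsi_conn`. The commit message says the pointer was "incorrectly being used" but does not spell this out, and one line in the code would keep the check from being "simplified" back later. It is also worth noting in that comment that `l_conn` is used after `spin_unlock_bh(&sess->conn_lock)`, which relies on the `iscsit_inc_conn_usage_count(l_conn)` taken under the lock in the match branch.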