Patch "target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE" has been added to the 3.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 10 Nov 2014 11:37:49 +0900

This is a note to let you know that I've just added the patch titled

    target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
From: Quinn Tran <quinn.tran@xxxxxxxxxx>
Date: Thu, 25 Sep 2014 06:22:28 -0400
Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE

From: Quinn Tran <quinn.tran@xxxxxxxxxx>

commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.

During temporary resource starvation at lower transport layer, command
is placed on queue full retry path, which expose this problem.  The TCM
queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
cmd twice to lower layer.  The 1st time led to cmd normal free path.
The 2nd time cause Null pointer access.

This regression bug was originally introduced v3.1-rc code in the
following commit:

commit e057f53308a5f071556ee80586b99ee755bf07f5
Author: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Date:   Mon Oct 17 13:56:41 2011 -0400

    target: remove the transport_qf_callback se_cmd callback

Signed-off-by: Quinn Tran <quinn.tran@xxxxxxxxxx>
Signed-off-by: Saurav Kashyap <saurav.kashyap@xxxxxxxxxx>
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/target/target_core_transport.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1855,8 +1855,7 @@ static void transport_complete_qf(struct
 	if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
 		trace_target_cmd_complete(cmd);
 		ret = cmd->se_tfo->queue_status(cmd);
-		if (ret)
-			goto out;
+		goto out;
 	}
 
 	switch (cmd->data_direction) {


Patches currently in stable-queue which might be from quinn.tran@xxxxxxxxxx are

queue-3.14/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







