From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>

Hi Guys,

This patch was committed to backports in the last weeks, but did not make it into lio-core-2.6.git..

Thanks to Roland for spotting this one!

--nab

---------------------------------------------------------------------

This patch adds a direct call to transport_generic_free_cmd() in tcm_qla2xxx_free_cmd() to handle the tcm_qla2xxx_handle_cmd() -> transport_get_lun_for_cmd() lookup failure case where we do not expect cmd->se_cmd.se_dev to have been set.

This fixes a NULL pointer dereference bug for se_cmd->se_dev in transport_generic_free_cmd_intr() that was initially reported during a WRITE_PROTECT failure in transport_get_lun_for_cmd().

Reported-by: Chris Worley <cworley@xxxxxxxxxxxx>
Signed-off-by: Nicholas A. Bellinger <nab@xxxxxxxxxxxxxxxxxxxxx>
--- drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c index b12494a..10ec659 100644 --- a/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c +++ b/drivers/target/tcm_qla2xxx/tcm_qla2xxx_fabric.c @@ -390,6 +390,17 @@ u32 tcm_qla2xxx_tpg_get_inst_index(struct se_portal_group *se_tpg) void tcm_qla2xxx_free_cmd(struct qla_tgt_cmd *cmd) { barrier(); + /* + * Handle tcm_qla2xxx_handle_cmd() -> transport_get_lun_for_cmd() + * failure case where cmd->se_cmd.se_dev was not assigned, and + * a call to transport_generic_free_cmd_intr() is not possible.. + */ + if (!cmd->se_cmd.se_dev) { + atomic_set(&cmd->cmd_stop_free, 1); + transport_generic_free_cmd(&cmd->se_cmd, 0, 0); + return; + } + transport_generic_free_cmd_intr(&cmd->se_cmd); } -- 1.7.2.5
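
Review bot: In the new `if (!cmd->se_cmd.se_dev)` branch of tcm_qla2xxx_free_cmd(), the comment says why transport_generic_free_cmd_intr() cannot be used but not why `atomic_set(&cmd->cmd_stop_free, 1)` has to precede the free, nor what the two literal arguments in `transport_generic_free_cmd(&cmd->se_cmd, 0, 0)` select; please document both in the comment. The guard also treats a NULL se_dev as the only sign that transport_get_lun_for_cmd() failed, which holds only if se_cmd.se_dev is guaranteed to be NULL on every path that reaches this function before the lookup succeeds, so it is worth stating where that field is zeroed. Since the commit message locates the dereference in transport_generic_free_cmd_intr() itself, consider whether the NULL check belongs there so that any other caller is covered as well.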