--- /dev/null
+From 91271699228bfc66f1bc8abc0327169dc156d854 Mon Sep 17 00:00:00 2001
+From: Bob Pearson <rpearsonhpe@gmail.com>
+Date: Tue, 13 Jun 2023 09:43:00 -0500
+Subject: scsi: target: core: Fix error path in target_setup_session()
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+commit 91271699228bfc66f1bc8abc0327169dc156d854 upstream.
+
+In the error exits in target_setup_session(), if a branch is taken to
+free_sess: transport_free_session() may call to target_free_cmd_counter()
+and then fall through to call target_free_cmd_counter() a second time.
+This can, and does, sometimes cause seg faults since the data field in
+cmd_cnt->refcnt has been freed in the first call.
+
+Fix this problem by simply returning after the call to
+transport_free_session(). The second call is redundant for those cases.
+
+Fixes: 4edba7e4a8f3 ("scsi: target: Move cmd counter allocation")
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Link: https://lore.kernel.org/r/20230613144259.12890-1-rpearsonhpe@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 86adff2a86ed..687adc9e086c 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -504,6 +504,8 @@ target_setup_session(struct se_portal_group *tpg,
+
+ free_sess:
+ transport_free_session(sess);
++ return ERR_PTR(rc);
++
+ free_cnt:
+ target_free_cmd_counter(cmd_cnt);
+ return ERR_PTR(rc);
+--
+2.41.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
