--- /dev/null
+From 8ae757d09c45102b347a1bc2867f54ffc1ab8fda Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Tue, 2 Sep 2014 17:49:54 -0400
+Subject: iscsi-target: avoid NULL pointer in iscsi_copy_param_list failure
+
+From: Joern Engel <joern@logfs.org>
+
+commit 8ae757d09c45102b347a1bc2867f54ffc1ab8fda upstream.
+
+In iscsi_copy_param_list() a failed iscsi_param_list memory allocation
+currently invokes iscsi_release_param_list() to cleanup, and will promptly
+trigger a NULL pointer dereference.
+
+Instead, go ahead and return for the first iscsi_copy_param_list()
+failure case.
+
+Found by coverity.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -603,7 +603,7 @@ int iscsi_copy_param_list(
+ param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL);
+ if (!param_list) {
+ pr_err("Unable to allocate memory for struct iscsi_param_list.\n");
+- goto err_out;
++ return -1;
+ }
+ INIT_LIST_HEAD(¶m_list->param_list);
+ INIT_LIST_HEAD(¶m_list->extra_response_list);
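Review bot: The early `return -1` fixes only this call site. Per the commit message, the cleanup helper reached through `err_out` still cannot take a NULL list, so a later failure path added above the allocation would bring the NULL dereference back. A one-line comment on the return would record that, e.g. `/* param_list is NULL here, so err_out must not be used */`. It may also be worth making `iscsi_release_param_list()` return early on a NULL argument, the way `kfree()` does, although that function is outside this hunk. The body of `iscsi_copy_param_list()` continues past the end of the hunk.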
--- /dev/null
+From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed, 17 Sep 2014 11:45:17 -0700
+Subject: iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit b53b0d99d6fbf7d44330395349a895521cfdbc96 upstream.
+
+This patch fixes a bug in iscsit_logout_post_handler_diffcid() where
+a pointer used as storage for list_for_each_entry() was incorrectly
+being used to determine if no matching entry had been found.
+
+This patch changes iscsit_logout_post_handler_diffcid() to key off
+bool conn_found to determine if the function needs to exit early.
+
+Reported-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4453,6 +4453,7 @@ static void iscsit_logout_post_handler_d
+ {
+ struct iscsi_conn *l_conn;
+ struct iscsi_session *sess = conn->sess;
++ bool conn_found = false;
+
+ if (!sess)
+ return;
+@@ -4461,12 +4462,13 @@ static void iscsit_logout_post_handler_d
+ list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) {
+ if (l_conn->cid == cid) {
+ iscsit_inc_conn_usage_count(l_conn);
++ conn_found = true;
+ break;
+ }
+ }
+ spin_unlock_bh(&sess->conn_lock);
+
+- if (!l_conn)
++ if (!conn_found)
+ return;
+
+ if (l_conn->sock)
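Review bot: `l_conn` still serves as both the loop cursor and the result, so the dereference at `if (l_conn->sock)` is safe only because of the `conn_found` test just above it. When `list_for_each_entry()` runs to completion, the cursor is left pointing at memory computed from the list head, not at a connection. A form that cannot be misused is a separate cursor with the result kept NULL until a match: `struct iscsi_conn *l_conn = NULL, *tmp;` in the declarations (first hunk) and `l_conn = tmp;` at the match, after which the original `if (!l_conn)` test becomes correct. The function body continues outside both hunks.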
--- /dev/null
+From d07f1e8600ccb885c8f4143402b8912f7d827bcb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 1 Sep 2014 20:27:29 +0300
+Subject: NFC: microread: Potential overflows in microread_target_discovered()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d07f1e8600ccb885c8f4143402b8912f7d827bcb upstream.
+
+Smatch says that skb->data is untrusted so we need to check to make sure
+that the memcpy() doesn't overflow.
+
+Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/microread/microread.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/nfc/microread/microread.c
++++ b/drivers/nfc/microread/microread.c
+@@ -501,9 +501,13 @@ static void microread_target_discovered(
+ targets->sens_res =
+ be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]);
+ targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK];
+- memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
+- skb->data[MICROREAD_EMCF_A_LEN]);
+ targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN];
++ if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
++ r = -EINVAL;
++ goto exit_free;
++ }
++ memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
++ targets->nfcid1_len);
+ break;
+ case MICROREAD_GATE_ID_MREAD_ISO_A_3:
+ targets->supported_protocols =
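Review bot: The new check bounds the destination only. Nothing visible in this hunk compares the offsets being read with `skb->len`, so a short frame still lets `skb->data[MICROREAD_EMCF_A_LEN]` and the `memcpy()` source run past the received data. The guard could also cover the source, for example `if (targets->nfcid1_len > sizeof(targets->nfcid1) || skb->len < MICROREAD_EMCF_A_UID + targets->nfcid1_len)`, with a minimum-length check before the fixed-offset reads of ATQA, SAK and LEN unless one already exists earlier in the function. The same applies to the `MICROREAD_GATE_ID_MREAD_ISO_A_3` case in the second hunk. `microread_target_discovered()` starts and ends outside these hunks.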
+@@ -511,9 +515,13 @@ static void microread_target_discovered(
+ targets->sens_res =
+ be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]);
+ targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK];
+- memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
+- skb->data[MICROREAD_EMCF_A3_LEN]);
+ targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN];
++ if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
++ r = -EINVAL;
++ goto exit_free;
++ }
++ memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
++ targets->nfcid1_len);
+ break;
+ case MICROREAD_GATE_ID_MREAD_ISO_B:
+ targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK;
--- /dev/null
+From db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 Mon Sep 17 00:00:00 2001
+From: Mike Christie <michaelc@cs.wisc.edu>
+Date: Wed, 3 Sep 2014 00:00:39 -0500
+Subject: SCSI: libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
+
+From: Mike Christie <michaelc@cs.wisc.edu>
+
+commit db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 upstream.
+
+This patch fixes a potential buffer overrun in __iscsi_conn_send_pdu.
+This function is used by iscsi drivers and userspace to send iscsi PDUs/
+commands. For login commands, we have a set buffer size. For all other
+commands we do not support data buffers.
+
+This was reported by Dan Carpenter here:
+http://www.spinics.net/lists/linux-scsi/msg66838.html
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libiscsi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn
+ return NULL;
+ }
+
++ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) {
++ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
++ return NULL;
++ }
++
+ task = conn->login_task;
+ } else {
+ if (session->state != ISCSI_STATE_LOGGED_IN)
+ return NULL;
+
++ if (data_size != 0) {
++ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode);
++ return NULL;
++ }
++
+ BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE);
+ BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED);
+
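Review bot: The login-path limit `ISCSI_DEF_MAX_RECV_SEG_LEN` is not tied to the buffer it protects. The allocation of the login data buffer is not in this hunk, so a reader cannot confirm that the two sizes agree, and a later change to either would silently reopen the overrun. A comment above the check would pin the relationship, e.g. `/* must not exceed the login data buffer allocated at connection setup */`. Since the commit message says userspace can reach this function, the two new `KERN_ERR` messages can also be triggered at will; consider whether they should be rate limited. `__iscsi_conn_send_pdu()` starts and ends outside the hunk.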
iio-adc-ad_sigma_delta-fix-indio_dev-trig-assignment.patch
iio-magnetometer-bugfix-magnetometers-gain-values.patch
iio-inkern-fix-overwritten-eprobe_defer-in-of_iio_channel_get_by_name.patch
+target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
+target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
+iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
+iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
+nfc-microread-potential-overflows-in-microread_target_discovered.patch
+scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
--- /dev/null
+From 0fc4ea701fcf5bc51ace4e288af5be741465f776 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@mellanox.com>
+Date: Wed, 2 Jul 2014 16:19:25 +0300
+Subject: Target/iser: Don't put isert_conn inside disconnected handler
+
+From: Sagi Grimberg <sagig@mellanox.com>
+
+commit 0fc4ea701fcf5bc51ace4e288af5be741465f776 upstream.
+
+disconnected_handler is invoked on several CM events (such
+as DISCONNECTED, DEVICE_REMOVAL, TIMEWAIT_EXIT...). Since
+multiple events can occur before isert_free_conn is
+invoked, we might put all isert_conn references and free
+the connection too early.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -583,7 +583,6 @@ isert_disconnect_work(struct work_struct
+
+ wake_up:
+ complete(&isert_conn->conn_wait);
+- isert_put_conn(isert_conn);
+ }
+
+ static void
+@@ -2266,6 +2265,7 @@ static void isert_wait_conn(struct iscsi
+ wait_for_completion(&isert_conn->conn_wait_comp_err);
+
+ wait_for_completion(&isert_conn->conn_wait);
++ isert_put_conn(isert_conn);
+ }
+
+ static void isert_free_conn(struct iscsi_conn *conn)
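Review bot: The `isert_put_conn()` added at the end of `isert_wait_conn()` is unconditional, while the reference it is meant to drop is, after the companion patch in this series, taken only in `isert_connected_handler()`. If `isert_wait_conn()` can run for a connection that never reached the connected state (not determinable from this hunk), the put is unbalanced and the connection could be freed while still referenced. It should be confirmed that every path into `isert_wait_conn()` has passed through the connected handler, or the put should be made conditional on that. Both functions start outside their hunks.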
--- /dev/null
+From c2f88b17a1d97ca4ecd96cc22333a7a4f1407d39 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@mellanox.com>
+Date: Wed, 2 Jul 2014 16:19:24 +0300
+Subject: Target/iser: Get isert_conn reference once got to connected_handler
+
+From: Sagi Grimberg <sagig@mellanox.com>
+
+commit c2f88b17a1d97ca4ecd96cc22333a7a4f1407d39 upstream.
+
+In case the connection didn't reach connected state, disconnected
+handler will never be invoked thus the second kref_put on
+isert_conn will be missing.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -404,7 +404,6 @@ isert_connect_request(struct rdma_cm_id
+ init_completion(&isert_conn->conn_wait);
+ init_completion(&isert_conn->conn_wait_comp_err);
+ kref_init(&isert_conn->conn_kref);
+- kref_get(&isert_conn->conn_kref);
+ mutex_init(&isert_conn->conn_mutex);
+
+ cma_id->context = isert_conn;
+@@ -530,7 +529,9 @@ isert_connect_release(struct isert_conn
+ static void
+ isert_connected_handler(struct rdma_cm_id *cma_id)
+ {
+- return;
++ struct isert_conn *isert_conn = cma_id->context;
++
++ kref_get(&isert_conn->conn_kref);
+ }
+
+ static void
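Review bot: `isert_connected_handler()` now takes a reference, but nothing at the `kref_get()` says which path drops it. A comment there would make the pairing reviewable, e.g. `/* held for the established connection; dropped in isert_wait_conn() */`, assuming the companion patch in this series that moves the put is applied alongside this one.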