From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 19 Jun 2023 06:56:58 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v4.14.319~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=323d65c1c6c95806ff396295477c5d61046a9dc0;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	scsi-target-core-fix-error-path-in-target_setup_session.patch
---

diff --git a/queue-6.1/scsi-target-core-fix-error-path-in-target_setup_session.patch b/queue-6.1/scsi-target-core-fix-error-path-in-target_setup_session.patch
new file mode 100644
index 00000000000..6e374dc1024
--- /dev/null
+++ b/queue-6.1/scsi-target-core-fix-error-path-in-target_setup_session.patch
@@ -0,0 +1,44 @@
+From 91271699228bfc66f1bc8abc0327169dc156d854 Mon Sep 17 00:00:00 2001
+From: Bob Pearson <rpearsonhpe@gmail.com>
+Date: Tue, 13 Jun 2023 09:43:00 -0500
+Subject: scsi: target: core: Fix error path in target_setup_session()
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+commit 91271699228bfc66f1bc8abc0327169dc156d854 upstream.
+
+In the error exits in target_setup_session(), if a branch is taken to
+free_sess: transport_free_session() may call to target_free_cmd_counter()
+and then fall through to call target_free_cmd_counter() a second time.
+This can, and does, sometimes cause seg faults since the data field in
+cmd_cnt->refcnt has been freed in the first call.
+
+Fix this problem by simply returning after the call to
+transport_free_session(). The second call is redundant for those cases.
+
+Fixes: 4edba7e4a8f3 ("scsi: target: Move cmd counter allocation")
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Link: https://lore.kernel.org/r/20230613144259.12890-1-rpearsonhpe@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 86adff2a86ed..687adc9e086c 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -504,6 +504,8 @@ target_setup_session(struct se_portal_group *tpg,
+ 
+ free_sess:
+ 	transport_free_session(sess);
++	return ERR_PTR(rc);
++
+ free_cnt:
+ 	target_free_cmd_counter(cmd_cnt);
+ 	return ERR_PTR(rc);
+-- 
+2.41.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index efffe12b659..69fb78b8a79 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -159,3 +159,4 @@ net-sched-act_api-move-tca_ext_warn_msg-to-the-correct-hierarchy.patch
 revert-net-sched-act_api-move-tca_ext_warn_msg-to-the-correct-hierarchy.patch
 net-sched-act_api-add-specific-ext_warn_msg-for-tc-action.patch
 neighbour-delete-neigh_lookup_nodev-as-not-used.patch
+scsi-target-core-fix-error-path-in-target_setup_session.patch