From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 19 Jun 2023 06:57:20 +0000 (+0200)
Subject: 6.3-stable patches
X-Git-Tag: v4.14.319~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74df77b449acc4b61d80c3c25a604edcdf4a3731;p=thirdparty%2Fkernel%2Fstable-queue.git

6.3-stable patches

added patches:
	scsi-target-core-fix-error-path-in-target_setup_session.patch
---

diff --git a/queue-6.3/scsi-target-core-fix-error-path-in-target_setup_session.patch b/queue-6.3/scsi-target-core-fix-error-path-in-target_setup_session.patch
new file mode 100644
index 00000000000..c265dedce79
--- /dev/null
+++ b/queue-6.3/scsi-target-core-fix-error-path-in-target_setup_session.patch
@@ -0,0 +1,39 @@
+From 91271699228bfc66f1bc8abc0327169dc156d854 Mon Sep 17 00:00:00 2001
+From: Bob Pearson <rpearsonhpe@gmail.com>
+Date: Tue, 13 Jun 2023 09:43:00 -0500
+Subject: scsi: target: core: Fix error path in target_setup_session()
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+commit 91271699228bfc66f1bc8abc0327169dc156d854 upstream.
+
+In the error exits in target_setup_session(), if a branch is taken to
+free_sess: transport_free_session() may call to target_free_cmd_counter()
+and then fall through to call target_free_cmd_counter() a second time.
+This can, and does, sometimes cause seg faults since the data field in
+cmd_cnt->refcnt has been freed in the first call.
+
+Fix this problem by simply returning after the call to
+transport_free_session(). The second call is redundant for those cases.
+
+Fixes: 4edba7e4a8f3 ("scsi: target: Move cmd counter allocation")
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Link: https://lore.kernel.org/r/20230613144259.12890-1-rpearsonhpe@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_transport.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -504,6 +504,8 @@ target_setup_session(struct se_portal_gr
+ 
+ free_sess:
+ 	transport_free_session(sess);
++	return ERR_PTR(rc);
++
+ free_cnt:
+ 	target_free_cmd_counter(cmd_cnt);
+ 	return ERR_PTR(rc);
diff --git a/queue-6.3/series b/queue-6.3/series
index efd2c5f280a..fd43f9cf549 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -183,3 +183,4 @@ afs-fix-vlserver-probe-rtt-handling.patch
 parisc-delete-redundant-register-definitions-in-asm-assembly.h.patch
 arm64-dts-qcom-sm8550-use-the-correct-llcc-register-scheme.patch
 neighbour-delete-neigh_lookup_nodev-as-not-used.patch
+scsi-target-core-fix-error-path-in-target_setup_session.patch