From 5f60e06880754ad60cf585a3f889c75c5785b5b0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 3 Oct 2014 10:11:43 -0700
Subject: [PATCH] 3.10-stable patches
added patches:
iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
nfc-microread-potential-overflows-in-microread_target_discovered.patch
scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
---
...ter-in-iscsi_copy_param_list-failure.patch | 37 +++++++++++++
...n-iscsit_logout_post_handler_diffcid.patch | 49 +++++++++++++++++
...flows-in-microread_target_discovered.patch | 55 +++++++++++++++++++
...fer-overrun-in-__iscsi_conn_send_pdu.patch | 52 ++++++++++++++++++
queue-3.10/series | 6 ++
...ert_conn-inside-disconnected-handler.patch | 41 ++++++++++++++
...erence-once-got-to-connected_handler.patch | 42 ++++++++++++++
7 files changed, 282 insertions(+)
create mode 100644 queue-3.10/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
create mode 100644 queue-3.10/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
create mode 100644 queue-3.10/nfc-microread-potential-overflows-in-microread_target_discovered.patch
create mode 100644 queue-3.10/scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
create mode 100644 queue-3.10/target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
create mode 100644 queue-3.10/target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
diff --git a/queue-3.10/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch b/queue-3.10/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
new file mode 100644
index 00000000000..8dec01a49bb
--- /dev/null
+++ b/queue-3.10/iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
@@ -0,0 +1,37 @@
+From 8ae757d09c45102b347a1bc2867f54ffc1ab8fda Mon Sep 17 00:00:00 2001
+From: Joern Engel
+Date: Tue, 2 Sep 2014 17:49:54 -0400
+Subject: iscsi-target: avoid NULL pointer in iscsi_copy_param_list failure
+
+From: Joern Engel
+
+commit 8ae757d09c45102b347a1bc2867f54ffc1ab8fda upstream.
+
+In iscsi_copy_param_list() a failed iscsi_param_list memory allocation
+currently invokes iscsi_release_param_list() to cleanup, and will promptly
+trigger a NULL pointer dereference.
+
+Instead, go ahead and return for the first iscsi_copy_param_list()
+failure case.
+
+Found by coverity.
+
+Signed-off-by: Joern Engel
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -603,7 +603,7 @@ int iscsi_copy_param_list(
+ param_list = kzalloc(sizeof(struct iscsi_param_list), GFP_KERNEL);
+ if (!param_list) {
+ pr_err("Unable to allocate memory for struct iscsi_param_list.\n");
+- goto err_out;
++ return -1;
+ }
+ INIT_LIST_HEAD(¶m_list->param_list);
+ INIT_LIST_HEAD(¶m_list->extra_response_list);
diff --git a/queue-3.10/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch b/queue-3.10/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
new file mode 100644
index 00000000000..ba4254f4cee
--- /dev/null
+++ b/queue-3.10/iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
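Review bot: The new early return hands back the bare sentinel `-1` rather than `-ENOMEM`, so a caller that propagates the value cannot tell an allocation failure from any other error in iscsi_copy_param_list(). If the function's remaining failure path (the `err_out` label, outside this hunk) also returns -1 and callers only test for non-zero, this is harmless, but the reason the normal cleanup label is bypassed deserves a line at the return: `/* nothing allocated yet; err_out would release a NULL param_list */`. The `pr_err()` on the line above is redundant because kzalloc() already warns on failure, though that line is pre-existing. The enclosing function starts and ends outside the hunk.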
@@ -0,0 +1,49 @@
+From b53b0d99d6fbf7d44330395349a895521cfdbc96 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Wed, 17 Sep 2014 11:45:17 -0700
+Subject: iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid
+
+From: Nicholas Bellinger
+
+commit b53b0d99d6fbf7d44330395349a895521cfdbc96 upstream.
+
+This patch fixes a bug in iscsit_logout_post_handler_diffcid() where
+a pointer used as storage for list_for_each_entry() was incorrectly
+being used to determine if no matching entry had been found.
+
+This patch changes iscsit_logout_post_handler_diffcid() to key off
+bool conn_found to determine if the function needs to exit early.
+
+Reported-by: Joern Engel
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4453,6 +4453,7 @@ static void iscsit_logout_post_handler_d
+ {
+ struct iscsi_conn *l_conn;
+ struct iscsi_session *sess = conn->sess;
++ bool conn_found = false;
+
+ if (!sess)
+ return;
+@@ -4461,12 +4462,13 @@ static void iscsit_logout_post_handler_d
+ list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) {
+ if (l_conn->cid == cid) {
+ iscsit_inc_conn_usage_count(l_conn);
++ conn_found = true;
+ break;
+ }
+ }
+ spin_unlock_bh(&sess->conn_lock);
+
+- if (!l_conn)
++ if (!conn_found)
+ return;
+
+ if (l_conn->sock)
diff --git a/queue-3.10/nfc-microread-potential-overflows-in-microread_target_discovered.patch b/queue-3.10/nfc-microread-potential-overflows-in-microread_target_discovered.patch
new file mode 100644
index 00000000000..14523070bf9
--- /dev/null
+++ b/queue-3.10/nfc-microread-potential-overflows-in-microread_target_discovered.patch
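Review bot: The reason `conn_found` is needed is not recorded next to it: when `list_for_each_entry()` runs to completion the cursor `l_conn` is never NULL but points at the container computed from the list head, so the removed `if (!l_conn)` could never fire and the code below dereferenced a bogus struct. A short comment on the new flag would stop the next reader from "simplifying" it back, e.g. `/* l_conn is never NULL after list_for_each_entry(); track the hit explicitly */`. Note also that the usage count taken under conn_lock is now the only thing pinning l_conn once the lock is dropped, so every later exit of the function (outside this hunk) must pair it with iscsit_dec_conn_usage_count(). The enclosing function ends outside the hunk.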
@@ -0,0 +1,55 @@
+From d07f1e8600ccb885c8f4143402b8912f7d827bcb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 1 Sep 2014 20:27:29 +0300
+Subject: NFC: microread: Potential overflows in microread_target_discovered()
+
+From: Dan Carpenter
+
+commit d07f1e8600ccb885c8f4143402b8912f7d827bcb upstream.
+
+Smatch says that skb->data is untrusted so we need to check to make sure
+that the memcpy() doesn't overflow.
+
+Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread')
+Signed-off-by: Dan Carpenter
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/microread/microread.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/nfc/microread/microread.c
++++ b/drivers/nfc/microread/microread.c
+@@ -501,9 +501,13 @@ static void microread_target_discovered(
+ targets->sens_res =
+ be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]);
+ targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK];
+- memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
+- skb->data[MICROREAD_EMCF_A_LEN]);
+ targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN];
++ if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
++ r = -EINVAL;
++ goto exit_free;
++ }
++ memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
++ targets->nfcid1_len);
+ break;
+ case MICROREAD_GATE_ID_MREAD_ISO_A_3:
+ targets->supported_protocols =
+@@ -511,9 +515,13 @@ static void microread_target_discovered(
+ targets->sens_res =
+ be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]);
+ targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK];
+- memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
+- skb->data[MICROREAD_EMCF_A3_LEN]);
+ targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN];
++ if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
++ r = -EINVAL;
++ goto exit_free;
++ }
++ memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
++ targets->nfcid1_len);
+ break;
+ case MICROREAD_GATE_ID_MREAD_ISO_B:
+ targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK;
diff --git a/queue-3.10/scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch b/queue-3.10/scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
new file mode 100644
index 00000000000..7ef2901ee3d
--- /dev/null
+++ b/queue-3.10/scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
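Review bot: The added bound checks only the destination: `targets->nfcid1_len` is still taken from `skb->data[MICROREAD_EMCF_A_LEN]` and used as the memcpy length without confirming the skb actually holds `MICROREAD_EMCF_A_UID + nfcid1_len` bytes, so an undersized frame from the device can still read past the end of skb->data (the same holds for the A3 case and, pre-existing, for the fixed-offset ATQA/SAK reads above). Unless a check on `skb->len` precedes the switch (outside this hunk), the guard should be `if (targets->nfcid1_len > sizeof(targets->nfcid1) || skb->len < MICROREAD_EMCF_A_UID + targets->nfcid1_len)`, with the A3 constants in the second case. The two cases are now identical apart from the offset constants, so a small static helper taking the offsets would remove the duplicated check. The enclosing function starts and ends outside the hunk, as do `r` and `exit_free`.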
@@ -0,0 +1,52 @@
+From db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 Mon Sep 17 00:00:00 2001
+From: Mike Christie
+Date: Wed, 3 Sep 2014 00:00:39 -0500
+Subject: SCSI: libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
+
+From: Mike Christie
+
+commit db9bfd64b14a3a8f1868d2164518fdeab1b26ad1 upstream.
+
+This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
+This function is used by iscsi drivers and userspace to send iscsi PDUs/
+commands. For login commands, we have a set buffer size. For all other
+commands we do not support data buffers.
+
+This was reported by Dan Carpenter here:
+http://www.spinics.net/lists/linux-scsi/msg66838.html
+
+Reported-by: Dan Carpenter
+Signed-off-by: Mike Christie
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Christoph Hellwig
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/libiscsi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -717,11 +717,21 @@ __iscsi_conn_send_pdu(struct iscsi_conn
+ return NULL;
+ }
+
++ if (data_size > ISCSI_DEF_MAX_RECV_SEG_LEN) {
++ iscsi_conn_printk(KERN_ERR, conn, "Invalid buffer len of %u for login task. Max len is %u\n", data_size, ISCSI_DEF_MAX_RECV_SEG_LEN);
++ return NULL;
++ }
++
+ task = conn->login_task;
+ } else {
+ if (session->state != ISCSI_STATE_LOGGED_IN)
+ return NULL;
+
++ if (data_size != 0) {
++ iscsi_conn_printk(KERN_ERR, conn, "Can not send data buffer of len %u for op 0x%x\n", data_size, opcode);
++ return NULL;
++ }
++
+ BUG_ON(conn->c_stage == ISCSI_CONN_INITIAL_STAGE);
+ BUG_ON(conn->c_stage == ISCSI_CONN_STOPPED);
+
diff --git a/queue-3.10/series b/queue-3.10/series
index 475a715973a..962c527444d 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
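Review bot: The login-path bound `ISCSI_DEF_MAX_RECV_SEG_LEN` is a protocol default, not visibly the size of the buffer behind `conn->login_task`, so the new check is only correct while the two stay in lock-step; a comment at the check should name the allocation it protects, e.g. `/* login_task's data buffer is ISCSI_DEF_MAX_RECV_SEG_LEN bytes; keep in sync with iscsi_conn_setup() */` — the allocation site is outside this hunk and should be confirmed. Both new `iscsi_conn_printk(KERN_ERR, ...)` calls sit on a path the commit message says is reachable from userspace, so an unthrottled error per rejected PDU is a log-flooding vector; a rate-limited variant would be safer even though the normal caller is the privileged iscsid. `data_size` and `opcode` are used in the messages but declared outside the hunk, and __iscsi_conn_send_pdu() itself starts and ends outside it.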
@@ -83,3 +83,9 @@ iio-st_sensors-fix-indio_dev-trig-assignment.patch
 iio-adc-ad_sigma_delta-fix-indio_dev-trig-assignment.patch
 iio-magnetometer-bugfix-magnetometers-gain-values.patch
 iio-inkern-fix-overwritten-eprobe_defer-in-of_iio_channel_get_by_name.patch
+target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
+target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
+iscsi-target-avoid-null-pointer-in-iscsi_copy_param_list-failure.patch
+iscsi-target-fix-memory-corruption-in-iscsit_logout_post_handler_diffcid.patch
+nfc-microread-potential-overflows-in-microread_target_discovered.patch
+scsi-libiscsi-fix-potential-buffer-overrun-in-__iscsi_conn_send_pdu.patch
diff --git a/queue-3.10/target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch b/queue-3.10/target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
new file mode 100644
index 00000000000..ed3eb17e9ad
--- /dev/null
+++ b/queue-3.10/target-iser-don-t-put-isert_conn-inside-disconnected-handler.patch
@@ -0,0 +1,41 @@
+From 0fc4ea701fcf5bc51ace4e288af5be741465f776 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Wed, 2 Jul 2014 16:19:25 +0300
+Subject: Target/iser: Don't put isert_conn inside disconnected handler
+
+From: Sagi Grimberg
+
+commit 0fc4ea701fcf5bc51ace4e288af5be741465f776 upstream.
+
+disconnected_handler is invoked on several CM events (such
+as DISCONNECTED, DEVICE_REMOVAL, TIMEWAIT_EXIT...). Since
+multiple events can occur while before isert_free_conn is
+invoked, we might put all isert_conn references and free
+the connection too early.
+
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -583,7 +583,6 @@ isert_disconnect_work(struct work_struct
+
+ wake_up:
+ complete(&isert_conn->conn_wait);
+- isert_put_conn(isert_conn);
+ }
+
+ static void
+@@ -2266,6 +2265,7 @@ static void isert_wait_conn(struct iscsi
+ wait_for_completion(&isert_conn->conn_wait_comp_err);
+
+ wait_for_completion(&isert_conn->conn_wait);
++ isert_put_conn(isert_conn);
+ }
+
+ static void isert_free_conn(struct iscsi_conn *conn)
diff --git a/queue-3.10/target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch b/queue-3.10/target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
new file mode 100644
index 00000000000..c967d27c18e
--- /dev/null
+++ b/queue-3.10/target-iser-get-isert_conn-reference-once-got-to-connected_handler.patch
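Review bot: The `isert_put_conn()` moved into isert_wait_conn() now runs unconditionally after the second wait_for_completion(), so it silently assumes the reference it drops was taken, i.e. that the connection reached isert_connected_handler(); after the companion patch in this series a connection that never got there holds only the kref_init() reference, and this put followed by the one in isert_free_conn() would free it twice. That needs confirming outside this hunk (whether isert_wait_conn() can run for a never-connected isert_conn), and the new line should say what it balances: `/* drop the reference taken in isert_connected_handler() */`. A matching `/* reference is released by isert_wait_conn() */` at the `wake_up:` label would explain why the put disappeared from isert_disconnect_work(). Both enclosing functions start outside the hunk.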
@@ -0,0 +1,42 @@
+From c2f88b17a1d97ca4ecd96cc22333a7a4f1407d39 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg
+Date: Wed, 2 Jul 2014 16:19:24 +0300
+Subject: Target/iser: Get isert_conn reference once got to connected_handler
+
+From: Sagi Grimberg
+
+commit c2f88b17a1d97ca4ecd96cc22333a7a4f1407d39 upstream.
+
+In case the connection didn't reach connected state, disconnected
+handler will never be invoked thus the second kref_put on
+isert_conn will be missing.
+
+Signed-off-by: Sagi Grimberg
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -404,7 +404,6 @@ isert_connect_request(struct rdma_cm_id
+ init_completion(&isert_conn->conn_wait);
+ init_completion(&isert_conn->conn_wait_comp_err);
+ kref_init(&isert_conn->conn_kref);
+- kref_get(&isert_conn->conn_kref);
+ mutex_init(&isert_conn->conn_mutex);
+
+ cma_id->context = isert_conn;
+@@ -530,7 +529,9 @@ isert_connect_release(struct isert_conn
+ static void
+ isert_connected_handler(struct rdma_cm_id *cma_id)
+ {
+- return;
++ struct isert_conn *isert_conn = cma_id->context;
++
++ kref_get(&isert_conn->conn_kref);
+ }
+
+ static void
-- 
2.47.3
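Review bot: The new `kref_get()` in isert_connected_handler() has no comment saying which put balances it, so the isert_conn reference contract is now split across three functions with nothing tying them together; a one-liner such as `/* second ref, released on the disconnect/wait path; kref_init() ref is dropped by isert_free_conn() */` (naming the actual put site, which is outside this hunk) would make the pairing auditable. The handler also trusts `cma_id->context` without a NULL check; the first hunk shows the context being assigned in isert_connect_request() after kref_init(), so this is fine only if no CONNECTED event can be delivered for a cma_id whose context was never set or already cleared — worth confirming against the CM event ordering. isert_connect_request() starts and ends outside the hunk.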