--- /dev/null
+From 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 12 Jun 2014 12:45:02 -0700
+Subject: target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream.
+
+This patch fixes a NULL pointer dereference regression bug that was
+introduced with:
+
+commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sat May 17 06:49:22 2014 -0400
+
+ target: fix memory leak on XCOPY
+
+Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is
+called with a valid se_cmd->cmd_kref, a NULL pointer dereference
+is triggered because the XCOPY passthrough commands don't have
+an associated se_session pointer.
+
+To address this bug, go ahead and checking for a NULL se_sess pointer
+within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd()
+to release the XCOPY's xcopy_pt_cmd memory.
+
+Reported-by: Thomas Glanzmann <thomas@glanzmann.de>
+Cc: Thomas Glanzmann <thomas@glanzmann.de>
+Cc: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2342,6 +2342,10 @@ static void target_release_cmd_kref(stru
+ */
+ int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
+ {
++ if (!se_sess) {
++ se_cmd->se_tfo->release_cmd(se_cmd);
++ return 1;
++ }
+ return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
+ &se_sess->sess_cmd_lock);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
