From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 17 Jun 2014 23:16:43 +0000 (-0700)
Subject: 3.15-stable patches
X-Git-Tag: v3.4.95~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7653b972a78153a0d72ac5932710521c58025edd;p=thirdparty%2Fkernel%2Fstable-queue.git

3.15-stable patches

added patches:
	target-fix-null-pointer-dereference-for-xcopy-in-target_put_sess_cmd.patch
---

diff --git a/queue-3.15/series b/queue-3.15/series
index 56fe527ace8..7cec2665cee 100644
--- a/queue-3.15/series
+++ b/queue-3.15/series
@@ -1 +1,2 @@
 rtc-rtc-at91rm9200-fix-infinite-wait-for-ackupd-irq.patch
+target-fix-null-pointer-dereference-for-xcopy-in-target_put_sess_cmd.patch
diff --git a/queue-3.15/target-fix-null-pointer-dereference-for-xcopy-in-target_put_sess_cmd.patch b/queue-3.15/target-fix-null-pointer-dereference-for-xcopy-in-target_put_sess_cmd.patch
new file mode 100644
index 00000000000..52ef0559820
--- /dev/null
+++ b/queue-3.15/target-fix-null-pointer-dereference-for-xcopy-in-target_put_sess_cmd.patch
@@ -0,0 +1,50 @@
+From 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 12 Jun 2014 12:45:02 -0700
+Subject: target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 0ed6e189e3f6ac3a25383ed5cc8b0ac24c9b97b7 upstream.
+
+This patch fixes a NULL pointer dereference regression bug that was
+introduced with:
+
+commit 1e1110c43b1cda9fe77fc4a04835e460550e6b3c
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date:   Sat May 17 06:49:22 2014 -0400
+
+    target: fix memory leak on XCOPY
+
+Now that target_put_sess_cmd() -> kref_put_spinlock_irqsave() is
+called with a valid se_cmd->cmd_kref, a NULL pointer dereference
+is triggered because the XCOPY passthrough commands don't have
+an associated se_session pointer.
+
+To address this bug, go ahead and checking for a NULL se_sess pointer
+within target_put_sess_cmd(), and call se_cmd->se_tfo->release_cmd()
+to release the XCOPY's xcopy_pt_cmd memory.
+
+Reported-by: Thomas Glanzmann <thomas@glanzmann.de>
+Cc: Thomas Glanzmann <thomas@glanzmann.de>
+Cc: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2407,6 +2407,10 @@ static void target_release_cmd_kref(stru
+  */
+ int target_put_sess_cmd(struct se_session *se_sess, struct se_cmd *se_cmd)
+ {
++	if (!se_sess) {
++		se_cmd->se_tfo->release_cmd(se_cmd);
++		return 1;
++	}
+ 	return kref_put_spinlock_irqsave(&se_cmd->cmd_kref, target_release_cmd_kref,
+ 			&se_sess->sess_cmd_lock);
+ }