From 4ad6feea56850d079894a2ad32f77a5a1f48ad0c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Jun 2014 15:10:51 -0700
Subject: [PATCH] 3.10-stable patches

added patches:
iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch
mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
---
 ...ut_sess_cmd-for-immedatedata-failure.patch | 43 +++++++++++++++++++
 ...fix-use-after-free-in-__put_anon_vma.patch | 42 ++++++++++++++++++
 queue-3.10/series | 2 +
 3 files changed, 87 insertions(+)
 create mode 100644 queue-3.10/iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch
 create mode 100644 queue-3.10/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
diff --git a/queue-3.10/iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch b/queue-3.10/iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch
new file mode 100644
index 00000000000..25bd1d8935f
--- /dev/null
+++ b/queue-3.10/iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch
@@ -0,0 +1,43 @@
+From 6cc44a6fb46e1ecc1c28125aa8fa34d317aa9ea7 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Fri, 23 May 2014 00:48:35 -0700
+Subject: iser-target: Add missing target_put_sess_cmd for ImmedateData failure
+
+From: Nicholas Bellinger
+
+commit 6cc44a6fb46e1ecc1c28125aa8fa34d317aa9ea7 upstream.
+
+This patch addresses a bug where an early exception for SCSI WRITE
+with ImmediateData=Yes was missing the target_put_sess_cmd() call
+to drop the extra se_cmd->cmd_kref reference obtained during the
+normal iscsit_setup_scsi_cmd() codepath execution.
+
+This bug was manifesting itself during session shutdown within
+isert_cq_rx_comp_err() where target_wait_for_sess_cmds() would
+end up waiting indefinately for the last se_cmd->cmd_kref put to
+occur for the failed SCSI WRITE + ImmediateData descriptors.
+
+This fix follows what traditional iscsi-target code already does
+for the same failure case within iscsit_get_immediate_data().
+
+Reported-by: Sagi Grimberg
+Cc: Sagi Grimberg
+Cc: Or Gerlitz
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -965,6 +965,8 @@ sequence_cmd:
+
+ if (!rc && dump_payload == false && unsol_data)
+ iscsit_set_unsoliticed_dataout(cmd);
++ else if (dump_payload && imm_data)
++ target_put_sess_cmd(conn->sess->se_sess, &cmd->se_cmd);
+
+ return 0;
+ }
diff --git a/queue-3.10/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch b/queue-3.10/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
new file mode 100644
index 00000000000..a123ef6dd75
--- /dev/null
+++ b/queue-3.10/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
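Review bot: The added `else if (dump_payload && imm_data)` branch after the `sequence_cmd:` label is not gated on `rc`, so `target_put_sess_cmd()` runs whenever both flags are set, including when `rc` is non-zero, and the function still returns 0. It is worth confirming that no path arriving here with a non-zero `rc` has already dropped the extra `se_cmd->cmd_kref`, because a second put would replace the shutdown hang with a premature free of the command. A comment on the new branch such as `/* drop the extra cmd_kref taken in iscsit_setup_scsi_cmd(); the ImmediateData payload is being dumped */` would record which reference is released. The enclosing function begins outside the hunk, so the places where `rc`, `dump_payload` and `imm_data` are assigned are not visible here.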
@@ -0,0 +1,42 @@
+From 624483f3ea82598ab0f62f1bdb9177f531ab1892 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Fri, 6 Jun 2014 19:09:30 +0400
+Subject: mm: rmap: fix use-after-free in __put_anon_vma
+
+From: Andrey Ryabinin
+
+commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream.
+
+While working address sanitizer for kernel I've discovered
+use-after-free bug in __put_anon_vma.
+
+For the last anon_vma, anon_vma->root freed before child anon_vma.
+Later in anon_vma_free(anon_vma) we are referencing to already freed
+anon_vma->root to check rwsem.
+
+This fixes it by freeing the child anon_vma before freeing
+anon_vma->root.
+
+Signed-off-by: Andrey Ryabinin
+Acked-by: Peter Zijlstra
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/rmap.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1675,10 +1675,9 @@ void __put_anon_vma(struct anon_vma *ano
+ {
+ struct anon_vma *root = anon_vma->root;
+
++ anon_vma_free(anon_vma);
+ if (root != anon_vma && atomic_dec_and_test(&root->refcount))
+ anon_vma_free(root);
+-
+- anon_vma_free(anon_vma);
+ }
+
+ #ifdef CONFIG_MIGRATION
diff --git a/queue-3.10/series b/queue-3.10/series
index cc2ceaed874..122237d5da0 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -31,3 +31,5 @@ usb-cdc-wdm-properly-include-types.h.patch
 usb-serial-option-add-support-for-novatel-e371-pcie-card.patch
 usb-io_ti-fix-firmware-download-on-big-endian-machines-part-2.patch
 usb-avoid-runtime-suspend-loops-for-hcds-that-can-t-handle-suspend-resume.patch
+mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
+iser-target-add-missing-target_put_sess_cmd-for-immedatedata-failure.patch
-- 
2.47.3
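Review bot: After the reorder in `__put_anon_vma()`, `anon_vma` has already been freed when `root != anon_vma` is evaluated, and nothing in the code says that this is a pointer-value comparison only or why the child has to be freed first. A comment above the first call would keep a later cleanup from swapping the two frees back or adding a dereference after the free: `/* Free the child before root: anon_vma_free() looks at anon_vma->root, so root must still be live. anon_vma is only compared below, never dereferenced. */`. The cached `root` local is what makes the later refcount drop safe, so it has to stay loaded before the first `anon_vma_free()` call.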