From 85036b70c040d8cbab371021f5aa97d770582e4c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 1 May 2014 20:10:35 -0700 Subject: [PATCH] 3.4-stable patches added patches: target-tcm_fc-fix-use-after-free-of-ft_tpg.patch --- queue-3.4/series | 1 + ...-tcm_fc-fix-use-after-free-of-ft_tpg.patch | 52 +++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 queue-3.4/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch diff --git a/queue-3.4/series b/queue-3.4/series index c7578a1cb8d..230d405d513 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -26,3 +26,4 @@ ib-ehca-returns-an-error-on-ib_copy_to_udata-failure.patch ib_srpt-use-correct-ib_sg_dma-primitives.patch scsi-arcmsr-upper-32-of-dma-address-lost.patch iscsi-target-fix-erl-2-async_event-connection-pointer-bug.patch +target-tcm_fc-fix-use-after-free-of-ft_tpg.patch diff --git a/queue-3.4/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch b/queue-3.4/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch new file mode 100644 index 00000000000..ca1ac63c950 --- /dev/null +++ b/queue-3.4/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch @@ -0,0 +1,52 @@ +From 2c42be2dd4f6586728dba5c4e197afd5cfaded78 Mon Sep 17 00:00:00 2001 +From: Andy Grover +Date: Fri, 4 Apr 2014 16:44:37 -0700 +Subject: target/tcm_fc: Fix use-after-free of ft_tpg + +From: Andy Grover + +commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream. + +ft_del_tpg checks tpg->tport is set before unlinking the tpg from the +tport when the tpg is being removed. Set this pointer in ft_tport_create, +or the unlinking won't happen in ft_del_tpg and tport->tpg will reference +a deleted object. + +This patch sets tpg->tport in ft_tport_create, because that's what +ft_del_tpg checks, and is the only way to get back to the tport to +clear tport->tpg. + +The bug was occuring when: + +- lport created, tport (our per-lport, per-provider context) is + allocated. + tport->tpg = NULL +- tpg created +- a PRLI is received. ft_tport_create is called, tpg is found and + tport->tpg is set +- tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not + set, tport->tpg is not cleared and points at freed memory +- Future calls to ft_tport_create return tport via first conditional, + instead of searching for new tpg by calling ft_lport_find_tpg. + tport->tpg is still invalid, and will access freed memory. + +see https://bugzilla.redhat.com/show_bug.cgi?id=1071340 + +Signed-off-by: Andy Grover +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/tcm_fc/tfc_sess.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/target/tcm_fc/tfc_sess.c ++++ b/drivers/target/tcm_fc/tfc_sess.c +@@ -69,6 +69,7 @@ static struct ft_tport *ft_tport_create( + + if (tport) { + tport->tpg = tpg; ++ tpg->tport = tport; + return tport; + } + -- 2.47.3