[3.13.y.z extended stable] Patch "tcm_fc: Fix free-after-use regression in ft_free_cmd" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jun 17 21:42:24 UTC 2014 

This is a note to let you know that I have just added a patch titled

    tcm_fc: Fix free-after-use regression in ft_free_cmd

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.4.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 7642231758bbb81597e346d608c454edaba620e0 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab at linux-iscsi.org>
Date: Mon, 12 May 2014 12:18:32 -0700
Subject: tcm_fc: Fix free-after-use regression in ft_free_cmd

commit ed8ec8f707ed4760c124d47b27c93df8ec5b1eba upstream.

This patch fixes a free-after-use regression in ft_free_cmd(), where
ft_sess_put() is called with cmd->sess after percpu_ida_free() has
already released the tag.

Fix this bug by saving the ft_sess pointer ahead of percpu_ida_free(),
and pass it directly to ft_sess_put().

The regression was originally introduced in v3.13-rc1 commit:

  commit 5f544cfac956971099e906f94568bc3fd1a7108a
  Author: Nicholas Bellinger <nab at daterainc.com>
  Date:   Mon Sep 23 12:12:42 2013 -0700

      tcm_fc: Convert to per-cpu command map pre-allocation of ft_cmd

Reported-by: Jun Wu <jwu at stormojo.com>
Cc: Mark Rustad <mark.d.rustad at intel.com>
Cc: Robert Love <robert.w.love at intel.com>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/target/tcm_fc/tfc_cmd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/target/tcm_fc/tfc_cmd.c b/drivers/target/tcm_fc/tfc_cmd.c
index 8b2c1aa..d22cdc7 100644
--- a/drivers/target/tcm_fc/tfc_cmd.c
+++ b/drivers/target/tcm_fc/tfc_cmd.c
@@ -90,18 +90,18 @@ static void ft_free_cmd(struct ft_cmd *cmd)
 {
 	struct fc_frame *fp;
 	struct fc_lport *lport;
-	struct se_session *se_sess;
+	struct ft_sess *sess;

 	if (!cmd)
 		return;
-	se_sess = cmd->sess->se_sess;
+	sess = cmd->sess;
 	fp = cmd->req_frame;
 	lport = fr_dev(fp);
 	if (fr_seq(fp))
 		lport->tt.seq_release(fr_seq(fp));
 	fc_frame_free(fp);
-	percpu_ida_free(&se_sess->sess_tag_pool, cmd->se_cmd.map_tag);
-	ft_sess_put(cmd->sess);	/* undo get from lookup at recv */
+	percpu_ida_free(&sess->se_sess->sess_tag_pool, cmd->se_cmd.map_tag);
+	ft_sess_put(sess);	/* undo get from lookup at recv */
 }

 void ft_release_cmd(struct se_cmd *se_cmd)
--
1.9.1

More information about the kernel-team mailing list