[3.16.y-ckt extended stable] Patch "target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE" has been added to staging queue
Luis Henriques
luis.henriques at canonical.com
Mon Nov 10 11:31:08 UTC 2014
This is a note to let you know that I have just added a patch titled
target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.16.y-queue
This patch is scheduled to be released in version 3.16.7-ckt1.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Luis
------
From c1ab3b961d7a818937bac9c6d632050e0c1eb843 Mon Sep 17 00:00:00 2001
From: Quinn Tran <quinn.tran at qlogic.com>
Date: Thu, 25 Sep 2014 06:22:28 -0400
Subject: target: Fix queue full status NULL pointer for
SCF_TRANSPORT_TASK_SENSE
commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
During temporary resource starvation at lower transport layer, command
is placed on queue full retry path, which exposes this problem. The TCM
queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
cmd twice to lower layer. The 1st time led to cmd normal free path.
The 2nd time causes Null pointer access.
This regression bug was originally introduced in v3.1-rc code in the
following commit:
commit e057f53308a5f071556ee80586b99ee755bf07f5
Author: Christoph Hellwig <hch at infradead.org>
Date: Mon Oct 17 13:56:41 2011 -0400
target: remove the transport_qf_callback se_cmd callback
Signed-off-by: Quinn Tran <quinn.tran at qlogic.com>
Signed-off-by: Saurav Kashyap <saurav.kashyap at qlogic.com>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
drivers/target/target_core_transport.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 7fa62fc93e0b..ab610146681d 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1877,8 +1877,7 @@ static void transport_complete_qf(struct se_cmd *cmd)
if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
trace_target_cmd_complete(cmd);
ret = cmd->se_tfo->queue_status(cmd);
- if (ret)
- goto out;
+ goto out;
}
switch (cmd->data_direction) {
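Review bot: with `goto out;` now unconditional after `ret = cmd->se_tfo->queue_status(cmd);`, a non-zero `ret` is handled only by whatever sits at the `out` label, which this hunk does not show; please confirm that label still checks `ret`, so a failed status queueing goes back on the retry path instead of being dropped silently. A short comment above the `goto out;` would also help, stating that falling through to `switch (cmd->data_direction)` sends the same cmd to the lower layer a second time (the NULL pointer case the commit message describes), so that the `if (ret)` guard is not reintroduced later.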
--
2.1.0