[3.13.y.z extended stable] Patch "iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu Oct 9 20:51:35 UTC 2014 

This is a note to let you know that I have just added a patch titled

    iscsi-target: Fix memory corruption in iscsit_logout_post_handler_diffcid

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 5b32c6ece57132c013cf75320f1d8d941b33d062 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab at linux-iscsi.org>
Date: Wed, 17 Sep 2014 11:45:17 -0700
Subject: iscsi-target: Fix memory corruption in
 iscsit_logout_post_handler_diffcid

commit b53b0d99d6fbf7d44330395349a895521cfdbc96 upstream.

This patch fixes a bug in iscsit_logout_post_handler_diffcid() where
a pointer used as storage for list_for_each_entry() was incorrectly
being used to determine if no matching entry had been found.

This patch changes iscsit_logout_post_handler_diffcid() to key off
bool conn_found to determine if the function needs to exit early.

Reported-by: Joern Engel <joern at logfs.org>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/target/iscsi/iscsi_target.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 6c727b9..bc45c3a 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4512,6 +4512,7 @@ static void iscsit_logout_post_handler_diffcid(
 {
 	struct iscsi_conn *l_conn;
 	struct iscsi_session *sess = conn->sess;
+	bool conn_found = false;

 	if (!sess)
 		return;
@@ -4520,12 +4521,13 @@ static void iscsit_logout_post_handler_diffcid(
 	list_for_each_entry(l_conn, &sess->sess_conn_list, conn_list) {
 		if (l_conn->cid == cid) {
 			iscsit_inc_conn_usage_count(l_conn);
+			conn_found = true;
 			break;
 		}
 	}
 	spin_unlock_bh(&sess->conn_lock);

-	if (!l_conn)
+	if (!conn_found)
 		return;

 	if (l_conn->sock)
--
1.9.1

More information about the kernel-team mailing list