releases/3.16.54/target-iscsi-fix-iscsi-task-reassignment-handling.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Bart Van Assche <bart.vanassche@sandisk.com>
 Date: Thu, 5 Jan 2017 12:39:57 +0100
 Subject: target/iscsi: Fix iSCSI task reassignment handling

 commit 59b6986dbfcdab96a971f9663221849de79a7556 upstream.

 Allocate a task management request structure for all task management
 requests, including task reassignment. This change avoids that the
 se_tmr->response assignment dereferences an uninitialized se_tmr
 pointer.

 Reported-by: Moshe David <mdavid@infinidat.com>
 Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
 Reviewed-by: Hannes Reinecke <hare@suse.com>
 Reviewed-by: Christoph Hellwig <hch@lst.de>
 Cc: Moshe David <mdavid@infinidat.com>
 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
 [bwh: Backported to 3.16:
  - Add definition of TMR_UNKNOWN
  - Adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/drivers/target/iscsi/iscsi_target.c
 +++ b/drivers/target/iscsi/iscsi_target.c
 @@ -1754,7 +1754,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
  	struct iscsi_tm *hdr;
  	int out_of_order_cmdsn = 0, ret;
  	bool sess_ref = false;
 -	u8 function;
 +	u8 function, tcm_function = TMR_UNKNOWN;

  	hdr			= (struct iscsi_tm *) buf;
  	hdr->flags &= ~ISCSI_FLAG_CMD_FINAL;
 @@ -1800,10 +1800,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
  	 * LIO-Target $FABRIC_MOD
  	 */
  	if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
 -
 -		u8 tcm_function;
 -		int ret;
 -
  		transport_init_se_cmd(&cmd->se_cmd,
  				      &lio_target_fabric_configfs->tf_ops,
  				      conn->sess->se_sess, 0, DMA_NONE,
 @@ -1840,15 +1836,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
  			return iscsit_add_reject_cmd(cmd,
  				ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
  		}
 -
 -		ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req,
 -					 tcm_function, GFP_KERNEL);
 -		if (ret < 0)
 -			return iscsit_add_reject_cmd(cmd,
 +	}
 +	ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function,
 +				 GFP_KERNEL);
 +	if (ret < 0)
 +		return iscsit_add_reject_cmd(cmd,
  				ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);

 -		cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req;
 -	}
 +	cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req;

  	cmd->iscsi_opcode	= ISCSI_OP_SCSI_TMFUNC;
  	cmd->i_state		= ISTATE_SEND_TASKMGTRSP;
 --- a/include/target/target_core_base.h
 +++ b/include/target/target_core_base.h
 @@ -230,6 +230,7 @@ enum tcm_tmreq_table {
  	TMR_LUN_RESET		= 5,
  	TMR_TARGET_WARM_RESET	= 6,
  	TMR_TARGET_COLD_RESET	= 7,
 +	TMR_UNKNOWN		= 0xff,
  };

  /* fabric independent task management response values */
	From: Bart Van Assche <bart.vanassche@sandisk.com>
	Date: Thu, 5 Jan 2017 12:39:57 +0100
	Subject: target/iscsi: Fix iSCSI task reassignment handling

	commit 59b6986dbfcdab96a971f9663221849de79a7556 upstream.

	Allocate a task management request structure for all task management
	requests, including task reassignment. This change avoids that the
	se_tmr->response assignment dereferences an uninitialized se_tmr
	pointer.

	Reported-by: Moshe David <mdavid@infinidat.com>
	Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
	Reviewed-by: Hannes Reinecke <hare@suse.com>
	Reviewed-by: Christoph Hellwig <hch@lst.de>
	Cc: Moshe David <mdavid@infinidat.com>
	Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
	[bwh: Backported to 3.16:
	- Add definition of TMR_UNKNOWN
	- Adjust context]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	--- a/drivers/target/iscsi/iscsi_target.c
	+++ b/drivers/target/iscsi/iscsi_target.c
	@@ -1754,7 +1754,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
	struct iscsi_tm *hdr;
	int out_of_order_cmdsn = 0, ret;
	bool sess_ref = false;
	- u8 function;
	+ u8 function, tcm_function = TMR_UNKNOWN;

	hdr = (struct iscsi_tm *) buf;
	hdr->flags &= ~ISCSI_FLAG_CMD_FINAL;
	@@ -1800,10 +1800,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
	* LIO-Target $FABRIC_MOD
	*/
	if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
	-
	- u8 tcm_function;
	- int ret;
	-
	transport_init_se_cmd(&cmd->se_cmd,
	&lio_target_fabric_configfs->tf_ops,
	conn->sess->se_sess, 0, DMA_NONE,
	@@ -1840,15 +1836,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_
	return iscsit_add_reject_cmd(cmd,
	ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
	}
	-
	- ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req,
	- tcm_function, GFP_KERNEL);
	- if (ret < 0)
	- return iscsit_add_reject_cmd(cmd,
	+ }
	+ ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function,
	+ GFP_KERNEL);
	+ if (ret < 0)
	+ return iscsit_add_reject_cmd(cmd,
	ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);

	- cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req;
	- }
	+ cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req;

	cmd->iscsi_opcode = ISCSI_OP_SCSI_TMFUNC;
	cmd->i_state = ISTATE_SEND_TASKMGTRSP;
	--- a/include/target/target_core_base.h
	+++ b/include/target/target_core_base.h
	@@ -230,6 +230,7 @@ enum tcm_tmreq_table {
	TMR_LUN_RESET = 5,
	TMR_TARGET_WARM_RESET = 6,
	TMR_TARGET_COLD_RESET = 7,
	+ TMR_UNKNOWN = 0xff,
	};

	/* fabric independent task management response values */