releases/4.14.68/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sun Aug 26 09:13:00 CEST 2018
 From: Varun Prakash <varun@chelsio.com>
 Date: Wed, 11 Jul 2018 22:09:52 +0530
 Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF

 From: Varun Prakash <varun@chelsio.com>

 [ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ]

 In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the
 opcode, it is possible that task->hdr is NULL.

 There are two cases based on opcode argument:

 1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called
 after iscsi_check_tmf_restrictions()

 iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu().

 Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign
 it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL
 pointer dereference.

 2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the
 memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or
 invalid.

 This patch fixes this issue by removing task->hdr->opcode from the printk
 statement.

 Signed-off-by: Varun Prakash <varun@chelsio.com>
 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/scsi/libiscsi.c |   12 ++++++------
  1 file changed, 6 insertions(+), 6 deletions(-)

 --- a/drivers/scsi/libiscsi.c
 +++ b/drivers/scsi/libiscsi.c
 @@ -284,11 +284,11 @@ static int iscsi_check_tmf_restrictions(
  		 */
  		if (opcode != ISCSI_OP_SCSI_DATA_OUT) {
  			iscsi_conn_printk(KERN_INFO, conn,
 -					  "task [op %x/%x itt "
 +					  "task [op %x itt "
  					  "0x%x/0x%x] "
  					  "rejected.\n",
 -					  task->hdr->opcode, opcode,
 -					  task->itt, task->hdr_itt);
 +					  opcode, task->itt,
 +					  task->hdr_itt);
  			return -EACCES;
  		}
  		/*
 @@ -297,10 +297,10 @@ static int iscsi_check_tmf_restrictions(
  		 */
  		if (conn->session->fast_abort) {
  			iscsi_conn_printk(KERN_INFO, conn,
 -					  "task [op %x/%x itt "
 +					  "task [op %x itt "
  					  "0x%x/0x%x] fast abort.\n",
 -					  task->hdr->opcode, opcode,
 -					  task->itt, task->hdr_itt);
 +					  opcode, task->itt,
 +					  task->hdr_itt);
  			return -EACCES;
  		}
  		break;
	From foo@baz Sun Aug 26 09:13:00 CEST 2018
	From: Varun Prakash <varun@chelsio.com>
	Date: Wed, 11 Jul 2018 22:09:52 +0530
	Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF

	From: Varun Prakash <varun@chelsio.com>

	[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ]

	In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the
	opcode, it is possible that task->hdr is NULL.

	There are two cases based on opcode argument:

	1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called
	after iscsi_check_tmf_restrictions()

	iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu().

	Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign
	it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL
	pointer dereference.

	2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the
	memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or
	invalid.

	This patch fixes this issue by removing task->hdr->opcode from the printk
	statement.

	Signed-off-by: Varun Prakash <varun@chelsio.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/scsi/libiscsi.c \| 12 ++++++------
	1 file changed, 6 insertions(+), 6 deletions(-)

	--- a/drivers/scsi/libiscsi.c
	+++ b/drivers/scsi/libiscsi.c
	@@ -284,11 +284,11 @@ static int iscsi_check_tmf_restrictions(
	*/
	if (opcode != ISCSI_OP_SCSI_DATA_OUT) {
	iscsi_conn_printk(KERN_INFO, conn,
	- "task [op %x/%x itt "
	+ "task [op %x itt "
	"0x%x/0x%x] "
	"rejected.\n",
	- task->hdr->opcode, opcode,
	- task->itt, task->hdr_itt);
	+ opcode, task->itt,
	+ task->hdr_itt);
	return -EACCES;
	}
	/*
	@@ -297,10 +297,10 @@ static int iscsi_check_tmf_restrictions(
	*/
	if (conn->session->fast_abort) {
	iscsi_conn_printk(KERN_INFO, conn,
	- "task [op %x/%x itt "
	+ "task [op %x itt "
	"0x%x/0x%x] fast abort.\n",
	- task->hdr->opcode, opcode,
	- task->itt, task->hdr_itt);
	+ opcode, task->itt,
	+ task->hdr_itt);
	return -EACCES;
	}
	break;