| Message ID | 20230613144259.12890-1-rpearsonhpe@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | drivers: target: Fix error path in target_setup_session | expand |
On 6/13/23 9:43 AM, Bob Pearson wrote: > In the error exits in target_setup_session, if a branch is taken > to free_sess: transport_free_session may call to target_free_cmd_counter > and then fall through to call target_free_cmd_counter a second time. > This can, and does, sometimes cause seg faults since the data field > in cmd_cnt->refcnt has been freed in the first call. This patch > fixes this problem by simply returning after the call to > transport_free_session. The second call is redundant for those > cases. > > Fixes: 4edba7e4a8f3 ("scsi: target: Move cmd counter allocation") > Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com> > --- > drivers/target/target_core_transport.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c > index 86adff2a86ed..687adc9e086c 100644 > --- a/drivers/target/target_core_transport.c > +++ b/drivers/target/target_core_transport.c > @@ -504,6 +504,8 @@ target_setup_session(struct se_portal_group *tpg, > > free_sess: > transport_free_session(sess); > + return ERR_PTR(rc); > + > free_cnt: > target_free_cmd_counter(cmd_cnt); > return ERR_PTR(rc); Thanks. Reviewed-by: Mike Christie <michael.christie@oracle.com>
On Tue, 13 Jun 2023 09:43:00 -0500, Bob Pearson wrote: > In the error exits in target_setup_session, if a branch is taken > to free_sess: transport_free_session may call to target_free_cmd_counter > and then fall through to call target_free_cmd_counter a second time. > This can, and does, sometimes cause seg faults since the data field > in cmd_cnt->refcnt has been freed in the first call. This patch > fixes this problem by simply returning after the call to > transport_free_session. The second call is redundant for those > cases. > > [...] Applied to 6.4/scsi-fixes, thanks! [1/1] drivers: target: Fix error path in target_setup_session https://git.kernel.org/mkp/scsi/c/91271699228b
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 86adff2a86ed..687adc9e086c 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -504,6 +504,8 @@ target_setup_session(struct se_portal_group *tpg, free_sess: transport_free_session(sess); + return ERR_PTR(rc); + free_cnt: target_free_cmd_counter(cmd_cnt); return ERR_PTR(rc);
In the error exits in target_setup_session, if a branch is taken to free_sess: transport_free_session may call to target_free_cmd_counter and then fall through to call target_free_cmd_counter a second time. This can, and does, sometimes cause seg faults since the data field in cmd_cnt->refcnt has been freed in the first call. This patch fixes this problem by simply returning after the call to transport_free_session. The second call is redundant for those cases. Fixes: 4edba7e4a8f3 ("scsi: target: Move cmd counter allocation") Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com> --- drivers/target/target_core_transport.c | 2 ++ 1 file changed, 2 insertions(+)