Patch "ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception" has been added to the 3.3-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception

to the 3.3-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ib_srpt-fix-srpt_handle_cmd-send_ioctx-ioctx_kref-leak-on-exception.patch
and it can be found in the queue-3.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 187e70a554e0f0717a65998bc9199945cbbd4692 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <n...@linux-iscsi.org>
Date: Sat, 17 Mar 2012 20:12:36 -0700
Subject: ib_srpt: Fix srpt_handle_cmd send_ioctx->ioctx_kref leak on exception

From: Nicholas Bellinger <n...@linux-iscsi.org>

commit 187e70a554e0f0717a65998bc9199945cbbd4692 upstream.

This patch addresses a bug in srpt_handle_cmd() failure handling where
send_ioctx->kref is being leaked with the local extra reference after init,
causing the expected kref_put() in srpt_handle_send_comp() to not be the final
call to invoke srpt_put_send_ioctx_kref() -> transport_generic_free_cmd() and
perform se_cmd descriptor memory release.

It also fixes a SCF_SCSI_RESERVATION_CONFLICT handling bug where this code
is incorrectly falling through to transport_handle_cdb_direct() after
invoking srpt_queue_status() to send SAM_STAT_RESERVATION_CONFLICT status.

Note this patch is for >= v3.3 mainline code, and current lio-core.git
code has already been converted to target_submit_cmd() + se_cmd->cmd_kref usage,
and internal ioctx->kref usage has been removed.  I'm including this patch
now into target-pending/for-next with a CC' for v3.3 stable.

Cc: Bart Van Assche <bvanass...@acm.org>
Cc: Roland Dreier <rol...@purestorage.com>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/infiniband/ulp/srpt/ib_srpt.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1750,6 +1750,7 @@ static int srpt_handle_cmd(struct srpt_r
                       srp_cmd->tag);
                cmd->se_cmd_flags |= SCF_SCSI_CDB_EXCEPTION;
                cmd->scsi_sense_reason = TCM_INVALID_CDB_FIELD;
+               kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
                goto send_sense;
        }
 
@@ -1757,15 +1758,19 @@ static int srpt_handle_cmd(struct srpt_r
        cmd->data_direction = dir;
        unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_cmd->lun,
                                       sizeof(srp_cmd->lun));
-       if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0)
+       if (transport_lookup_cmd_lun(cmd, unpacked_lun) < 0) {
+               kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
                goto send_sense;
+       }
        ret = transport_generic_allocate_tasks(cmd, srp_cmd->cdb);
-       if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT)
-               srpt_queue_status(cmd);
-       else if (cmd->se_cmd_flags & SCF_SCSI_CDB_EXCEPTION)
-               goto send_sense;
-       else
-               WARN_ON_ONCE(ret);
+       if (ret < 0) {
+               kref_put(&send_ioctx->kref, srpt_put_send_ioctx_kref);
+               if (cmd->se_cmd_flags & SCF_SCSI_RESERVATION_CONFLICT) {
+                       srpt_queue_status(cmd);
+                       return 0;
+               } else
+                       goto send_sense;
+       }
 
        transport_handle_cdb_direct(cmd);
        return 0;


Patches currently in stable-queue which might be from n...@linux-iscsi.org are

queue-3.3/iscsi-target-fix-dynamic-explict-nodeacl-pointer-reference.patch
queue-3.3/target-don-t-set-wbus16-or-sync-bits-in-inquiry-response.patch
queue-3.3/target-fix-use-after-free-in-target_report_luns.patch
queue-3.3/target-fix-16-bit-target-ports-for-set-target-port-groups-emulation.patch
queue-3.3/target-prevent-null-pointer-dereference-in-target_report_luns.patch
queue-3.3/tcm_fc-fix-fc_exch-memory-leak-in-ft_send_resp_status.patch
queue-3.3/tcm_loop-set-residual-field-for-scsi-commands.patch
queue-3.3/target-set-peripheral-device-type-consistently-in-inquiry-response.patch
queue-3.3/target-fix-up-handling-of-short-inquiry-buffers.patch
queue-3.3/iscsi-target-fix-iscsit_alloc_buffs-failure-cases.patch
queue-3.3/ib_srpt-fix-srpt_handle_cmd-send_ioctx-ioctx_kref-leak-on-exception.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html