linux/drivers/target
Andy Grover 8489218aef target/tcm_fc: Fix use-after-free of ft_tpg
commit 2c42be2dd4 upstream.

ft_del_tpg checks tpg->tport is set before unlinking the tpg from the
tport when the tpg is being removed. Set this pointer in ft_tport_create,
or the unlinking won't happen in ft_del_tpg and tport->tpg will reference
a deleted object.

This patch sets tpg->tport in ft_tport_create, because that's what
ft_del_tpg checks, and is the only way to get back to the tport to
clear tport->tpg.

The bug was occurring when:

- lport created, tport (our per-lport, per-provider context) is
  allocated.
  tport->tpg = NULL
- tpg created
- a PRLI is received. ft_tport_create is called, tpg is found and
  tport->tpg is set
- tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not
  set, tport->tpg is not cleared and points at freed memory
- Future calls to ft_tport_create return tport via first conditional,
  instead of searching for new tpg by calling ft_lport_find_tpg.
  tport->tpg is still invalid, and will access freed memory.

see https://bugzilla.redhat.com/show_bug.cgi?id=1071340

Signed-off-by: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-06 07:59:29 -07:00
iscsi iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug 2014-05-06 07:59:29 -07:00
loopback tcm_loop: Enable DIF/DIX modes in SCSI host LLD 2014-01-19 02:22:06 +00:00
sbp target: Remove TF_CIT_TMPL macro 2013-10-16 13:35:02 -07:00
tcm_fc target/tcm_fc: Fix use-after-free of ft_tpg 2014-05-06 07:59:29 -07:00
Kconfig target/iblock: Add blk_integrity + BIP passthrough support 2014-01-18 10:14:22 +00:00
Makefile target: Add support for EXTENDED_COPY copy offload emulation 2013-09-10 16:48:43 -07:00
target_core_alua.c target: Fix 32-bit + CONFIG_LBDAF=n link error w/ sector_div 2014-02-12 15:11:02 -08:00
target_core_alua.h target_core_alua: Referrals configfs integration 2014-01-09 21:48:35 -08:00
target_core_configfs.c target/configfs: Expose protection device attributes 2014-01-18 09:57:47 +00:00
target_core_device.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_fabric_configfs.c target: Fix sizeof in kmalloc for some default_groups arrays 2013-12-16 12:42:20 -08:00
target_core_fabric_lib.c target: Update copyright ownership/year information to 2013 2013-09-10 20:23:36 -07:00
target_core_file.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_file.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_hba.c target: Update copyright ownership/year information to 2013 2013-09-10 20:23:36 -07:00
target_core_iblock.c target/iblock: Fix double bioset_integrity_free bug 2014-05-06 07:59:29 -07:00
target_core_iblock.h
target_core_internal.h target/configfs: Expose protection device attributes 2014-01-18 09:57:47 +00:00
target_core_pr.c target: Fix free-after-use regression in PR unregister 2014-02-12 15:11:01 -08:00
target_core_pr.h drivers: target: Move prototype declaration of function to header file target_core_pr.h 2014-01-09 21:48:36 -08:00
target_core_pscsi.c target/pscsi: fix return value check 2013-10-25 10:42:09 -07:00
target_core_pscsi.h
target_core_rd.c target/rd: T10-Dif: RAM disk is allocating more space than required. 2014-05-06 07:59:29 -07:00
target_core_rd.h target/rd: Add support for protection SGL setup + release 2014-01-19 02:22:05 +00:00
target_core_sbc.c Target/sbc: Initialize COMPARE_AND_WRITE write_sg scatterlist 2014-05-06 07:59:29 -07:00
target_core_spc.c target: Fix missing length check in spc_emulate_evpd_83() 2014-02-12 15:11:04 -08:00
target_core_stat.c target: Convert se_device statistics to atomic_long_t 2013-11-13 18:34:55 -08:00
target_core_tmr.c target: Convert se_device statistics to atomic_long_t 2013-11-13 18:34:55 -08:00
target_core_tpg.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-01-31 15:31:23 -08:00
target_core_transport.c target: Add DIF sense codes in transport_generic_request_failure 2014-02-23 16:31:24 -08:00
target_core_ua.c target: Remove unused ua_dev_list member in struct se_ua 2013-12-16 12:39:04 -08:00
target_core_ua.h target core: rename (ex,im)plict -> (ex,im)plicit 2013-11-20 11:24:40 -08:00
target_core_xcopy.c drivers: target: Move prototype declaration of function to header file target_core_pr.h 2014-01-09 21:48:36 -08:00
target_core_xcopy.h target: Add support for EXTENDED_COPY copy offload emulation 2013-09-10 16:48:43 -07:00