Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bc88a575 authored by Bart Van Assche's avatar Bart Van Assche Committed by Greg Kroah-Hartman
Browse files

target/iscsi: Fix iSCSI task reassignment handling 



commit 59b6986dbfcdab96a971f9663221849de79a7556 upstream.

Allocate a task management request structure for all task management
requests, including task reassignment. This change avoids that the
se_tmr->response assignment dereferences an uninitialized se_tmr
pointer.

Reported-by: default avatarMoshe David <mdavid@infinidat.com>
Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Cc: Moshe David <mdavid@infinidat.com>
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 86fa2408

drivers/target/iscsi/iscsi_target.c

+7 −12
Original line number Diff line number Diff line
@@ -1749,7 +1749,7 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, 
	struct iscsi_tm *hdr;

	int out_of_order_cmdsn = 0, ret;

	bool sess_ref = false;

	u8 function;

	u8 function, tcm_function = TMR_UNKNOWN;



	hdr			= (struct iscsi_tm *) buf;

	hdr->flags &= ~ISCSI_FLAG_CMD_FINAL;
@@ -1795,10 +1795,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, 
	 * LIO-Target $FABRIC_MOD

	 */

	if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {



		u8 tcm_function;

		int ret;



		transport_init_se_cmd(&cmd->se_cmd,

				      &lio_target_fabric_configfs->tf_ops,

				      conn->sess->se_sess, 0, DMA_NONE,
@@ -1835,15 +1831,14 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, 
			return iscsit_add_reject_cmd(cmd,

				ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);

		}



		ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req,

					 tcm_function, GFP_KERNEL);

	}

	ret = core_tmr_alloc_req(&cmd->se_cmd, cmd->tmr_req, tcm_function,

				 GFP_KERNEL);

	if (ret < 0)

		return iscsit_add_reject_cmd(cmd,

				ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);



	cmd->tmr_req->se_tmr_req = cmd->se_cmd.se_tmr_req;

	}



	cmd->iscsi_opcode	= ISCSI_OP_SCSI_TMFUNC;

	cmd->i_state		= ISTATE_SEND_TASKMGTRSP;

include/target/target_core_base.h

+1 −0
Original line number Diff line number Diff line
@@ -231,6 +231,7 @@ enum tcm_tmreq_table { 
	TMR_LUN_RESET		= 5,

	TMR_TARGET_WARM_RESET	= 6,

	TMR_TARGET_COLD_RESET	= 7,

	TMR_UNKNOWN		= 0xff,

};



/* fabric independent task management response values */