linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Mike Christie <michael.christie@oracle.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	nab@linux-iscsi.org, linux-scsi@vger.kernel.org,
	target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 11/14] scsi: target: Fix alua_tg_pt_gps_count tracking
Date: Tue,  9 Nov 2021 17:23:40 -0500	[thread overview]
Message-ID: <20211109222343.1235902-11-sashal@kernel.org> (raw)
In-Reply-To: <20211109222343.1235902-1-sashal@kernel.org>

From: Mike Christie <michael.christie@oracle.com>

[ Upstream commit 1283c0d1a32bb924324481586b5d6e8e76f676ba ]

We can't free the tg_pt_gp in core_alua_set_tg_pt_gp_id() because it's
still accessed via configfs. Its release must go through the normal
configfs/refcount process.

The max alua_tg_pt_gps_count check should probably have been done in
core_alua_allocate_tg_pt_gp(), but with the current code userspace could
have created 0x0000ffff + 1 groups, but only set the id for 0x0000ffff.
Then it could have deleted a group with an ID set, and then set the ID for
that extra group and it would work ok.

It's unlikely, but just in case this patch continues to allow that type of
behavior, and just fixes the kfree() while in use bug.

Link: https://lore.kernel.org/r/20210930020422.92578-4-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/target_core_alua.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c
index 928127642574b..18e67230fc6a3 100644
--- a/drivers/target/target_core_alua.c
+++ b/drivers/target/target_core_alua.c
@@ -1711,7 +1711,6 @@ int core_alua_set_tg_pt_gp_id(
 		pr_err("Maximum ALUA alua_tg_pt_gps_count:"
 			" 0x0000ffff reached\n");
 		spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
-		kmem_cache_free(t10_alua_tg_pt_gp_cache, tg_pt_gp);
 		return -ENOSPC;
 	}
 again:
-- 
2.33.0


  parent reply	other threads:[~2021-11-09 22:42 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-09 22:23 [PATCH AUTOSEL 4.14 01/14] arm64: zynqmp: Fix serial compatible string Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 02/14] scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 03/14] arm64: dts: rockchip: add Coresight debug range for RK3399 Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 04/14] usb: musb: tusb6010: check return value after calling platform_get_resource() Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 05/14] scsi: advansys: Fix kernel pointer leak Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 06/14] ARM: dts: omap: fix gpmc,mux-add-data type Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 07/14] usb: host: ohci-tmio: check return value after calling platform_get_resource() Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 08/14] tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 09/14] MIPS: sni: Fix the build Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 10/14] scsi: target: Fix ordered tag handling Sasha Levin
2021-11-09 22:23 ` Sasha Levin [this message]
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 12/14] powerpc/5200: dts: fix memory node unit name Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 13/14] ALSA: gus: fix null pointer dereference on pointer block Sasha Levin
2021-11-09 22:23 ` [PATCH AUTOSEL 4.14 14/14] powerpc/dcr: Use cmplwi instead of 3-argument cmpli Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211109222343.1235902-11-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=michael.christie@oracle.com \
    --cc=nab@linux-iscsi.org \
    --cc=stable@vger.kernel.org \
    --cc=target-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).