git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
scsi: target: Fix alua_tg_pt_gps_count tracking
author Mike Christie <michael.christie@oracle.com>
Thu, 30 Sep 2021 02:04:20 +0000 (21:04 -0500)
committer Andrea Righi <andrea.righi@canonical.com>
Tue, 4 Jan 2022 08:48:46 +0000 (09:48 +0100)
commit 7cba97e954bd588994f1ea0d7153722f125b8eef
tree cefc02b8f3b5aa9037b1c6bc6d948339e1b6aaba
parent 17e095904418aca3f3254a635bcc7afc4901ad88
scsi: target: Fix alua_tg_pt_gps_count tracking

BugLink: https://bugs.launchpad.net/bugs/1952579
[ Upstream commit 1283c0d1a32bb924324481586b5d6e8e76f676ba ]

We can't free the tg_pt_gp in core_alua_set_tg_pt_gp_id() because it's
still accessed via configfs. Its release must go through the normal
configfs/refcount process.

The max alua_tg_pt_gps_count check should probably have been done in
core_alua_allocate_tg_pt_gp(), but with the current code userspace could
have created 0x0000ffff + 1 groups, but only set the id for 0x0000ffff.
Then it could have deleted a group with an ID set, and then set the ID for
that extra group and it would work ok.

It's unlikely, but just in case this patch continues to allow that type of
behavior, and just fixes the kfree() while in use bug.

Link: https://lore.kernel.org/r/20210930020422.92578-4-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
drivers/target/target_core_alua.c
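
The ownership rule the commit message describes, as an added userspace model (not the kernel code and not the patch itself): the ID-setting path reports failure and never frees the object, so release happens only when the owner drops the last reference. All names (struct group, group_set_id, group_put, group_remove) and the error codes are hypothetical; only the 0x0000ffff limit comes from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_GROUPS 0x0000ffffu    /* limit quoted in the commit message */

/* Hypothetical model of a group object owned by a refcounted config tree. */
struct group { int refcount; int valid_id; uint16_t id; };

static uint32_t groups_with_id;   /* models alua_tg_pt_gps_count */
static int groups_freed;          /* instrumentation for this example */

static struct group *group_alloc(void)
{
    struct group *g = calloc(1, sizeof(*g));
    if (g)
        g->refcount = 1;          /* reference held by the config tree */
    return g;
}

/* Only the final put frees the object. */
static void group_put(struct group *g)
{
    if (--g->refcount == 0) {
        groups_freed++;
        free(g);
    }
}

/* Fixed pattern: on failure, return an error and leave g allocated.
 * Calling free(g) here would leave the config tree with a dangling pointer. */
static int group_set_id(struct group *g, uint16_t id)
{
    if (g->valid_id)
        return -EINVAL;
    if (groups_with_id == MAX_GROUPS)
        return -ENOSPC;           /* error code chosen for this model */
    g->id = id;
    g->valid_id = 1;
    groups_with_id++;
    return 0;
}

/* Removal through the owner: uncount only groups that had an ID. */
static void group_remove(struct group *g)
{
    if (g->valid_id)
        groups_with_id--;
    group_put(g);
}
```

A failed group_set_id() leaves the caller's reference intact, so the group stays usable and can be given an ID later once another group with an ID has been removed.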