In the previous commit 602bcf212637 ("ata: libata: Improve CDL resource management"), the ata_cdl structure was added and the ata_cdl structure memory was allocated with kzalloc(). Because of this, if CDL is not supported, dev->cdl is a NULL pointer, so additional work should never be done.

However, even if CDL is not supported now, if spg is ALL_SUB_MPAGES, dereferencing dev->cdl will result in a NULL pointer dereference.

Therefore, I think it is appropriate to check dev->flags in ata_scsiop_mode_sense() if spg is ALL_SUB_MPAGES to see if CDL is supported.

Reported-by: syzbot+37757dc11ee77ef850bb@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+37757dc11ee77ef850bb@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 602bcf212637 ("ata: libata: Improve CDL resource management")
Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
--- drivers/ata/libata-scsi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 3328a6febc13..6f5527f12b0e 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -2442,7 +2442,9 @@ static unsigned int ata_scsiop_mode_sense(struct ata_scsi_args *args, u8 *rbuf) if (spg) { switch (spg) { case ALL_SUB_MPAGES: - break; + if (dev->flags & ATA_DFLAG_CDL) + break; + fallthrough; case CDL_T2A_SUB_MPAGE: case CDL_T2B_SUB_MPAGE: case ATA_FEATURE_SUB_MPAGE: --
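
Review bot: In the ALL_SUB_MPAGES case, the new `fallthrough` sends a device without ATA_DFLAG_CDL into the CDL_T2A_SUB_MPAGE / CDL_T2B_SUB_MPAGE / ATA_FEATURE_SUB_MPAGE labels, whose body lies outside this hunk, so neither the diff nor the commit message says what an ALL_SUB_MPAGES request now returns on such a device. Please state the resulting behaviour in the commit message and add a short comment above `if (dev->flags & ATA_DFLAG_CDL)` saying that ALL_SUB_MPAGES is only handled here when CDL is supported. The guard also tests the flag while the reported crash is a NULL dev->cdl; the message should confirm that ATA_DFLAG_CDL being set always implies dev->cdl was allocated, or the check should sit next to the dereference as a pointer test.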