Re: Null Pointer Dereference in sd_zbc_release_disk

On 2022/05/27 14:51, Dongliang Mu wrote:
Hi maintainers,

I found an NPD (Null Pointer Dereference) in the sd_zbc_release_disk function.

There are two definitions of sd_zbc_release_disk:

#ifdef CONFIG_BLK_DEV_ZONED
void sd_zbc_release_disk(struct scsi_disk *sdkp);
#else /* CONFIG_BLK_DEV_ZONED */
static inline void sd_zbc_release_disk(struct scsi_disk *sdkp) {}
#endif

When CONFIG_BLK_DEV_ZONED=y, the function implementation is as follows:

void sd_zbc_release_disk(struct scsi_disk *sdkp)
{
    if (sd_is_zoned(sdkp))
        sd_zbc_clear_zone_info(sdkp);
}

static inline int sd_is_zoned(struct scsi_disk *sdkp)
{
    return sdkp->zoned == 1 || sdkp->device->type == TYPE_ZBC;
}

In drivers/scsi/sd.c, sd_probe() allocates sdkp with kzalloc(). If
errors occur before the assignment "sdkp->device", after the
allocation, it will trigger an NPD in sd_is_zoned.

I am not familiar with kernel configuration. Does anyone have a
suggestion to fix this NPD?

I really appreciate any help you can provide.

Can you try this patch:

From 875899a114bce34f9549857ce87ea309b366b1cb Mon Sep 17 00:00:00 2001
From: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
Date: Fri, 27 May 2022 16:07:20 +0900
Subject: [PATCH] scsi: sd_zbc: Fix potential NULL pointer dereference

If sd_probe() sees an error before sdkp->device is initialized,
sd_zbc_release_disk() is called, which causes a NULL pointer dereference
when sd_is_zoned() is called. Avoid this by turning
sd_zbc_release_disk() into a nop if sdkp->device is NULL.

Reported-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Signed-off-by: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
---
 drivers/scsi/sd_zbc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c
index 5b9fad70aa88..236a766c8de4 100644
--- a/drivers/scsi/sd_zbc.c
+++ b/drivers/scsi/sd_zbc.c
@@ -804,7 +804,7 @@ static void sd_zbc_clear_zone_info(struct scsi_disk *sdkp)

 void sd_zbc_release_disk(struct scsi_disk *sdkp)
 {
-	if (sd_is_zoned(sdkp))
+	if (sdkp->device && sd_is_zoned(sdkp))
 		sd_zbc_clear_zone_info(sdkp);
 }
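Review bot: the new `sdkp->device &&` guard in `sd_zbc_release_disk()` covers the sd_probe() error path named in the commit message, but `sd_is_zoned()` itself still dereferences `sdkp->device` unconditionally (the `||` only short-circuits when `sdkp->zoned == 1`, which a kzalloc()'d disk never satisfies), so any other caller that reaches it on a partially initialized sdkp would hit the same NULL dereference. Consider either placing the NULL check inside `sd_is_zoned()` so every caller is protected, or adding a one-line comment above `if (sdkp->device && sd_is_zoned(sdkp))` stating that sd_probe() can call release before the device pointer is assigned, so a later reader does not drop the guard as redundant.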

--
2.36.1


--
Damien Le Moal
Western Digital Research
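The following is an added user-space model of the bug and fix discussed in this thread; it is not kernel code and not part of the patch. The struct and function names mirror the kernel's for readability, but `struct scsi_disk`, `struct scsi_device`, the `TYPE_ZBC` value and the `zone_info_cleared` field are constructed stand-ins reduced to what the bug involves. It shows why a kzalloc()'d disk always evaluates the `sdkp->device->type` operand, and that the patched release is a nop on the early error path while still clearing zone info on a fully probed zoned disk.

```c
#include <stdio.h>
#include <stdlib.h>

#define TYPE_DISK 0x00
#define TYPE_ZBC  0x14   /* constructed stand-in for the kernel's TYPE_ZBC */

struct scsi_device {
    int type;
};

/* Constructed stand-in for the kernel's struct scsi_disk, reduced to the
 * fields the bug involves. */
struct scsi_disk {
    struct scsi_device *device;  /* NULL until sd_probe() assigns it */
    int zoned;
    int zone_info_cleared;       /* records that clear_zone_info ran */
};

/* Same logic as the kernel helper: the right-hand operand of || dereferences
 * sdkp->device, and a kzalloc()'d disk has zoned == 0, so that operand is
 * always evaluated on the early error path. */
static inline int sd_is_zoned(struct scsi_disk *sdkp)
{
    return sdkp->zoned == 1 || sdkp->device->type == TYPE_ZBC;
}

static void sd_zbc_clear_zone_info(struct scsi_disk *sdkp)
{
    sdkp->zone_info_cleared = 1;
}

/* Pre-patch form: safe only once sdkp->device has been assigned. */
static void sd_zbc_release_disk_before(struct scsi_disk *sdkp)
{
    if (sd_is_zoned(sdkp))
        sd_zbc_clear_zone_info(sdkp);
}

/* Patched form: a nop while sdkp->device is still NULL. */
static void sd_zbc_release_disk_after(struct scsi_disk *sdkp)
{
    if (sdkp->device && sd_is_zoned(sdkp))
        sd_zbc_clear_zone_info(sdkp);
}

/* Static predicate: would the pre-patch release dereference NULL on this
 * disk?  Evaluates the condition without performing the dereference. */
int would_deref_null(const struct scsi_disk *sdkp)
{
    return sdkp->device == NULL && sdkp->zoned != 1;
}

/* State of a disk right after kzalloc(), before sd_probe() sets device. */
int early_error_would_deref_null(void)
{
    struct scsi_disk early = { 0 };
    return would_deref_null(&early);
}

/* Model of sd_probe() failing either before (device_assigned == 0) or after
 * the device pointer is set, then calling the patched release.  Returns 1 if
 * zone info was cleared, 0 if the release was a nop or the disk is not zoned. */
int probe_error_path_patched(int device_assigned, int device_type)
{
    struct scsi_device dev = { .type = device_type };
    struct scsi_disk *sdkp = calloc(1, sizeof(*sdkp));  /* like kzalloc() */
    int cleared;

    if (!sdkp)
        return -1;
    if (device_assigned)
        sdkp->device = &dev;

    sd_zbc_release_disk_after(sdkp);
    cleared = sdkp->zone_info_cleared;
    free(sdkp);
    return cleared;
}

/* The pre-patch release on a fully probed disk, for comparison: it is
 * correct once sdkp->device is set, which is why the bug only shows on the
 * early error path. */
int release_before_patch_with_device(int device_type)
{
    struct scsi_device dev = { .type = device_type };
    struct scsi_disk sdkp = { .device = &dev, .zoned = 0, .zone_info_cleared = 0 };

    sd_zbc_release_disk_before(&sdkp);
    return sdkp.zone_info_cleared;
}

int main(void)
{
    printf("pre-patch release would deref NULL on early error: %d\n",
           early_error_would_deref_null());
    printf("patched release, error before device set: cleared=%d\n",
           probe_error_path_patched(0, TYPE_ZBC));
    printf("patched release, error after device set (ZBC): cleared=%d\n",
           probe_error_path_patched(1, TYPE_ZBC));
    return 0;
}
```

The pre-patch function is never called with a NULL device in this model; `would_deref_null()` evaluates the same condition without performing the dereference, which is the check a reviewer can apply to any other caller of `sd_is_zoned()` that may run on a partially initialized disk.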


