Patch "scsi: sd: Fix potential NULL pointer dereference" has been added to the 5.17-stable tree

This is a note to let you know that I've just added the patch titled

    scsi: sd: Fix potential NULL pointer dereference

to the 5.17-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-sd-fix-potential-null-pointer-dereference.patch
and it can be found in the queue-5.17 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4050b77e2fe3f26328a222d713cf90065e62a822
Author: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
Date:   Wed Jun 1 15:25:43 2022 +0900

    scsi: sd: Fix potential NULL pointer dereference
    
    [ Upstream commit 05fbde3a77a4f1d62e4c4428f384288c1f1a0be5 ]
    
    If sd_probe() sees an early error before sdkp->device is initialized,
    sd_zbc_release_disk() is called. This causes a NULL pointer dereference
    when sd_is_zoned() is called inside that function. Avoid this by removing
    the call to sd_zbc_release_disk() in sd_probe() error path.
    
    This change is safe and does not result in zone information memory leakage
    because the zone information for a zoned disk is allocated only when
    sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set,
    resulting in sd_disk_release() being called when needed to cleanup a disk
    zone information using sd_zbc_release_disk().
    
    Link: https://lore.kernel.org/r/20220601062544.905141-2-damien.lemoal@xxxxxxxxxxxxxxxxxx
    Fixes: 89d947561077 ("sd: Implement support for ZBC devices")
    Reported-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
    Suggested-by: Christoph Hellwig <hch@xxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 8b5d2a4076c2..65b501859141 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3605,7 +3605,6 @@ static int sd_probe(struct device *dev)
  out_put:
 	put_disk(gd);
  out_free:
-	sd_zbc_release_disk(sdkp);
 	kfree(sdkp);
  out:
 	scsi_autopm_put_device(sdp);
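
Review bot: at the out_free: label, the safety of dropping sd_zbc_release_disk(sdkp) rests on an invariant that is stated only in the commit message (zone information is allocated only from sd_revalidate_disk(), after sdkp->disk_dev is set), and nothing in the code around kfree(sdkp) records it. A one-line comment above kfree(sdkp) saying that no zone information can exist on this path would make it less likely that a later change reintroduces the call, or adds an earlier zone allocation that then leaks here. Since out_put: falls through into out_free:, it is also worth confirming that every goto reaching out_put happens before sd_revalidate_disk() can have run, because those paths now free sdkp without any zone cleanup.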


