This is a note to let you know that I've just added the patch titled

    scsi: sd: Fix potential NULL pointer dereference

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-sd-fix-potential-null-pointer-dereference.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit 5b8f2a9a838e0536bce900eabaa2c1ee30a81ffb
Author: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
Date:   Wed Jun 1 15:25:43 2022 +0900

    scsi: sd: Fix potential NULL pointer dereference

    [ Upstream commit 05fbde3a77a4f1d62e4c4428f384288c1f1a0be5 ]

    If sd_probe() sees an early error before sdkp->device is initialized,
    sd_zbc_release_disk() is called. This causes a NULL pointer dereference
    when sd_is_zoned() is called inside that function. Avoid this by removing
    the call to sd_zbc_release_disk() in sd_probe() error path.

    This change is safe and does not result in zone information memory leakage
    because the zone information for a zoned disk is allocated only when
    sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set,
    resulting in sd_disk_release() being called when needed to cleanup a disk
    zone information using sd_zbc_release_disk().

    Link: https://lore.kernel.org/r/20220601062544.905141-2-damien.lemoal@xxxxxxxxxxxxxxxxxx
    Fixes: 89d947561077 ("sd: Implement support for ZBC devices")
    Reported-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
    Suggested-by: Christoph Hellwig <hch@xxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 56e291708587..bd068d3bb455 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c 
@@ -3511,7 +3511,6 @@ static int sd_probe(struct device *dev) out_put: put_disk(gd); out_free: - sd_zbc_release_disk(sdkp); kfree(sdkp); out: scsi_autopm_put_device(sdp);
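
Review bot: the no-leak argument for the out_free path in sd_probe() cannot be checked from this hunk alone, and it matters more for a backport than for the upstream commit. After this change the label runs only kfree(sdkp), so the fix is leak-free only if no goto reaching out_put or out_free in the 5.10 version of sd_probe() can execute after sd_revalidate_disk() has allocated zone information. The commit message states that ordering for the upstream tree; it should be confirmed against the 5.10 sd_probe() body before this is queued. A one-line comment at out_free saying that zone information is released from sd_disk_release() would also keep a later cleanup pass from reintroducing the sd_zbc_release_disk(sdkp) call and, with it, the sd_is_zoned() dereference of an uninitialized sdkp->device.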