Patch "scsi: target: core: Fix null-ptr-deref in target_alloc_device()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 22 Oct 2024 13:55:23 -0400

This is a note to let you know that I've just added the patch titled

    scsi: target: core: Fix null-ptr-deref in target_alloc_device()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-target-core-fix-null-ptr-deref-in-target_alloc_.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit dbfc7797847f1ca6334ce3d936a72fd810d9a8f5
Author: Wang Hai <wanghai38@xxxxxxxxxx>
Date:   Fri Oct 11 19:34:44 2024 +0800

    scsi: target: core: Fix null-ptr-deref in target_alloc_device()
    
    [ Upstream commit fca6caeb4a61d240f031914413fcc69534f6dc03 ]
    
    There is a null-ptr-deref issue reported by KASAN:
    
    BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
    ...
     kasan_report+0xb9/0xf0
     target_alloc_device+0xbc4/0xbe0 [target_core_mod]
     core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
     target_core_init_configfs+0x205/0x420 [target_core_mod]
     do_one_initcall+0xdd/0x4e0
    ...
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    
    In target_alloc_device(), if allocing memory for dev queues fails, then
    dev will be freed by dev->transport->free_device(), but dev->transport
    is not initialized at that time, which will lead to a null pointer
    reference problem.
    
    Fixing this bug by freeing dev with hba->backend->ops->free_device().
    
    Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU")
    Signed-off-by: Wang Hai <wanghai38@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20241011113444.40749-1-wanghai38@xxxxxxxxxx
    Reviewed-by: Mike Christie <michael.christie@xxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
index d4185c1bed8a8..1fcac654cfaa4 100644
--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -724,7 +724,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
 
 	dev->queues = kcalloc(nr_cpu_ids, sizeof(*dev->queues), GFP_KERNEL);
 	if (!dev->queues) {
-		dev->transport->free_device(dev);
+		hba->backend->ops->free_device(dev);
 		return NULL;
 	}
 







