[v3,1/2] scsi: sd: Fix potential NULL pointer dereference

Message ID	20220601062544.905141-2-damien.lemoal@opensource.wdc.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <linux-scsi-owner@kernel.org> IronPort-SDR: e0wrfbQ3qDTamBlkUOiHW/JpnGRyXKozFUIr7Bzm9UJ7PU8Zc2i9t/RtDvRZnqapElFqc6XHJX ypVmmzrA5ruSs4rkIkrvwpohs4VTpg92ElcjVum81IetGVvarLSfdd8Wy6kEycmCGOFjfnGylV VHnzLcXyuoRxCQvq0/Hd75BORlqX23lfjC6Q61poGxhXQqT4i4UTLrBRRbIO5VRN9sXnJOIPsP gqoaONflosUQLDzayBTJ31QjxEq/UDB7ShODdFTeU4tYkWPXl5MZ2aCPypKX+aCPDgKKiHh8Gw HkfhULfcBCkvaFJHN8w6qnZK IronPort-SDR: zH1LVs5kk+wTFZkoi9VnG0I8MqKqpmbu+8/yntMzgsjnaxF4MCMsxdDdNvIKSqvjKqEibM8YcG 1MoC4xrjy3kw059OuWhaK/MhVPxWhOvgycVFj/arwL7ION7NmdDp7q7hcNuP4RiI7EO2B/92If 2URh1s3whe3b5rKVCTgjPwFMEkoVr72JBbfrYLLtHdTc5AlnGfemEobk53r96VGjFKvOPBdpUa ztKlb+qMf/s1kG2zIXKbSc5kJBAjsvU9Bea+GIUkPdVcbUTRChTJd0mMzV0Otimm/1IMpRZjl/ qyA= WDCIronportException: Internal From: Damien Le Moal <damien.lemoal@opensource.wdc.com> To: linux-scsi@vger.kernel.org, "Martin K . Petersen" <martin.petersen@oracle.com> Cc: Dongliang Mu <mudongliangabcd@gmail.com> Subject: [PATCH v3 1/2] scsi: sd: Fix potential NULL pointer dereference Date: Wed, 1 Jun 2022 15:25:43 +0900 Message-Id: <20220601062544.905141-2-damien.lemoal@opensource.wdc.com> In-Reply-To: <20220601062544.905141-1-damien.lemoal@opensource.wdc.com> References: <20220601062544.905141-1-damien.lemoal@opensource.wdc.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk
Series	sd_zbc fixes \| expand [v3,0/2] sd_zbc fixes [v3,1/2] scsi: sd: Fix potential NULL pointer dereference [v3,2/2] scsi: sd_zbc: prevent zone information memory leak

Message ID

20220601062544.905141-2-damien.lemoal@opensource.wdc.com (mailing list archive)

State

Accepted

Headers

IronPort-SDR: 
 e0wrfbQ3qDTamBlkUOiHW/JpnGRyXKozFUIr7Bzm9UJ7PU8Zc2i9t/RtDvRZnqapElFqc6XHJX
 ypVmmzrA5ruSs4rkIkrvwpohs4VTpg92ElcjVum81IetGVvarLSfdd8Wy6kEycmCGOFjfnGylV
 VHnzLcXyuoRxCQvq0/Hd75BORlqX23lfjC6Q61poGxhXQqT4i4UTLrBRRbIO5VRN9sXnJOIPsP
 gqoaONflosUQLDzayBTJ31QjxEq/UDB7ShODdFTeU4tYkWPXl5MZ2aCPypKX+aCPDgKKiHh8Gw
 HkfhULfcBCkvaFJHN8w6qnZK
IronPort-SDR: 
 zH1LVs5kk+wTFZkoi9VnG0I8MqKqpmbu+8/yntMzgsjnaxF4MCMsxdDdNvIKSqvjKqEibM8YcG
 1MoC4xrjy3kw059OuWhaK/MhVPxWhOvgycVFj/arwL7ION7NmdDp7q7hcNuP4RiI7EO2B/92If
 2URh1s3whe3b5rKVCTgjPwFMEkoVr72JBbfrYLLtHdTc5AlnGfemEobk53r96VGjFKvOPBdpUa
 ztKlb+qMf/s1kG2zIXKbSc5kJBAjsvU9Bea+GIUkPdVcbUTRChTJd0mMzV0Otimm/1IMpRZjl/
 qyA=
WDCIronportException: Internal
From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
To: linux-scsi@vger.kernel.org,
        "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: Dongliang Mu <mudongliangabcd@gmail.com>
Subject: [PATCH v3 1/2] scsi: sd: Fix potential NULL pointer dereference
Date: Wed,  1 Jun 2022 15:25:43 +0900
Message-Id: <20220601062544.905141-2-damien.lemoal@opensource.wdc.com>
In-Reply-To: <20220601062544.905141-1-damien.lemoal@opensource.wdc.com>
References: <20220601062544.905141-1-damien.lemoal@opensource.wdc.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Series

sd_zbc fixes | expand

Commit Message

Damien Le Moal June 1, 2022, 6:25 a.m. UTC

If sd_probe() sees an early error before sdkp->device is initialized,
sd_zbc_release_disk() is called. This causes a NULL pointer dereference
when sd_is_zoned() is called inside that function. Avoid this by
removing the call to sd_zbc_release_disk() in sd_probe() error path.

This chnage is safe and does not result in zone information memory
leakage because the zone information for a zoned disk is allocated only
when sd_revalidate_disk() is called, at which point sdkp->disk_dev is
fully set, resulting in sd_disk_release() being called when needed to
cleanup a disk zone information using sd_zbc_release_disk().

Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
Suggested-by: Christoph Hellwig <hch@lst.de>
Fixes: 89d947561077 ("sd: Implement support for ZBC device")
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
---
 drivers/scsi/sd.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Christoph Hellwig June 1, 2022, 3:26 p.m. UTC | #1

On Wed, Jun 01, 2022 at 03:25:43PM +0900, Damien Le Moal wrote:
> If sd_probe() sees an early error before sdkp->device is initialized,
> sd_zbc_release_disk() is called. This causes a NULL pointer dereference
> when sd_is_zoned() is called inside that function. Avoid this by
> removing the call to sd_zbc_release_disk() in sd_probe() error path.
> 
> This chnage is safe and does not result in zone information memory
> leakage because the zone information for a zoned disk is allocated only
> when sd_revalidate_disk() is called, at which point sdkp->disk_dev is
> fully set, resulting in sd_disk_release() being called when needed to
> cleanup a disk zone information using sd_zbc_release_disk().

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 749316462075..dabdc0eeb3dc 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3542,7 +3542,6 @@  static int sd_probe(struct device *dev)
  out_put:
 	put_disk(gd);
  out_free:
-	sd_zbc_release_disk(sdkp);
 	kfree(sdkp);
  out:
 	scsi_autopm_put_device(sdp);

[v3,1/2] scsi: sd: Fix potential NULL pointer dereference

Commit Message

Comments

Patch