scsi: scsi_dh_alua: Fix possible null-ptr-deref [Linux 4.14.129]

This Linux kernel change, "scsi: scsi_dh_alua: Fix possible null-ptr-deref", is included in the Linux 4.14.129 stable release. It was authored by YueHaibing <yuehaibing [at] huawei.com> on Mon May 27 22:22:09 2019 +0800. In the Linux stable tree the commit is b7f53af, a backport of upstream commit 12e750b. The same upstream change may also have been applied to other maintained Linux releases; all releases containing upstream 12e750b can be listed from that commit ID.

scsi: scsi_dh_alua: Fix possible null-ptr-deref

[ Upstream commit 12e750bc62044de096ab9a95201213fd912b9994 ]

If alloc_workqueue fails in alua_init, it should return -ENOMEM; otherwise
it will trigger a null-ptr-deref while unloading the module, which calls
destroy_workqueue and dereferences wq->lock like this:

BUG: KASAN: null-ptr-deref in __lock_acquire+0x6b4/0x1ee0
Read of size 8 at addr 0000000000000080 by task syz-executor.0/7045

CPU: 0 PID: 7045 Comm: syz-executor.0 Tainted: G         C        5.1.0+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
Call Trace:
 dump_stack+0xa9/0x10e
 __kasan_report+0x171/0x18d
 ? __lock_acquire+0x6b4/0x1ee0
 kasan_report+0xe/0x20
 __lock_acquire+0x6b4/0x1ee0
 lock_acquire+0xb4/0x1b0
 __mutex_lock+0xd8/0xb90
 drain_workqueue+0x25/0x290
 destroy_workqueue+0x1f/0x3f0
 __x64_sys_delete_module+0x244/0x330
 do_syscall_64+0x72/0x2a0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reported-by: Hulk Robot <[email protected]>
Fixes: 03197b61c5ec ("scsi_dh_alua: Use workqueue for RTPG")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>

This change adds or deletes 6 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/scsi/device_handler/scsi_dh_alua.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
index 0962fd5..09c6a16 100644
--- a/drivers/scsi/device_handler/scsi_dh_alua.c
+++ b/drivers/scsi/device_handler/scsi_dh_alua.c
@@ -1151,10 +1151,8 @@ static int __init alua_init(void)
    int r;

    kaluad_wq = alloc_workqueue("kaluad", WQ_MEM_RECLAIM, 0);
-   if (!kaluad_wq) {
-       /* Temporary failure, bypass */
-       return SCSI_DH_DEV_TEMP_BUSY;
-   }
+   if (!kaluad_wq)
+       return -ENOMEM;

    r = scsi_register_device_handler(&alua_dh);
    if (r != 0) {
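Review bot: the removed branch returned SCSI_DH_DEV_TEMP_BUSY, a positive SCSI device-handler status code, from a module __init function, and the module loader treats only a negative init return as a failed load (a positive value is warned about and the module is left resident), so the module stayed loaded with kaluad_wq == NULL and the destroy_workqueue() call on unload dereferenced it; returning -ENOMEM is the right fix and the 0/-errno convention every initcall must follow. Dropping the "Temporary failure, bypass" comment is also correct, since a workqueue allocation failure inside init is not something the caller can retry. One thing to confirm that the hunk cuts off: the scsi_register_device_handler error path beginning at `if (r != 0) {` should still call destroy_workqueue(kaluad_wq) before returning, so the fix does not trade a NULL dereference for a leaked workqueue on that path.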
