linux-stable/drivers
Tadeusz Struk 06cc8187db scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd()
commit 703535e6ae upstream.

No need to deduce command size in scsi_setup_scsi_cmnd() anymore as
appropriate checks have been added to scsi_fill_sghdr_rq() function and the
cmd_len should never be zero here.  The code to do that wasn't correct
anyway, as it used uninitialized cmd->cmnd, which caused a null-ptr-deref
if the command size was zero as in the trace below. Fix this by removing
the unneeded code.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1822 Comm: repro Not tainted 5.15.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
Call Trace:
 blk_mq_dispatch_rq_list+0x7c7/0x12d0
 __blk_mq_sched_dispatch_requests+0x244/0x380
 blk_mq_sched_dispatch_requests+0xf0/0x160
 __blk_mq_run_hw_queue+0xe8/0x160
 __blk_mq_delay_run_hw_queue+0x252/0x5d0
 blk_mq_run_hw_queue+0x1dd/0x3b0
 blk_mq_sched_insert_request+0x1ff/0x3e0
 blk_execute_rq_nowait+0x173/0x1e0
 blk_execute_rq+0x15c/0x540
 sg_io+0x97c/0x1370
 scsi_ioctl+0xe16/0x28e0
 sd_ioctl+0x134/0x170
 blkdev_ioctl+0x362/0x6e0
 block_ioctl+0xb0/0xf0
 vfs_ioctl+0xa7/0xf0
 do_syscall_64+0x3d/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
---[ end trace 8b086e334adef6d2 ]---
Kernel panic - not syncing: Fatal exception

Link: https://lore.kernel.org/r/20211103170659.22151-2-tadeusz.struk@linaro.org
Fixes: 2ceda20f0a ("scsi: core: Move command size detection out of the fast path")
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: James E.J. Bottomley <jejb@linux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <linux-scsi@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Cc: <stable@vger.kernel.org> # 5.15, 5.14, 5.10
Reported-by: syzbot+5516b30f5401d4dcbcae@syzkaller.appspotmail.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-18 14:03:37 +01:00
accessibility
acpi acpi/arm64: fix next_platform_timer() section mismatch error 2021-10-20 11:45:06 +02:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:10:09 +01:00
android binder: use cred instead of task for getsecid 2021-11-18 14:03:36 +01:00
ata libata: fix read log timeout value 2021-11-18 14:03:37 +01:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-19 09:44:52 +02:00
auxdisplay
base regmap: Fix possible double-free in regcache_rbtree_exit() 2021-11-02 19:48:22 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-15 09:50:45 +02:00
block Revert "block: nbd: add sanity check for first_minor" 2021-09-16 12:51:23 +02:00
bluetooth Bluetooth: btusb: check conditions before enabling USB ALT 3 for WBS 2021-09-03 10:09:28 +02:00
bus drivers: bus: simple-pm-bus: Add support for probing simple bus only devices 2021-10-20 11:45:01 +02:00
cdrom cdrom: gdrom: initialize global variable at init time 2021-05-26 12:06:55 +02:00
char tpm: ibmvtpm: Avoid error message when process gets signal while waiting 2021-09-15 09:50:30 +02:00
clk clk: socfpga: agilex: fix duplicate s2f_user0_clk 2021-10-20 11:44:58 +02:00
clocksource clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel 2021-09-15 09:50:29 +02:00
connector
counter counter: 104-quad-8: Return error when invalid mode during ceiling_write 2021-09-15 09:50:38 +02:00
cpufreq cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory 2021-10-06 15:55:46 +02:00
cpuidle cpuidle: pseries: Mark pseries_idle_proble() as __init 2021-09-18 13:40:12 +02:00
crypto crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() 2021-10-06 15:56:03 +02:00
dax
dca
devfreq PM / devfreq: Add missing error code in devfreq_add_device() 2021-07-14 16:56:11 +02:00
dio
dma dmaengine: xilinx_dma: Set DMA mask for coherent APIs 2021-09-26 14:09:00 +02:00
dma-buf dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER 2021-09-26 14:08:59 +02:00
edac EDAC/armada-xp: Fix output of uncorrectable error counter 2021-10-20 11:45:01 +02:00
eisa
extcon extcon: intel-mrfld: Sync hardware and software state on init 2021-07-19 09:45:00 +02:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-07 15:00:11 +02:00
firmware efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() 2021-10-20 11:45:00 +02:00
fpga fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() 2021-09-30 10:11:04 +02:00
fsi fsi: Add missing MODULE_DEVICE_TABLE 2021-07-20 16:05:42 +02:00
gnss
gpio gpio: xgs-iproc: fix parsing of ngpios property 2021-11-02 19:48:23 +01:00
gpu Revert "drm/ttm: fix memleak in ttm_transfered_destroy" 2021-11-06 14:10:09 +01:00
greybus
hid HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs 2021-10-17 10:43:32 +02:00
hsi HSI: core: fix resource leaks in hsi_add_client_from_dt() 2021-05-14 09:50:28 +02:00
hv drivers: hv: Fix missing error code in vmbus_connect() 2021-07-14 16:55:59 +02:00
hwmon hwmon: (pmbus/ibm-cffps) max_power_out swap changes 2021-10-17 10:43:34 +02:00
hwspinlock
hwtracing intel_th: Wait until port is in reset before programming it 2021-07-20 16:05:46 +02:00
i2c i2c: mediatek: Add OFFSET_EXT_CONF setting back 2021-10-13 10:04:29 +02:00
i3c Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register" 2021-05-14 09:50:05 +02:00
ide
idle
iio iio: dac: ti-dac5571: fix an error code in probe() 2021-10-20 11:45:02 +02:00
infiniband RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string 2021-11-02 19:48:22 +01:00
input Input: i8042 - Add quirk for Fujitsu Lifebook T725 2021-11-18 14:03:36 +01:00
interconnect treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
iommu iommu/amd: Relocate GAMSup check to early_enable_iommus 2021-09-26 14:08:59 +02:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:56:01 +02:00
irqchip irqchip/gic: Work around broken Renesas integration 2021-10-09 14:40:57 +02:00
isdn isdn: mISDN: Fix sleeping function called from invalid context 2021-10-27 09:56:55 +02:00
leds leds: trigger: audio: Add an activate callback to ensure the initial brightness is set 2021-09-15 09:50:36 +02:00
lightnvm
macintosh
mailbox soc: mediatek: cmdq: add address shift in jump 2021-09-18 13:40:16 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-30 10:11:00 +02:00
md md: fix a lock order reversal in md_alloc 2021-09-30 10:11:05 +02:00
media media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() 2021-11-06 14:10:09 +01:00
memory memory: tegra: Fix compilation warnings on 64bit platforms 2021-07-25 14:36:14 +02:00
memstick memstick: rtsx_usb_ms: fix UAF 2021-07-14 16:55:53 +02:00
message
mfd mfd: lpc_sch: Rename GPIOBASE to prevent build error 2021-09-22 12:28:06 +02:00
misc misc: fastrpc: Add missing lock before accessing find_vma() 2021-10-20 11:45:01 +02:00
mmc mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit 2021-11-02 19:48:20 +01:00
most
mtd mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' 2021-09-22 12:28:04 +02:00
mux
net rsi: fix control-message timeout 2021-11-12 14:58:35 +01:00
nfc nfc: port100: fix using -ERRNO as command type mask 2021-11-02 19:48:19 +01:00
ntb NTB: perf: Fix an error code in perf_setup_inbuf() 2021-09-22 12:28:02 +02:00
nubus
nvdimm libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind 2021-09-18 13:40:36 +02:00
nvme nvme-tcp: fix possible req->offset corruption 2021-11-02 19:48:22 +01:00
nvmem nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 11:45:01 +02:00
of of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS 2021-09-18 13:40:31 +02:00
opp opp: Don't print an error if required-opps is missing 2021-09-18 13:40:29 +02:00
oprofile
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-26 14:08:59 +02:00
parport parport: remove non-zero check on count 2021-09-18 13:40:34 +02:00
pci s390/pci: fix zpci_zdev_put() on reserve 2021-10-27 09:56:56 +02:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-12 13:22:16 +02:00
perf perf/arm-cmn: Fix invalid pointer when access dtc object sharing the same IRQ number 2021-07-14 16:56:08 +02:00
phy phy: intel: Fix for warnings due to EMMC clock 175Mhz change in FIP 2021-07-20 16:05:46 +02:00
pinctrl pinctrl: amd: disable and mask interrupts on probe 2021-11-02 19:48:19 +01:00
platform platform/x86: intel_scu_ipc: Update timeout value in comment 2021-10-27 09:56:55 +02:00
pnp
power power: supply: max17042: handle fails of reading status register 2021-09-18 13:40:08 +02:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-13 10:04:27 +02:00
pwm pwm: stm32-lp: Don't modify HW state in .remove() callback 2021-09-26 14:09:01 +02:00
rapidio rapidio: handle create_workqueue() failure 2021-05-26 12:06:52 +02:00
ras RAS/CEC: Correct ce_add_elem()'s returned values 2021-04-14 08:42:12 +02:00
regulator regulator: vctrl: Avoid lockdep warning in enable/disable ops 2021-09-15 09:50:30 +02:00
remoteproc remoteproc: k3-r5: Fix an error message 2021-07-20 16:05:50 +02:00
reset reset: brcmstb-rescal: fix incorrect polarity of status bit 2021-11-02 19:48:22 +01:00
rpmsg rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() 2021-05-19 10:13:02 +02:00
rtc rtc: rx8010: select REGMAP_I2C 2021-09-26 14:09:02 +02:00
s390 s390/qeth: fix NULL deref in qeth_clear_working_pool_list() 2021-09-30 10:11:03 +02:00
sbus
scsi scsi: core: Remove command size deduction from scsi_setup_scsi_cmnd() 2021-11-18 14:03:37 +01:00
sfi
sh
siox
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-26 08:35:55 -04:00
soc soc: ti: omap-prm: Fix external abort for am335x pruss 2021-10-13 10:04:26 +02:00
soundwire soundwire: intel: fix potential race condition during power down 2021-09-18 13:40:31 +02:00
spi spi: bcm-qspi: clear MSPI spifie interrupt during probe 2021-10-20 11:45:05 +02:00
spmi
ssb ssb: Fix error return code in ssb_bus_scan() 2021-07-14 16:56:21 +02:00
staging media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init 2021-11-12 14:58:35 +01:00
target scsi: target: Fix the pgr/alua_support_store functions 2021-09-30 10:11:03 +02:00
tc
tee tee: optee: Fix missing devices unregister during optee_remove 2021-10-20 11:45:02 +02:00
thermal thermal/drivers/tsens: Fix wrong check for tzd in irq handlers 2021-10-09 14:40:57 +02:00
thunderbolt thunderbolt: Fix port linking by checking all adapters 2021-09-18 13:40:27 +02:00
tty tty: Fix out-of-bound vmalloc access in imageblit 2021-10-06 15:55:45 +02:00
uio uio_hv_generic: Fix a memory leak in error handling paths 2021-05-26 12:06:52 +02:00
usb usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform 2021-11-18 14:03:36 +01:00
vdpa vdpa/mlx5: Avoid destroying MR on empty iotlb 2021-08-26 08:35:42 -04:00
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-18 13:40:12 +02:00
vhost vhost-vdpa: Fix the wrong input in config_cb 2021-10-20 11:45:04 +02:00
video video: fbdev: gbefb: Only instantiate device when built for IP32 2021-10-13 10:04:28 +02:00
virt nitro_enclaves: Fix stale file descriptors on failed usercopy 2021-05-11 14:47:11 +02:00
virtio virtio: write back F_VERSION_1 before validate 2021-10-20 11:45:01 +02:00
visorbus visorbus: fix error return code in visorchipset_init() 2021-07-14 16:56:41 +02:00
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:05:39 +02:00
watchdog watchdog: Start watchdog in watchdog_set_last_hw_keepalive only if appropriate 2021-09-22 12:28:01 +02:00
xen xen/balloon: fix cancelled balloon action 2021-10-13 10:04:24 +02:00
zorro
Kconfig
Makefile