[3.8.y.z extended stable] Patch "[SCSI] storvsc: NULL pointer dereference fix" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Mon Mar 31 17:20:40 UTC 2014 

This is a note to let you know that I have just added a patch titled

    [SCSI] storvsc: NULL pointer dereference fix

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.21.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 0fad270edc2a6d5a13ca65c537444983366047af Mon Sep 17 00:00:00 2001
From: Ales Novak <alnovak at suse.cz>
Date: Thu, 27 Feb 2014 11:03:30 +0100
Subject: [SCSI] storvsc: NULL pointer dereference fix

commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream.

If the initialization of storvsc fails, the storvsc_device_destroy()
causes NULL pointer dereference.

storvsc_bus_scan()
  scsi_scan_target()
    __scsi_scan_target()
      scsi_probe_and_add_lun(hostdata=NULL)
        scsi_alloc_sdev(hostdata=NULL)

	  sdev->hostdata = hostdata

	  now the host allocation fails

          __scsi_remove_device(sdev)

	  calls sdev->host->hostt->slave_destroy() ==
	  storvsc_device_destroy(sdev)
	    access of sdev->hostdata->request_mempool

Signed-off-by: Ales Novak <alnovak at suse.cz>
Signed-off-by: Thomas Abraham <tabraham at suse.com>
Reviewed-by: Jiri Kosina <jkosina at suse.cz>
Acked-by: K. Y. Srinivasan <kys at microsoft.com>
Signed-off-by: James Bottomley <JBottomley at Parallels.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/scsi/storvsc_drv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 0374eee..a05f122 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1141,6 +1141,9 @@ static void storvsc_device_destroy(struct scsi_device *sdevice)
 {
 	struct stor_mem_pools *memp = sdevice->hostdata;

+	if (!memp)
+		return;
+
 	mempool_destroy(memp->request_mempool);
 	kmem_cache_destroy(memp->request_pool);
 	kfree(memp);
--
1.8.3.2

More information about the kernel-team mailing list