• YueHaibing's avatar
    scsi: scsi_dh_alua: Fix possible null-ptr-deref · 12e750bc
    YueHaibing authored
    If alloc_workqueue fails in alua_init, it should return -ENOMEM, otherwise
    it will trigger null-ptr-deref while unloading module which calls
    destroy_workqueue dereference
    wq->lock like this:
    
    BUG: KASAN: null-ptr-deref in __lock_acquire+0x6b4/0x1ee0
    Read of size 8 at addr 0000000000000080 by task syz-executor.0/7045
    
    CPU: 0 PID: 7045 Comm: syz-executor.0 Tainted: G         C        5.1.0+ #28
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
    Call Trace:
     dump_stack+0xa9/0x10e
     __kasan_report+0x171/0x18d
     ? __lock_acquire+0x6b4/0x1ee0
     kasan_report+0xe/0x20
     __lock_acquire+0x6b4/0x1ee0
     lock_acquire+0xb4/0x1b0
     __mutex_lock+0xd8/0xb90
     drain_workqueue+0x25/0x290
     destroy_workqueue+0x1f/0x3f0
     __x64_sys_delete_module+0x244/0x330
     do_syscall_64+0x72/0x2a0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    Reported-by: default avatarHulk Robot <hulkci@huawei.com>
    Fixes: 03197b61 ("scsi_dh_alua: Use workqueue for RTPG")
    Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
    Reviewed-by: default avatarBart Van Assche <bvanassche@acm.org>
    Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    12e750bc
scsi_dh_alua.c 31.1 KB