
From: Guixin Liu <kanie@linux.alibaba.com>

mainline inclusion
from mainline-v6.14-rc1
commit 295006f6e8c17212d3098811166e29627d19e05c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPBKB
CVE: CVE-2025-21723

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

-------------------------------------------

If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.
Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)"
will not be satisfied, preventing execution from entering
bsg_remove_queue(), which could lead to the following crash:

BUG: kernel NULL pointer dereference, address: 000000000000041c
Call Trace:
 <TASK>
 mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]
 mpi3mr_remove+0x6f/0x340 [mpi3mr]
 pci_device_remove+0x3f/0xb0
 device_release_driver_internal+0x19d/0x220
 unbind_store+0xa4/0xb0
 kernfs_fop_write_iter+0x11f/0x200
 vfs_write+0x1fc/0x3e0
 ksys_write+0x67/0xe0
 do_syscall_64+0x38/0x80
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Fixes: 4268fa751365 ("scsi: mpi3mr: Add bsg device support")
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250107022032.24006-1-kanie@linux.alibaba.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Conflicts:
	drivers/scsi/mpi3mr/mpi3mr_app.c
[Context conflicts because 9042fb6d2c08 ("scsi: mpi3mr: Pass queue_limits to bsg_setup_queue()") isn't merged.]
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
---
 drivers/scsi/mpi3mr/mpi3mr_app.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 8e9e278d0449..e00977028c40 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -1534,6 +1534,7 @@ void mpi3mr_bsg_init(struct mpi3mr_ioc *mrioc) { struct device *bsg_dev = &mrioc->bsg_dev; struct device *parent = &mrioc->shost->shost_gendev; + struct request_queue *q; device_initialize(bsg_dev); @@ -1549,9 +1550,9 @@ void mpi3mr_bsg_init(struct mpi3mr_ioc *mrioc) return; } - mrioc->bsg_queue = bsg_setup_queue(bsg_dev, dev_name(bsg_dev), + q = bsg_setup_queue(bsg_dev, dev_name(bsg_dev), mpi3mr_bsg_request, NULL, 0); - if (IS_ERR(mrioc->bsg_queue)) { + if (IS_ERR(q)) { ioc_err(mrioc, "%s: bsg registration failed\n", dev_name(bsg_dev)); device_del(bsg_dev); @@ -1559,6 +1560,7 @@ void mpi3mr_bsg_init(struct mpi3mr_ioc *mrioc) return; } + mrioc->bsg_queue = q; blk_queue_max_segments(mrioc->bsg_queue, MPI3MR_MAX_APP_XFER_SEGMENTS); blk_queue_max_hw_sectors(mrioc->bsg_queue, MPI3MR_MAX_APP_XFER_SECTORS); -- 2.43.0
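Review bot: the new `struct request_queue *q` in the @@ -1534 hunk deserves a one-line comment stating that `mrioc->bsg_queue` must only be written after `q` has passed the IS_ERR() check, because mpi3mr_bsg_exit() treats a NULL `mrioc->bsg_queue` as "not registered" (as the commit message explains); without that note a later cleanup could reintroduce the direct assignment that caused the crash.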
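Review bot: in the @@ -1549 hunk the `IS_ERR(q)` error path no longer touches `mrioc->bsg_queue`, so the fix relies on that field already being NULL when mpi3mr_bsg_init() runs; if the ioc structure can be re-initialised without passing through mpi3mr_bsg_exit(), consider an explicit `mrioc->bsg_queue = NULL;` before the `return;` so the teardown check does not depend on the allocator having zeroed the field.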
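Review bot: in the @@ -1559 hunk `mrioc->bsg_queue = q;` is published before blk_queue_max_segments() and blk_queue_max_hw_sectors() are applied; this matches the pre-patch ordering, but since this backport cannot pass the limits through bsg_setup_queue() (9042fb6d2c08 is not merged, per the Conflicts note), calling the two `blk_queue_max_*()` helpers on `q` first and assigning `mrioc->bsg_queue` last would avoid exposing a queue pointer whose limits are not yet configured. Minor, since bsg_setup_queue() has already registered the device at that point.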