[openEuler-1.0-LTS 0/3] scsi: scsi_device_gets returns failure when the module is NULL.

List overview All Threads
Download

newer

older

[PATCH OLK-5.10] dm: switch to...

[PATCH openEuler-1.0-LTS 0/7]...

Zhong Jinghua

7 Sep 2023 7 Sep '23

10:35 a.m.

Fix scsi mod UAF problem.

Li Lingfeng (2): scsi: don't fail if hostt->module is NULL scsi: fix kabi broken in struct Scsi_Host

Zhong Jinghua (1): scsi: scsi_device_gets returns failure when the module is NULL.

drivers/scsi/hosts.c | 3 +++ drivers/scsi/scsi.c | 6 +++++- include/scsi/scsi_host.h | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-)

-- 2.31.1

Show replies by date

Zhong Jinghua

7 Sep 7 Sep

10:35 a.m.

New subject: [openEuler-1.0-LTS 1/3] scsi: scsi_device_gets returns failure when the module is NULL.

hulk inclusion category: bugfix bugzilla: 189103, https://gitee.com/openeuler/kernel/issues/I7YWV4 CVE: NA

--------------------------------

when module is NULL, try_module_get return true. But it would be better to return failure in scsi_device_get.

Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- drivers/scsi/scsi.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index acd118da88bf..f3b7c7540ed8 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -557,11 +557,15 @@ EXPORT_SYMBOL(scsi_report_opcode); */ int scsi_device_get(struct scsi_device *sdev) { + struct module *module; + if (sdev->sdev_state == SDEV_DEL || sdev->sdev_state == SDEV_CANCEL) goto fail; if (!get_device(&sdev->sdev_gendev)) goto fail; - if (!try_module_get(sdev->host->hostt->module)) + + module = sdev->host->hostt->module; + if (!module || !try_module_get(module)) goto fail_put_device; return 0;

-- 2.31.1

Zhong Jinghua

10:35 a.m.

New subject: [openEuler-1.0-LTS 2/3] scsi: don't fail if hostt->module is NULL

From: Li Lingfeng lilingfeng3@huawei.com

hulk inclusion category: bugfix bugzilla: 189103, https://gitee.com/openeuler/kernel/issues/I7YWV4 CVE: NA

--------------------------------

If CONFIG_SCSI_VIRTIO is set as "y", sdev->host->hostt->module will be NULL, which means scsi device can't be probed normally.

Fix the problem by adding a member in struct Scsi_Host to record whether the module is builtin.

Fixes: 3f4659e76aa3 ("[Huawei] scsi: scsi_device_gets returns failure when the module is NULL.") Signed-off-by: Li Lingfeng lilingfeng3@huawei.com conflict: drivers/scsi/hosts.c Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- drivers/scsi/hosts.c | 3 +++ drivers/scsi/scsi.c | 2 +- include/scsi/scsi_host.h | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index 7150164c5ed9..5299fa75215a 100644 --- a/drivers/scsi/hosts.c +++ b/drivers/scsi/hosts.c @@ -477,6 +477,9 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)

shost->use_blk_mq = scsi_use_blk_mq || shost->hostt->force_blk_mq;

+ if (!sht->module) + shost->is_builtin = true; + device_initialize(&shost->shost_gendev); dev_set_name(&shost->shost_gendev, "host%d", shost->host_no); shost->shost_gendev.bus = &scsi_bus_type; diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c index f3b7c7540ed8..6178b476bec6 100644 --- a/drivers/scsi/scsi.c +++ b/drivers/scsi/scsi.c @@ -565,7 +565,7 @@ int scsi_device_get(struct scsi_device *sdev) goto fail;

module = sdev->host->hostt->module; - if (!module || !try_module_get(module)) + if ((!module && !sdev->host->is_builtin) || !try_module_get(module)) goto fail_put_device; return 0;

diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h index 29268cc34fe6..7811f6c3f68c 100644 --- a/include/scsi/scsi_host.h +++ b/include/scsi/scsi_host.h @@ -710,6 +710,8 @@ struct Scsi_Host { */ struct device *dma_dev;

+ bool is_builtin; + KABI_RESERVE(1) KABI_RESERVE(2) KABI_RESERVE(3)

-- 2.31.1

Zhong Jinghua

10:35 a.m.

New subject: [openEuler-1.0-LTS 3/3] scsi: fix kabi broken in struct Scsi_Host

From: Li Lingfeng lilingfeng3@huawei.com

hulk inclusion category: bugfix, https://gitee.com/openeuler/kernel/issues/I7YWV4 bugzilla: 189103 CVE: NA

--------------------------------

This broken caused by adding "is_builtin". Fix kabi broken in struct Scsi_Host.

Signed-off-by: Li Lingfeng lilingfeng3@huawei.com Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- include/scsi/scsi_host.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/scsi/scsi_host.h b/include/scsi/scsi_host.h index 7811f6c3f68c..f3c440e32ba7 100644 --- a/include/scsi/scsi_host.h +++ b/include/scsi/scsi_host.h @@ -710,9 +710,7 @@ struct Scsi_Host { */ struct device *dma_dev;

- bool is_builtin; - - KABI_RESERVE(1) + KABI_USE(1, bool is_builtin) KABI_RESERVE(2) KABI_RESERVE(3) KABI_RESERVE(4)

-- 2.31.1

388

Age (days ago)

388

Last active (days ago)

kernel@openeuler.org

3 comments

1 participants

tags (0)

participants (1)

Zhong Jinghua