[thirdparty/kernel/stable-queue.git] / releases / 3.10.34 / scsi-storvsc-null-pointer-dereference-fix.patch

From b12bb60d6c350b348a4e1460cd68f97ccae9822e Mon Sep 17 00:00:00 2001
From: Ales Novak <alnovak@suse.cz>
Date: Thu, 27 Feb 2014 11:03:30 +0100
Subject: SCSI: storvsc: NULL pointer dereference fix

From: Ales Novak <alnovak@suse.cz>

commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream.

If the initialization of storvsc fails, the storvsc_device_destroy()
causes NULL pointer dereference.

storvsc_bus_scan()
  scsi_scan_target()
    __scsi_scan_target()
      scsi_probe_and_add_lun(hostdata=NULL)
        scsi_alloc_sdev(hostdata=NULL)

	  sdev->hostdata = hostdata

	  now the host allocation fails

          __scsi_remove_device(sdev)

	  calls sdev->host->hostt->slave_destroy() ==
	  storvsc_device_destroy(sdev)
	    access of sdev->hostdata->request_mempool

Signed-off-by: Ales Novak <alnovak@suse.cz>
Signed-off-by: Thomas Abraham <tabraham@suse.com>
Reviewed-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/storvsc_drv.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1189,6 +1189,9 @@ static void storvsc_device_destroy(struc
 {
 	struct stor_mem_pools *memp = sdevice->hostdata;
 
+	if (!memp)
+		return;
+
 	mempool_destroy(memp->request_mempool);
 	kmem_cache_destroy(memp->request_pool);
 	kfree(memp);
Commit	Line	Data
0f2bcbd3 GKH	1	From b12bb60d6c350b348a4e1460cd68f97ccae9822e Mon Sep 17 00:00:00 2001
	2	From: Ales Novak <alnovak@suse.cz>
	3	Date: Thu, 27 Feb 2014 11:03:30 +0100
	4	Subject: SCSI: storvsc: NULL pointer dereference fix
	5
	6	From: Ales Novak <alnovak@suse.cz>
	7
	8	commit b12bb60d6c350b348a4e1460cd68f97ccae9822e upstream.
	9
	10	If the initialization of storvsc fails, the storvsc_device_destroy()
	11	causes NULL pointer dereference.
	12
	13	storvsc_bus_scan()
	14	scsi_scan_target()
	15	__scsi_scan_target()
	16	scsi_probe_and_add_lun(hostdata=NULL)
	17	scsi_alloc_sdev(hostdata=NULL)
	18
	19	sdev->hostdata = hostdata
	20
	21	now the host allocation fails
	22
	23	__scsi_remove_device(sdev)
	24
	25	calls sdev->host->hostt->slave_destroy() ==
	26	storvsc_device_destroy(sdev)
	27	access of sdev->hostdata->request_mempool
	28
	29	Signed-off-by: Ales Novak <alnovak@suse.cz>
	30	Signed-off-by: Thomas Abraham <tabraham@suse.com>
	31	Reviewed-by: Jiri Kosina <jkosina@suse.cz>
	32	Acked-by: K. Y. Srinivasan <kys@microsoft.com>
	33	Signed-off-by: James Bottomley <JBottomley@Parallels.com>
	34	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	35
	36	---
	37	drivers/scsi/storvsc_drv.c \| 3 +++
	38	1 file changed, 3 insertions(+)
	39
	40	--- a/drivers/scsi/storvsc_drv.c
	41	+++ b/drivers/scsi/storvsc_drv.c
	42	@@ -1189,6 +1189,9 @@ static void storvsc_device_destroy(struc
	43	{
	44	struct stor_mem_pools *memp = sdevice->hostdata;
	45
	46	+ if (!memp)
	47	+ return;
	48	+
	49	mempool_destroy(memp->request_mempool);
	50	kmem_cache_destroy(memp->request_pool);
	51	kfree(memp);