6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Oct 2024 10:44:14 +0000 (12:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Oct 2024 10:44:14 +0000 (12:44 +0200)
added patches:
vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch

queue-6.1/series
queue-6.1/vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch [new file with mode: 0644]

index 13bbbb25d86738b05eb7bc33566d5a84f90e0d52..1d59e821ec6d75ef7c95fc4b7543b4f65939a3d9 100644 (file)
@@ -660,3 +660,4 @@ erofs-get-rid-of-z_erofs_do_map_blocks-forward-declaration.patch
 erofs-avoid-hardcoded-blocksize-for-subpage-block-support.patch
 erofs-set-block-size-to-the-on-disk-block-size.patch
 erofs-fix-incorrect-symlink-detection-in-fast-symlink.patch
+vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch
diff --git a/queue-6.1/vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch b/queue-6.1/vhost-scsi-null-ptr-dereference-in-vhost_scsi_get_req.patch
new file mode 100644 (file)
index 0000000..51a04e6
--- /dev/null
@@ -0,0 +1,115 @@
+From 221af82f606d928ccef19a16d35633c63026f1be Mon Sep 17 00:00:00 2001
+From: Haoran Zhang <wh1sper@zju.edu.cn>
+Date: Tue, 1 Oct 2024 15:14:15 -0500
+Subject: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
+
+From: Haoran Zhang <wh1sper@zju.edu.cn>
+
+commit 221af82f606d928ccef19a16d35633c63026f1be upstream.
+
+Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
+from control queue handler") a null pointer dereference bug can be
+triggered when guest sends an SCSI AN request.
+
+In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
+`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
+vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
+a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
+set to NULL in this branch. Later, in vhost_scsi_get_req(),
+`vc->target` is dereferenced without being checked, leading to a null
+pointer dereference bug. This bug can be triggered from guest.
+
+When this bug occurs, the vhost_worker process is killed while holding
+`vq->mutex` and the corresponding tpg will remain occupied
+indefinitely.
+
+Below is the KASAN report:
+Oops: general protection fault, probably for non-canonical address
+0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
+Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
+1.16.3-debian-1.16.3-2 04/01/2014
+RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
+Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
+48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
+04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
+RSP: 0018:ffff888017affb50 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
+RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
+FS:  000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
+Call Trace:
+ <TASK>
+ ? show_regs+0x86/0xa0
+ ? die_addr+0x4b/0xd0
+ ? exc_general_protection+0x163/0x260
+ ? asm_exc_general_protection+0x27/0x30
+ ? vhost_scsi_get_req+0x165/0x3a0
+ vhost_scsi_ctl_handle_vq+0x2a4/0xca0
+ ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
+ ? __switch_to+0x721/0xeb0
+ ? __schedule+0xda5/0x5710
+ ? __kasan_check_write+0x14/0x30
+ ? _raw_spin_lock+0x82/0xf0
+ vhost_scsi_ctl_handle_kick+0x52/0x90
+ vhost_run_work_list+0x134/0x1b0
+ vhost_task_fn+0x121/0x350
+...
+ </TASK>
+---[ end trace 0000000000000000 ]---
+
+Let's add a check in vhost_scsi_get_req.
+
+Fixes: 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler")
+Signed-off-by: Haoran Zhang <wh1sper@zju.edu.cn>
+[whitespace fixes]
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Message-Id: <b26d7ddd-b098-4361-88f8-17ca7f90adf7@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/scsi.c |   25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -905,20 +905,23 @@ vhost_scsi_get_req(struct vhost_virtqueu
+               /* virtio-scsi spec requires byte 0 of the lun to be 1 */
+               vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp);
+       } else {
+-              struct vhost_scsi_tpg **vs_tpg, *tpg;
++              struct vhost_scsi_tpg **vs_tpg, *tpg = NULL;
+-              vs_tpg = vhost_vq_get_backend(vq);      /* validated at handler entry */
+-
+-              tpg = READ_ONCE(vs_tpg[*vc->target]);
+-              if (unlikely(!tpg)) {
+-                      vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
+-              } else {
+-                      if (tpgp)
+-                              *tpgp = tpg;
+-                      ret = 0;
++              if (vc->target) {
++                      /* validated at handler entry */
++                      vs_tpg = vhost_vq_get_backend(vq);
++                      tpg = READ_ONCE(vs_tpg[*vc->target]);
++                      if (unlikely(!tpg)) {
++                              vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
++                              goto out;
++                      }
+               }
+-      }
++              if (tpgp)
++                      *tpgp = tpg;
++              ret = 0;
++      }
++out:
+       return ret;
+ }
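Review bot: The new `if (vc->target)` branch leaves `tpg` NULL for a request that addresses no target and still returns success with `*tpgp = NULL` through the added `if (tpgp) *tpgp = tpg;`, so every caller that passes a non-NULL `tpgp` now has to tolerate a NULL target port group, and nothing in the code states that contract. Suggest a comment above the new branch: `/* vc->target is NULL for requests that address no target (e.g. VIRTIO_SCSI_T_AN_*); tpg then stays NULL and a non-NULL *tpgp receives NULL - callers must not dereference it. */`. The added `goto out` also relies on `ret` already holding its failure value from before this hunk, which the hunk does not show, so that precondition is worth a short comment at the label as well. vhost_scsi_get_req() begins outside the hunk.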