Commit a0fde512 authored Apr 07, 2023 by Maurizio Lombardi Committed by Martin K. Petersen Apr 11, 2023

scsi: target: core: Fix invalid memory access



nr_attrs should start counting from zero, otherwise we will end up
dereferencing an invalid memory address.

$ targetcli /loopback create

 general protection fault
 RIP: 0010:configfs_create_file+0x12/0x70
 Call Trace:
  <TASK>
  configfs_attach_item.part.0+0x5f/0x150
  configfs_attach_group.isra.0+0x49/0x120
  configfs_mkdir+0x24f/0x4d0
  vfs_mkdir+0x192/0x240
  do_mkdirat+0x131/0x160
  __x64_sys_mkdir+0x48/0x70
  do_syscall_64+0x5c/0x90

Fixes: 31177b74 ("scsi: target: core: Add RTPI attribute for target port")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20230407130033.556644-1-mlombard@redhat.com


Acked-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent dc70c961

drivers/target/target_core_fabric_configfs.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -885,7 +885,7 @@ target_fabric_setup_tpg_base_cit(struct target_fabric_configfs *tf)
		{
		struct config_item_type *cit = &tf->tf_tpg_base_cit;
		struct configfs_attribute **attrs = NULL;
		size_t nr_attrs = 1;
		size_t nr_attrs = 0;
		int i = 0;

		if (tf->tf_ops->tfc_tpg_base_attrs)
		@@ -895,8 +895,8 @@ target_fabric_setup_tpg_base_cit(struct target_fabric_configfs *tf)
		if (tf->tf_ops->fabric_enable_tpg)
		nr_attrs++;

		if (nr_attrs == 0)
		goto done;
		/* + 1 for target_fabric_tpg_base_attr_rtpi */
		nr_attrs++;

		/* + 1 for final NULL in the array */
		attrs = kcalloc(nr_attrs + 1, sizeof(*attrs), GFP_KERNEL);
		@@ -912,7 +912,6 @@ target_fabric_setup_tpg_base_cit(struct target_fabric_configfs *tf)

		attrs[i++] = &target_fabric_tpg_base_attr_rtpi;

		done:
		cit->ct_item_ops = &target_fabric_tpg_base_item_ops;
		cit->ct_attrs = attrs;
		cit->ct_owner = tf->tf_ops->module;