CVE-2021-47290

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/05/2024
Last modified: 23/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix NULL dereference on XCOPY completion

CPU affinity control added with commit 39ae3edda325 ("scsi: target: core: Make completion affinity configurable") makes target_complete_cmd() queue work on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state.

LIO's EXTENDED COPY worker is a special case in that read/write cmds are dispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn pointer following initialization in target_xcopy_setup_pt().

The NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of any EXTENDED COPY initiated read/write cmds. E.g. using the libiscsi SCSI.ExtendedCopy.Simple test:

BUG: kernel NULL pointer dereference, address: 00000000000001a8
RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod]
Call Trace:
 fd_execute_rw+0x148/0x42a [target_core_file]
 ? __dynamic_pr_debug+0xa7/0xe0
 ? target_check_reservation+0x5b/0x940 [target_core_mod]
 __target_execute_cmd+0x1e/0x90 [target_core_mod]
 transport_generic_new_cmd+0x17c/0x330 [target_core_mod]
 target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod]
 target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod]
 ? target_check_fua+0x40/0x40 [target_core_mod]
 ? transport_complete_task_attr+0x130/0x130 [target_core_mod]
 target_xcopy_do_work+0x61f/0xc00 [target_core_mod]

This fix makes target_complete_cmd() queue work on se_cmd->cpuid if se_tpg_wwn is NULL.
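
The completion-CPU fallback described above, as an added user-space C model; it is not the kernel patch and not code from this advisory. The structs are simplified stand-ins that keep only the field names used in the description, and the sentinel MODEL_AFFINITY_CMD_CPU, the function names and the sample values are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified user-space stand-ins for the kernel structures named in the
 * description; only the fields the completion path reads are modelled. */
#define MODEL_AFFINITY_CMD_CPU (-1) /* hypothetical sentinel: use se_cmd->cpuid */
struct se_wwn          { int cmd_compl_affinity; };
struct se_portal_group { struct se_wwn *se_tpg_wwn; };
struct se_cmd          { int cpuid; struct se_portal_group *se_tpg; };

/* Pre-fix shape: follows se_tpg->se_tpg_wwn unconditionally. For a command
 * dispatched on xcopy_pt_tpg this reads through NULL (the oops in the trace). */
int completion_cpu_unguarded(const struct se_cmd *cmd)
{
    int aff = cmd->se_tpg->se_tpg_wwn->cmd_compl_affinity;
    return aff == MODEL_AFFINITY_CMD_CPU ? cmd->cpuid : aff;
}

/* Post-fix shape: a NULL se_tpg_wwn falls back to se_cmd->cpuid. */
int completion_cpu_guarded(const struct se_cmd *cmd)
{
    const struct se_wwn *wwn = cmd->se_tpg->se_tpg_wwn;
    if (!wwn || wwn->cmd_compl_affinity == MODEL_AFFINITY_CMD_CPU)
        return cmd->cpuid;
    return wwn->cmd_compl_affinity;
}

/* Constructed sample objects: a fabric TPG with a configured affinity and
 * an xcopy_pt_tpg-like TPG whose se_tpg_wwn was never set. */
static struct se_wwn fabric_wwn = { .cmd_compl_affinity = 2 };
static struct se_portal_group fabric_tpg = { .se_tpg_wwn = &fabric_wwn };
static struct se_portal_group model_xcopy_pt_tpg = { .se_tpg_wwn = NULL };

int demo_fabric_cpu(void)
{
    struct se_cmd cmd = { .cpuid = 5, .se_tpg = &fabric_tpg };
    return completion_cpu_guarded(&cmd);
}
int demo_xcopy_cpu(void)
{
    struct se_cmd cmd = { .cpuid = 5, .se_tpg = &model_xcopy_pt_tpg };
    return completion_cpu_guarded(&cmd);
}

int main(void)
{
    printf("fabric cmd -> CPU %d\n", demo_fabric_cpu());
    printf("xcopy cmd  -> CPU %d\n", demo_xcopy_cpu());
    return 0;
}
```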

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.13.6 (excluding)
cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*