CVE-2021-47337

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/05/2024
Last modified:
24/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix bad pointer dereference when ehandler kthread is invalid

Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM).

The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild:

scsi host11: error handler thread failed to spawn, error = -4
Kernel attempted to read user page (10c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x0000010c
Faulting instruction address: 0xc00000000818e9a8
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop
CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1
NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8
REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28228228
XER: 20040001
CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0
GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc
GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000
GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff
GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0
GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288
GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898
GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000
GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc
NIP [c00000000818e9a8] kthread_stop+0x38/0x230
LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160
Call Trace:
[c000000033bb2c48] 0xc000000033bb2c48 (unreliable)
[c0000000089846e8] scsi_host_dev_release+0x98/0x160
[c00000000891e960] device_release+0x60/0x100
[c0000000087e55c4] kobject_release+0x84/0x210
[c00000000891ec78] put_device+0x28/0x40
[c000000008984ea4] scsi_host_alloc+0x314/0x430
[c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi]
[c000000008110104] vio_bus_probe+0xa4/0x4b0
[c00000000892a860] really_probe+0x140/0x680
[c00000000892aefc] driver_probe_device+0x15c/0x200
[c00000000892b63c] device_driver_attach+0xcc/0xe0
[c00000000892b740] __driver_attach+0xf0/0x200
[c000000008926f28] bus_for_each_dev+0xa8/0x130
[c000000008929ce4] driver_attach+0x34/0x50
[c000000008928fc0] bus_add_driver+0x1b0/0x300
[c00000000892c798] driver_register+0x98/0x1a0
[c00000000810eb60] __vio_register_driver+0x80/0xe0
[c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi]
[c0000000080121d0] do_one_initcall+0x60/0x2d0
[c000000008261abc] do_init_module+0x7c/0x320
[c000000008265700] load_module+0x2350/0x25b0
[c000000008265cb4] __do_sys_finit_module+0xd4/0x160
[c000000008031110] system_call_exception+0x150/0x2d0
[c00000000800d35c] system_call_common+0xec/0x278

Fix this by nulling shost->ehandler when the kthread fails to spawn.
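The bug is the classic ERR_PTR mismatch: the allocation path stores an encoded errno in the pointer field, while the release path only tests it against NULL. The added userspace model below (example code, not kernel code or part of the CVE record) reimplements the ERR_PTR/IS_ERR convention and contrasts the release behaviour for the original allocation path with the fix that nulls the field on failure; the struct names, the fake_kthread_* helpers and run_scenario() are assumed for the illustration.

```c
/* Added example: userspace model of the ERR_PTR vs NULL mismatch in CVE-2021-47337. */
#include <errno.h>
#include <stddef.h>

/* Same encoding the kernel uses: errno values live in the top 4095 addresses. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct task { int stopped; };               /* stand-in for struct task_struct (assumed) */
struct host { struct task *ehandler; };     /* stand-in for Scsi_Host->ehandler (assumed) */

/* Model of kthread_run(): on failure it hands back an encoded errno, not NULL. */
static struct task *fake_kthread_run(int fail, struct task *t) { return fail ? ERR_PTR(-ENOMEM) : t; }

/* Model of kthread_stop(): it dereferences its argument, so an ERR_PTR is a bad read.
 * Here the bad read is recorded in *deref_bad instead of faulting. */
static int fake_kthread_stop(struct task *t, int *deref_bad) {
    if (IS_ERR(t)) { *deref_bad = 1; return -1; }  /* in the kernel this is the oops */
    t->stopped = 1;
    return 0;
}

/* Release path as the CVE describes it: stop the thread whenever the field is non-NULL. */
static int release(struct host *h, int *deref_bad) {
    if (h->ehandler != NULL) return fake_kthread_stop(h->ehandler, deref_bad);
    return 0;
}

/* Original allocation path: the ERR_PTR is left in the field before the cleanup runs. */
static int alloc_vulnerable(struct host *h, int fail, struct task *t) {
    h->ehandler = fake_kthread_run(fail, t);
    if (IS_ERR(h->ehandler)) return (int)PTR_ERR(h->ehandler);
    return 0;
}

/* Fixed allocation path: null the field on failure so release() skips kthread_stop(). */
static int alloc_fixed(struct host *h, int fail, struct task *t) {
    h->ehandler = fake_kthread_run(fail, t);
    if (IS_ERR(h->ehandler)) { int rc = (int)PTR_ERR(h->ehandler); h->ehandler = NULL; return rc; }
    return 0;
}

/* Run one scenario; returns 1 if the cleanup path touched a bad pointer, 0 otherwise. */
int run_scenario(int fixed, int spawn_fails) {
    struct task t = {0}; struct host h = {0}; int bad = 0;
    int rc = fixed ? alloc_fixed(&h, spawn_fails, &t) : alloc_vulnerable(&h, spawn_fails, &t);
    if (rc) release(&h, &bad);  /* error path: put_device() -> scsi_host_dev_release() */
    return bad;
}
```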

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9.273 (including) 4.9.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.237 (including) 4.14.240 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.195 (including) 4.19.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.126 (including) 5.4.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.44 (including) 5.10.52 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12.11 (including) 5.12.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.13.4 (excluding)
cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*