Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

scsi: target: core: Fix invalid memory access

nr_attrs should start counting from zero, otherwise we will end up
dereferencing an invalid memory address.

$ targetcli /loopback create

general protection fault
RIP: 0010:configfs_create_file+0x12/0x70
Call Trace:
<TASK>
configfs_attach_item.part.0+0x5f/0x150
configfs_attach_group.isra.0+0x49/0x120
configfs_mkdir+0x24f/0x4d0
vfs_mkdir+0x192/0x240
do_mkdirat+0x131/0x160
__x64_sys_mkdir+0x48/0x70
do_syscall_64+0x5c/0x90

Fixes: 31177b74790c ("scsi: target: core: Add RTPI attribute for target port")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20230407130033.556644-1-mlombard@redhat.com
Acked-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Authored by Maurizio Lombardi and committed by Martin K. Petersen
a0fde512 dc70c961

+3 -4
drivers/target/target_core_fabric_configfs.c
··· 885 885 { 886 886 struct config_item_type *cit = &tf->tf_tpg_base_cit; 887 887 struct configfs_attribute **attrs = NULL; 888 - size_t nr_attrs = 1; 888 + size_t nr_attrs = 0; 889 889 int i = 0; 890 890 891 891 if (tf->tf_ops->tfc_tpg_base_attrs) ··· 895 895 if (tf->tf_ops->fabric_enable_tpg) 896 896 nr_attrs++; 897 897 898 - if (nr_attrs == 0) 899 - goto done; 898 + /* + 1 for target_fabric_tpg_base_attr_rtpi */ 899 + nr_attrs++; 900 900 901 901 /* + 1 for final NULL in the array */ 902 902 attrs = kcalloc(nr_attrs + 1, sizeof(*attrs), GFP_KERNEL); ··· 912 912 913 913 attrs[i++] = &target_fabric_tpg_base_attr_rtpi; 914 914 915 - done: 916 915 cit->ct_item_ops = &target_fabric_tpg_base_item_ops; 917 916 cit->ct_attrs = attrs; 918 917 cit->ct_owner = tf->tf_ops->module;
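Review bot: In the hunk at lines 895-902, the new `nr_attrs++` at line 899 and the slot it reserves (`attrs[i++] = &target_fabric_tpg_base_attr_rtpi;` at line 913) are tied together only by the "+ 1 for target_fabric_tpg_base_attr_rtpi" comment. Consider adding a check after the last `attrs[i++]` that `i == nr_attrs` (a `WARN_ON` would do), so that an attribute later added to the count or to the fill but not both is reported where the array is built, rather than surfacing as the `configfs_create_file` fault shown in the commit message.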
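Review bot: In the hunk at lines 912-918, with the `done:` label removed at line 915 the `= NULL` initializer on `attrs` at line 887 no longer has a visible purpose: the deleted `goto done` was the only path in the shown lines that reached `cit->ct_attrs = attrs;` without first passing the `kcalloc()` assignment at line 902. Consider dropping the initializer in this patch so the compiler can flag any future path that uses `attrs` before it is allocated.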