The TCM_LOOP LUN creation process calls device_register() to create the
device, which in turn invokes tcm_loop_driver_probe() registered with
the TCM_LOOP bus to create and register the scsi_host. However, if the
scsi_host memory allocation fails or scsi_add_host() fails, the
device_register() process still returns success. Subsequently, when the
user binds the LUN to a specific backend device, it accesses the NULL or
freed scsi_host.
Crash Call Trace:
RIP: 0010:scsi_is_host_device+0x7/0x20
scsi_alloc_target+0x32/0x2c0
__scsi_add_device+0x41/0xf0
scsi_add_device+0xd/0x30
tcm_loop_port_link+0x25/0x50 [tcm_loop]
target_fabric_port_link+0x9c/0xb0 [target_core_mod]
...
This issue is fixed by:
1. Setting the tcm_loop_hba's scsi_host to NULL, if scsi_add_host()
fails.
2. Checking the tcm_loop_hba's scsi_host after device_register().
3. Checking the tcm_loop_hba's scsi_host in tcm_loop_driver_remove().
Fixes: 3703b2c5d0 ("[SCSI] tcm_loop: Add multi-fabric Linux/SCSI LLD fabric module")
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20260424013923.25998-1-kanie@linux.alibaba.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
b71cb088b2