From: Bart Van Assche <bvanassche@acm.org>
To: "Guilherme G. Piccoli" <gpiccoli@canonical.com>,
linux-block@vger.kernel.org, linux-raid@vger.kernel.org
Cc: dm-devel@redhat.com, axboe@kernel.dk, gavin.guo@canonical.com,
jay.vosburgh@canonical.com, kernel@gpiccoli.net,
stable@vger.kernel.org
Subject: Re: [PATCH 1/2] block: Fix a NULL pointer dereference in generic_make_request()
Date: Tue, 30 Apr 2019 15:55:25 -0700
Message-ID: <1556664925.161891.183.camel@acm.org>
In-Reply-To: <20190430223722.20845-1-gpiccoli@canonical.com>

On Tue, 2019-04-30 at 19:37 -0300, Guilherme G. Piccoli wrote:
> Commit 37f9579f4c31 ("blk-mq: Avoid that submitting a bio concurrently
> with device removal triggers a crash") introduced a NULL pointer
> dereference in generic_make_request(). The patch sets q to NULL and
> enter_succeeded to false; right after, there's an 'if (enter_succeeded)'
> which is not taken, and then the 'else' will dereference q in
> blk_queue_dying(q).
>
> This patch just moves the 'q = NULL' to a point in which it won't trigger
> the oops, although the semantics of this NULLification remains untouched.
>
> A simple test case/reproducer is as follows:
> a) Build kernel v5.1-rc7 with CONFIG_BLK_CGROUP=n.
>
> b) Create a raid0 md array with 2 NVMe devices as members, and mount it
> with an ext4 filesystem.
>
> c) Run the following oneliner (supposing the raid0 is mounted in /mnt):
> (dd of=/mnt/tmp if=/dev/zero bs=1M count=999 &); sleep 0.3;
> echo 1 > /sys/block/nvme0n1/device/device/remove
> (whereas nvme0n1 is the 2nd array member)

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
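
The ordering problem described in the quoted commit message, as an added userspace C model that is not part of this thread or of the kernel source. All struct, enum and function names are hypothetical, and the NOWAIT branch in the error path is an assumption about the surrounding code:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; all names here are hypothetical, not kernel identifiers. */
struct model_queue { bool dying; };
enum outcome { SUBMITTED, WOULDBLOCK_ERROR, IO_ERROR, NULL_DEREF };

/* Stands in for the 'else' branch that calls blk_queue_dying(q); reports a
 * NULL q instead of faulting. The NOWAIT distinction is an assumption. */
static enum outcome error_path(const struct model_queue *q, bool nowait)
{
    if (q == NULL)
        return NULL_DEREF;            /* the kernel would oops here */
    return (!q->dying && nowait) ? WOULDBLOCK_ERROR : IO_ERROR;
}

/* Ordering the commit message describes: q is cleared when entering the
 * queue fails, and the error path then reads it. */
enum outcome submit_before(struct model_queue *disk_q, bool enter_ok, bool nowait)
{
    struct model_queue *q = disk_q;
    bool enter_succeeded = true;
    if (!enter_ok) {
        enter_succeeded = false;
        q = NULL;
    }
    return enter_succeeded ? SUBMITTED : error_path(q, nowait);
}

/* Ordering after the fix: q = NULL happens only after the last read of q. */
enum outcome submit_after(struct model_queue *disk_q, bool enter_ok, bool nowait)
{
    struct model_queue *q = disk_q;
    bool enter_succeeded = enter_ok;
    enum outcome r = enter_succeeded ? SUBMITTED : error_path(q, nowait);
    if (!enter_succeeded)
        q = NULL;                     /* same NULLification, moved later */
    (void)q;
    return r;
}

int main(void)
{
    struct model_queue removed = { .dying = true };  /* constructed input */
    printf("before=%d after=%d\n", submit_before(&removed, false, false),
           submit_after(&removed, false, false));
    return 0;
}
```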