[PATCH] loop: fix NULL dereference if mount fails

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Alexey Dobriyan <adobriyan@gmail.com>
To: akpm@linux-foundation.org, viro@zeniv.linux.org.uk
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] loop: fix NULL dereference if mount fails
Date: Tue, 13 Oct 2009 05:38:15 +0400	[thread overview]
Message-ID: <20091013013815.GA8087@x200> (raw)

Commit bb21488482bd36eae6b30b014d93619063773fd4 ("[PATCH] switch loop")
started to pass NULL bdev to ioctl hook.

Steps to reproduce:

	[boot with loop.max_part=1]
	[mount -o loop something so mount fails]

BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8
IP: [<ffffffff811486ee>] blkdev_ioctl+0x2e/0xa30
PGD 0 
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/device:35/ACPI0003:00/power_supply/ACAD/online
CPU 0 
Modules linked in: zfs nvidia(P) [last unloaded: zfs]
Pid: 15177, comm: mount Tainted: P           2.6.32-rc4-zfs #2 Satellite X200
RIP: 0010:[<ffffffff811486ee>]  [<ffffffff811486ee>] blkdev_ioctl+0x2e/0xa30
RSP: 0018:ffff88003b3d5bb8  EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000125f RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88003b3d5ce8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffffffff000
R13: 0000000000000000 R14: ffff880071cef280 R15: 00000000000200da
FS:  00007fd77cfe7740(0000) GS:ffff880001600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000000b8 CR3: 0000000001001000 CR4: 00000000000026f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process mount (pid: 15177, threadinfo ffff88003b3d4000, task ffff88007572f920)
Stack:
 ffff88003b3d5c38 ffffffff812f95f5 ffff88007eeb6600 0000000000000000
<0> 0000000000000000 ffff88003b3d5c18 ffffffff811547d9 ffff88001bf11ef0
<0> 7fffffffffffffff ffff88001bf11ee8 ffff88001bf11ef0 0000000000000000
Call Trace:
 [<ffffffff812f95f5>] ? schedule_timeout+0x1f5/0x250
 [<ffffffff811547d9>] ? rb_insert_color+0x109/0x140
 [<ffffffff812fb754>] ? _spin_unlock_irq+0x14/0x40
 [<ffffffff812f84c6>] ? wait_for_common+0x66/0x170
 [<ffffffff8105a280>] ? default_wake_function+0x0/0x10
 [<ffffffff810f8258>] ioctl_by_bdev+0x38/0x50
 [<ffffffff811d2481>] loop_clr_fd+0x1e1/0x210
 [<ffffffff811d2522>] lo_release+0x72/0x80
 [<ffffffff810f934c>] __blkdev_put+0x1ac/0x1d0
 [<ffffffff810f937b>] blkdev_put+0xb/0x10
 [<ffffffff810f93b9>] blkdev_close+0x39/0x60
 [<ffffffff810ccef3>] __fput+0xd3/0x230
 [<ffffffff810cd06d>] fput+0x1d/0x30
 [<ffffffff810c9680>] filp_close+0x50/0x80
 [<ffffffff81061f11>] put_files_struct+0x81/0x100
 [<ffffffff81061fde>] exit_files+0x4e/0x60
 [<ffffffff81063ec5>] do_exit+0x6b5/0x730
 [<ffffffff8107b279>] ? up_read+0x9/0x10
 [<ffffffff8104c86e>] ? do_page_fault+0x18e/0x2a0
 [<ffffffff81063f81>] do_group_exit+0x41/0xc0
 [<ffffffff81064012>] sys_exit_group+0x12/0x20
 [<ffffffff81030deb>] system_call_fastpath+0x16/0x1b
Code: f8 48 89 e5 48 81 ec 30 01 00 00 48 89 5d d8 4c 89 6d e8 4c 89 65 e0 4c 89 75 f0 4c 89 7d f8 48 89 bd e8 fe ff ff 49 89 cd 89 f3 <49> 8b 88 b8 00 00 00 81 fa 68 12 00 00 0f 84 57 05 00 00 0f 86 
RIP  [<ffffffff811486ee>] blkdev_ioctl+0x2e/0xa30
 RSP <ffff88003b3d5bb8>
CR2: 00000000000000b8
---[ end trace c0b4d3c3118d1427 ]---
Fixing recursive fault but reboot is needed!

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---

 drivers/block/loop.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -949,7 +949,7 @@ static int loop_clr_fd(struct loop_device *lo, struct block_device *bdev)
 	lo->lo_state = Lo_unbound;
 	/* This is safe: open() is still holding a reference. */
 	module_put(THIS_MODULE);
-	if (max_part > 0)
+	if (max_part > 0 && bdev)
 		ioctl_by_bdev(bdev, BLKRRPART, 0);
 	mutex_unlock(&lo->lo_ctl_mutex);
 	/*

                 reply	other threads:[~2009-10-13  1:38 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091013013815.GA8087@x200 \
    --to=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.