From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mikulas Patocka <mpatocka@redhat.com>,
Tejun Heo <tj@kernel.org>, Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 3.4 31/39] block: fix a probe argument to blk_register_region
Date: Tue, 26 Nov 2013 16:56:55 -0800 [thread overview]
Message-ID: <20131127005621.229796789@linuxfoundation.org> (raw)
In-Reply-To: <20131127005619.011763867@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit a207f5937630dd35bd2550620bef416937a1365e upstream.
The probe function is supposed to return NULL on failure (as we can see in
kobj_lookup: kobj = probe(dev, index, data); ... if (kobj) return kobj;
However, in loop and brd, it returns negative error from ERR_PTR.
This causes a crash if we simulate disk allocation failure and run
less -f /dev/loop0 because the negative number is interpreted as a pointer:
BUG: unable to handle kernel NULL pointer dereference at 00000000000002b4
IP: [<ffffffff8118b188>] __blkdev_get+0x28/0x450
PGD 23c677067 PUD 23d6d1067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: loop hpfs nvidia(PO) ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_stats cpufreq_ondemand cpufreq_userspace cpufreq_powersave cpufreq_conservative hid_generic spadfs usbhid hid fuse raid0 snd_usb_audio snd_pcm_oss snd_mixer_oss md_mod snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib dmi_sysfs snd_rawmidi nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd soundcore lm85 hwmon_vid ohci_hcd ehci_pci ehci_hcd serverworks sata_svw libata acpi_cpufreq freq_table mperf ide_core usbcore kvm_amd kvm tg3 i2c_piix4 libphy microcode e100 usb_common ptp skge i2c_core pcspkr k10temp evdev floppy hwmon pps_core mii rtc_cmos button processor unix [last unloaded: nvidia]
CPU: 1 PID: 6831 Comm: less Tainted: P W O 3.10.15-devel #18
Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009
task: ffff880203cc6bc0 ti: ffff88023e47c000 task.ti: ffff88023e47c000
RIP: 0010:[<ffffffff8118b188>] [<ffffffff8118b188>] __blkdev_get+0x28/0x450
RSP: 0018:ffff88023e47dbd8 EFLAGS: 00010286
RAX: ffffffffffffff74 RBX: ffffffffffffff74 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88023e47dc18 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88023f519658
R13: ffffffff8118c300 R14: 0000000000000000 R15: ffff88023f519640
FS: 00007f2070bf7700(0000) GS:ffff880247400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000002b4 CR3: 000000023da1d000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
0000000000000002 0000001d00000000 000000003e47dc50 ffff88023f519640
ffff88043d5bb668 ffffffff8118c300 ffff88023d683550 ffff88023e47de60
ffff88023e47dc98 ffffffff8118c10d 0000001d81605698 0000000000000292
Call Trace:
[<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
[<ffffffff8118c10d>] blkdev_get+0x1dd/0x370
[<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
[<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
[<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
[<ffffffff8118c365>] blkdev_open+0x65/0x80
[<ffffffff8114d12e>] do_dentry_open.isra.18+0x23e/0x2f0
[<ffffffff8114d214>] finish_open+0x34/0x50
[<ffffffff8115e122>] do_last.isra.62+0x2d2/0xc50
[<ffffffff8115eb58>] path_openat.isra.63+0xb8/0x4d0
[<ffffffff81115a8e>] ? might_fault+0x4e/0xa0
[<ffffffff8115f4f0>] do_filp_open+0x40/0x90
[<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
[<ffffffff8116db85>] ? __alloc_fd+0xa5/0x1f0
[<ffffffff8114e45f>] do_sys_open+0xef/0x1d0
[<ffffffff8114e559>] SyS_open+0x19/0x20
[<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
Code: 44 00 00 55 48 89 e5 41 57 49 89 ff 41 56 41 89 d6 41 55 41 54 4c 8d 67 18 53 48 83 ec 18 89 75 cc e9 f2 00 00 00 0f 1f 44 00 00 <48> 8b 80 40 03 00 00 48 89 df 4c 8b 68 58 e8 d5
a4 07 00 44 89
RIP [<ffffffff8118b188>] __blkdev_get+0x28/0x450
RSP <ffff88023e47dbd8>
CR2: 00000000000002b4
---[ end trace bb7f32dbf02398dc ]---
The brd change should be backported to stable kernels starting with 2.6.25.
The loop change should be backported to stable kernels starting with 2.6.22.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/brd.c | 2 +-
drivers/block/loop.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -546,7 +546,7 @@ static struct kobject *brd_probe(dev_t d
mutex_lock(&brd_devices_mutex);
brd = brd_init_one(MINOR(dev) >> part_shift);
- kobj = brd ? get_disk(brd->brd_disk) : ERR_PTR(-ENOMEM);
+ kobj = brd ? get_disk(brd->brd_disk) : NULL;
mutex_unlock(&brd_devices_mutex);
*part = 0;
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1743,7 +1743,7 @@ static struct kobject *loop_probe(dev_t
if (err < 0)
err = loop_add(&lo, MINOR(dev) >> part_shift);
if (err < 0)
- kobj = ERR_PTR(err);
+ kobj = NULL;
else
kobj = get_disk(lo->lo_disk);
mutex_unlock(&loop_index_mutex);
next prev parent reply other threads:[~2013-11-27 0:56 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-27 0:56 [PATCH 3.4 00/39] 3.4.71-stable review Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 01/39] vfs,proc: guarantee unique inodes in /proc Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 02/39] nfs: dont allow nfs_find_actor to match inodes of the wrong type Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 03/39] libertas: potential oops in debugfs Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 04/39] aacraid: prevent invalid pointer dereference Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 05/39] ACPICA: Interpreter: Fix Store() when implicit conversion is not possible Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 06/39] ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 07/39] ACPICA: Return error if DerefOf resolves to a null package element Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 08/39] ACPICA: Fix for a Store->ArgX when ArgX contains a reference to a field Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 09/39] USB: mos7840: fix tiocmget error handling Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 10/39] crypto: ansi_cprng - Fix off by one error in non-block size request Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 11/39] can: c_can: Fix RX message handling, handle lost message before EOB Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 12/39] 8139cp: re-enable interrupts after tx timeout Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 14/39] SUNRPC handle EKEYEXPIRED in call_refreshresult Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 15/39] SUNRPC: dont map EKEYEXPIRED to EACCES " Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 16/39] Nest rename_lock inside vfsmount_lock Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 17/39] exec: do not abuse ->cred_guard_mutex in threadgroup_lock() Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 18/39] include/linux/fs.h: disable preempt when acquire i_size_seqcount write lock Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 19/39] perf/ftrace: Fix paranoid level for enabling function tracer Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 20/39] rt2x00: check if device is still available on rt2x00mac_flush() Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 21/39] Revert "ima: policy for RAMFS" Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 22/39] exec/ptrace: fix get_dumpable() incorrect tests Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 23/39] ALSA: 6fire: Fix probe of multiple cards Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 24/39] ALSA: msnd: Avoid duplicated driver name Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 25/39] NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 26/39] nfsd: split up nfsd_setattr Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 27/39] nfsd: make sure to balance get/put_write_access Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 28/39] x86/microcode/amd: Tone down printk(), dont treat a missing firmware file as an error Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 29/39] hwmon: (lm90) Fix max6696 alarm handling Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 30/39] block: fix race between request completion and timeout handling Greg Kroah-Hartman
2013-11-27 0:56 ` Greg Kroah-Hartman [this message]
2013-11-27 0:56 ` [PATCH 3.4 32/39] block: properly stack underlying max_segment_size to DM device Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 33/39] powerpc/vio: use strcpy in modalias_show Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 34/39] powerpc/powernv: Add PE to its own PELTV Greg Kroah-Hartman
2013-11-27 0:56 ` [PATCH 3.4 35/39] powerpc/signals: Mark VSX not saved with small contexts Greg Kroah-Hartman
2013-11-27 0:57 ` [PATCH 3.4 36/39] SUNRPC: Fix a data corruption issue when retransmitting RPC calls Greg Kroah-Hartman
2013-11-27 0:57 ` [PATCH 3.4 37/39] rt2800usb: slow down TX status polling Greg Kroah-Hartman
2013-11-27 0:57 ` [PATCH 3.4 38/39] configfs: fix race between dentry put and lookup Greg Kroah-Hartman
2013-11-27 0:57 ` [PATCH 3.4 39/39] cris: media platform drivers: fix build Greg Kroah-Hartman
2013-11-27 4:14 ` [PATCH 3.4 00/39] 3.4.71-stable review Guenter Roeck
2013-11-27 22:29 ` Shuah Khan
2013-11-28 10:54 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131127005621.229796789@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.