From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Gonglei <arei.gonglei@huawei.com>,
Longpeng <longpeng2@huawei.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 22/42] virtio_pci: fix a NULL pointer reference in vp_del_vqs
Date: Thu, 9 May 2019 20:42:11 +0200
Message-ID: <20190509181257.144468524@linuxfoundation.org>
In-Reply-To: <20190509181252.616018683@linuxfoundation.org>
[ Upstream commit 6a8aae68c87349dbbcd46eac380bc43cdb98a13b ]
If the msix_affinity_masks allocation failed, then we'll
try to free some resources in vp_free_vectors() that may
access it directly.
We met the following stack in our production environment:
[ 29.296767] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 29.311151] IP: [<ffffffffc04fe35a>] vp_free_vectors+0x6a/0x150 [virtio_pci]
[ 29.324787] PGD 0
[ 29.333224] Oops: 0000 [#1] SMP
[...]
[ 29.425175] RIP: 0010:[<ffffffffc04fe35a>] [<ffffffffc04fe35a>] vp_free_vectors+0x6a/0x150 [virtio_pci]
[ 29.441405] RSP: 0018:ffff9a55c2dcfa10 EFLAGS: 00010206
[ 29.453491] RAX: 0000000000000000 RBX: ffff9a55c322c400 RCX: 0000000000000000
[ 29.467488] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a55c322c400
[ 29.481461] RBP: ffff9a55c2dcfa20 R08: 0000000000000000 R09: ffffc1b6806ff020
[ 29.495427] R10: 0000000000000e95 R11: 0000000000aaaaaa R12: 0000000000000000
[ 29.509414] R13: 0000000000010000 R14: ffff9a55bd2d9e98 R15: ffff9a55c322c400
[ 29.523407] FS: 00007fdcba69f8c0(0000) GS:ffff9a55c2840000(0000) knlGS:0000000000000000
[ 29.538472] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.551621] CR2: 0000000000000000 CR3: 000000003ce52000 CR4: 00000000003607a0
[ 29.565886] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.580055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.594122] Call Trace:
[ 29.603446] [<ffffffffc04fe8a2>] vp_request_msix_vectors+0xe2/0x260 [virtio_pci]
[ 29.618017] [<ffffffffc04fedc5>] vp_try_to_find_vqs+0x95/0x3b0 [virtio_pci]
[ 29.632152] [<ffffffffc04ff117>] vp_find_vqs+0x37/0xb0 [virtio_pci]
[ 29.645582] [<ffffffffc057bf63>] init_vq+0x153/0x260 [virtio_blk]
[ 29.658831] [<ffffffffc057c1e8>] virtblk_probe+0xe8/0x87f [virtio_blk]
[...]
Cc: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Longpeng <longpeng2@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/virtio/virtio_pci_common.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
index 1c4797e53f686..80a3704939cdc 100644
--- a/drivers/virtio/virtio_pci_common.c
+++ b/drivers/virtio/virtio_pci_common.c
@@ -254,9 +254,11 @@ void vp_del_vqs(struct virtio_device *vdev)
for (i = 0; i < vp_dev->msix_used_vectors; ++i)
free_irq(pci_irq_vector(vp_dev->pci_dev, i), vp_dev);
- for (i = 0; i < vp_dev->msix_vectors; i++)
- if (vp_dev->msix_affinity_masks[i])
- free_cpumask_var(vp_dev->msix_affinity_masks[i]);
+ if (vp_dev->msix_affinity_masks) {
+ for (i = 0; i < vp_dev->msix_vectors; i++)
+ if (vp_dev->msix_affinity_masks[i])
+ free_cpumask_var(vp_dev->msix_affinity_masks[i]);
+ }
if (vp_dev->msix_enabled) {
/* Disable the vector used for configuration */
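Review bot: the guard at `if (vp_dev->msix_affinity_masks)` stops the NULL indexing, but the loop still trusts `vp_dev->msix_vectors` as the length of the mask array and nothing in this hunk resets that count when allocation fails; the failure path the commit message describes (count already set, array never allocated) is safe now only because the pointer happens to be NULL, so consider also clearing `msix_vectors` in the error path, or assigning the count only after the array exists, so the two fields can never disagree. Separately, the oops in the description is in vp_free_vectors() while this hunk patches vp_del_vqs(); a one-line remark in the backport message that in 4.14 the mask-freeing loop lives in vp_del_vqs() would save stable reviewers a lookup.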
--
2.20.1
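The failure mode in the patch above is a cleanup routine that assumes every field it tears down was fully initialised. The following is an added example, not code from the kernel or from this patch: it models vp_request_msix_vectors()/vp_del_vqs() as a small user-space program with a fault-injecting allocator, so the two partial states (count set but array missing, array allocated but only partly filled) can be driven on demand and checked for both crash-freedom and leaks. The struct, the demo_alloc/demo_free helpers, the scenario function and the allocation-failure counter are all assumptions made for this demo; only the field names mirror the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for cpumask_var_t: a plain heap block (demo assumption). */
typedef unsigned long *cpumask_var_t;

struct vp_device {                        /* demo model of virtio_pci_device */
    unsigned int msix_vectors;            /* vectors we planned for */
    cpumask_var_t *msix_affinity_masks;   /* NULL until allocated */
};

/* Fault injection: the Nth allocation (1-based) returns NULL; 0 disables. */
static unsigned int fail_on_alloc;
static unsigned int alloc_count;
static unsigned int live_allocs;
/* Recorded on the error path: was msix_vectors > 0 while the array was NULL?
 * That is the state the pre-fix loop would have indexed through. */
static bool failure_state_had_null_array;

static void *demo_alloc(size_t n)
{
    if (++alloc_count == fail_on_alloc)
        return NULL;
    live_allocs++;
    return calloc(1, n);
}

static void demo_free(void *p)
{
    if (!p)
        return;
    live_allocs--;
    free(p);
}

/* Cleanup shaped like vp_del_vqs() after the fix: the per-vector loop runs
 * only when the mask array exists, then every field returns to zero. */
static void vp_del_vqs_fixed(struct vp_device *dev)
{
    unsigned int i;

    if (dev->msix_affinity_masks) {
        for (i = 0; i < dev->msix_vectors; i++)
            if (dev->msix_affinity_masks[i])
                demo_free(dev->msix_affinity_masks[i]);
        demo_free(dev->msix_affinity_masks);
        dev->msix_affinity_masks = NULL;
    }
    dev->msix_vectors = 0;
}

/* Setup shaped like vp_request_msix_vectors(): the count is written before the
 * array it describes exists, so any failure in between yields the bug state. */
static int vp_request_msix_vectors(struct vp_device *dev, unsigned int nvectors)
{
    unsigned int i;

    dev->msix_vectors = nvectors;
    dev->msix_affinity_masks =
        demo_alloc(nvectors * sizeof(*dev->msix_affinity_masks));
    if (!dev->msix_affinity_masks)
        goto error;
    for (i = 0; i < nvectors; i++) {
        dev->msix_affinity_masks[i] = demo_alloc(sizeof(unsigned long));
        if (!dev->msix_affinity_masks[i])
            goto error;
    }
    return 0;
error:
    failure_state_had_null_array =
        dev->msix_vectors > 0 && !dev->msix_affinity_masks;
    vp_del_vqs_fixed(dev);          /* unwind through the cleanup routine */
    return -ENOMEM;
}

/* One scenario: fail the Nth allocation (0 = none), then report whether the
 * device came back fully torn down with no leaked blocks. */
bool scenario_tears_down_cleanly(unsigned int nvectors, unsigned int fail_nth)
{
    struct vp_device dev;

    memset(&dev, 0, sizeof(dev));
    alloc_count = 0;
    live_allocs = 0;
    fail_on_alloc = fail_nth;
    failure_state_had_null_array = false;

    if (vp_request_msix_vectors(&dev, nvectors) == 0)
        vp_del_vqs_fixed(&dev);     /* normal teardown path */

    return live_allocs == 0 && dev.msix_affinity_masks == NULL &&
           dev.msix_vectors == 0;
}

int main(void)
{
    /* Allocation 1 is the mask array itself: the production oops case. */
    printf("array alloc fails: %d\n", scenario_tears_down_cleanly(4, 1)); /* 1 */
    /* Allocation 3 is the second per-vector mask: a partly filled array. */
    printf("mask alloc fails:  %d\n", scenario_tears_down_cleanly(4, 3)); /* 1 */
    printf("no failure:        %d\n", scenario_tears_down_cleanly(4, 0)); /* 1 */
    return 0;
}
```

Removing the `if (dev->msix_affinity_masks)` guard in vp_del_vqs_fixed() and running the first scenario reproduces the NULL dereference the commit message reports (here as a user-space segfault); the second scenario shows why the inner `if (dev->msix_affinity_masks[i])` check is still needed once the array exists but was only partly filled.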
Thread overview: 51+ messages
2019-05-09 18:41 [PATCH 4.14 00/42] 4.14.118-stable review Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 01/42] scsi: libsas: fix a race condition when smp task timeout Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 02/42] Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 03/42] ubsan: Fix nasty -Wbuiltin-declaration-mismatch GCC-9 warnings Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 04/42] staging: greybus: power_supply: fix prop-descriptor request size Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 05/42] ASoC: hdmi-codec: fix S/PDIF DAI Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 06/42] ASoC:soc-pcm:fix a codec fixup issue in TDM case Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 07/42] ASoC: nau8824: fix the issue of the widget with prefix name Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 08/42] ASoC: nau8810: fix the issue of widget with prefixed name Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 09/42] ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate Greg Kroah-Hartman
2019-05-09 18:41 ` [PATCH 4.14 10/42] ASoC: wm_adsp: Add locking to wm_adsp2_bus_error Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 11/42] ASoC: cs4270: Set auto-increment bit for register writes Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 12/42] IB/hfi1: Eliminate opcode tests on mr deref Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 13/42] MIPS: KGDB: fix kgdb support for SMP platforms Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 14/42] ASoC: tlv320aic32x4: Fix Common Pins Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 15/42] drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata() Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 16/42] perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 17/42] perf/x86/intel: Initialize TFA MSR Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 18/42] linux/kernel.h: Use parentheses around argument in u64_to_user_ptr() Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 19/42] xtensa: fix initialization of pt_regs::syscall in start_thread Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 20/42] ASoC: rockchip: pdm: fix regmap_ops hang issue Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 21/42] slab: fix a crash by reading /proc/slab_allocators Greg Kroah-Hartman
2019-05-09 18:42 ` Greg Kroah-Hartman [this message]
2019-05-09 18:42 ` [PATCH 4.14 23/42] RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 24/42] scsi: csiostor: fix missing data copy in csio_scsi_err_handler() Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 25/42] drm/mediatek: fix possible object reference leak Greg Kroah-Hartman
2019-05-09 18:42 ` Greg Kroah-Hartman
2019-05-09 18:42 ` Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 26/42] ASoC: Intel: kbl: fix wrong number of channels Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 27/42] virtio-blk: limit number of hw queues by nr_cpu_ids Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 28/42] platform/x86: pmc_atom: Drop __initconst on dmi table Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 29/42] iommu/amd: Set exclusion range correctly Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 30/42] genirq: Prevent use-after-free and work list corruption Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 31/42] usb: dwc3: Fix default lpm_nyet_threshold value Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 32/42] USB: serial: f81232: fix interrupt worker not stop Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 33/42] USB: cdc-acm: fix unthrottle races Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 34/42] usb-storage: Set virt_boundary_mask to avoid SG overflows Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 35/42] intel_th: pci: Add Comet Lake support Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 36/42] scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 37/42] Bluetooth: hidp: fix buffer overflow Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 38/42] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 39/42] UAS: fix alignment of scatter/gather segments Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 40/42] ASoC: Intel: avoid Oops if DMA setup fails Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 41/42] locking/futex: Allow low-level atomic operations to return -EAGAIN Greg Kroah-Hartman
2019-05-09 18:42 ` [PATCH 4.14 42/42] arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP Greg Kroah-Hartman
2019-05-09 23:27 ` [PATCH 4.14 00/42] 4.14.118-stable review kernelci.org bot
2019-05-10 8:45 ` Naresh Kamboju
2019-05-10 10:16 ` Jon Hunter
2019-05-10 10:16 ` Jon Hunter
2019-05-10 13:35 ` Guenter Roeck
2019-05-10 21:26 ` shuah