From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Damien Le Moal <dlemoal@kernel.org>,
Hannes Reinecke <hare@suse.de>,
John Garry <john.g.garry@oracle.com>,
Niklas Cassel <cassel@kernel.org>,
Oleksandr Tymoshenko <ovt@google.com>
Subject: [PATCH 6.1 20/71] ata: libata-core: Fix null pointer dereference on error
Date: Sun, 1 Sep 2024 18:17:25 +0200 [thread overview]
Message-ID: <20240901160802.650807619@linuxfoundation.org> (raw)
In-Reply-To: <20240901160801.879647959@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream.
If the ata_port_alloc() call in ata_host_alloc() fails,
ata_host_release() will get called.
However, the code in ata_host_release() tries to free ata_port struct
members unconditionally, which can lead to the following:
BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? page_fault_oops+0x15a/0x2f0
? exc_page_fault+0x7e/0x180
? asm_exc_page_fault+0x26/0x30
? ata_host_release.cold+0x2f/0x6e [libata]
? ata_host_release.cold+0x2f/0x6e [libata]
release_nodes+0x35/0xb0
devres_release_group+0x113/0x140
ata_host_alloc+0xed/0x120 [libata]
ata_host_alloc_pinfo+0x14/0xa0 [libata]
ahci_init_one+0x6c9/0xd20 [ahci]
Do not access ata_port struct members unconditionally.
Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5471,6 +5471,9 @@ static void ata_host_release(struct kref
for (i = 0; i < host->n_ports; i++) {
struct ata_port *ap = host->ports[i];
+ if (!ap)
+ continue;
+
kfree(ap->pmp_link);
kfree(ap->slave_link);
kfree(ap);
next prev parent reply other threads:[~2024-09-01 16:47 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-01 16:17 [PATCH 6.1 00/71] 6.1.108-rc1 review Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 01/71] drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 02/71] LoongArch: Remove the unused dma-direct.h Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 03/71] btrfs: run delayed iputs when flushing delalloc Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 04/71] smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 05/71] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 06/71] pinctrl: single: fix potential NULL dereference in pcs_get_function() Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 07/71] of: Add cleanup.h based auto release via __free(device_node) markings Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 08/71] wifi: wfx: repair open network AP mode Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 09/71] wifi: mwifiex: duplicate static structs used in driver instances Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 10/71] net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 11/71] mptcp: close subflow when receiving TCP+FIN Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 12/71] mptcp: sched: check both backup in retrans Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 13/71] mptcp: pm: skip connecting to already established sf Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 14/71] mptcp: pm: reset MPC endp ID when re-added Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 15/71] mptcp: pm: send ACK on an active subflow Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 16/71] mptcp: pm: do not remove already closed subflows Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 17/71] mptcp: pm: ADD_ADDR 0 is not a new address Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 18/71] drm/amdgpu: align pp_power_profile_mode with kernel docs Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 19/71] drm/amdgpu/swsmu: always force a state reprogram on init Greg Kroah-Hartman
2024-09-01 16:17 ` Greg Kroah-Hartman [this message]
2024-09-01 16:17 ` [PATCH 6.1 21/71] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration" Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 22/71] mmc: Avoid open coding by using mmc_op_tuning() Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 23/71] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 24/71] mptcp: unify pm get_local_id interfaces Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 25/71] mptcp: pm: remove mptcp_pm_remove_subflow() Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 26/71] mptcp: pm: only mark subflow endp as available Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 27/71] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 28/71] of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put() handling Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 29/71] thermal: of: Fix OF node leak in thermal_of_trips_init() error path Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 30/71] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 31/71] ASoC: amd: acp: fix module autoloading Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 32/71] ASoC: SOF: amd: Fix for acp init sequence Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 33/71] pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 34/71] mm: Fix missing folio invalidation calls during truncation Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 35/71] btrfs: fix extent map use-after-free when adding pages to compressed bio Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 36/71] soundwire: stream: fix programming slave ports for non-continous port maps Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 37/71] phy: xilinx: add runtime PM support Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 38/71] phy: xilinx: phy-zynqmp: dynamic clock support for power-save Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 39/71] phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 40/71] dmaengine: dw: Add peripheral bus width verification Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 41/71] dmaengine: dw: Add memory " Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 42/71] Bluetooth: hci_core: Fix not handling hibernation actions Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 43/71] iommu: Do not return 0 from map_pages if it doesnt do anything Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 44/71] netfilter: nf_tables: restore IP sanity checks for netdev/egress Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 45/71] wifi: iwlwifi: fw: fix wgds rev 3 exact size Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 46/71] ethtool: check device is present when getting link settings Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 47/71] netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 48/71] selftests: forwarding: no_forwarding: Down ports on cleanup Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 49/71] selftests: forwarding: local_termination: " Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 50/71] bonding: implement xdo_dev_state_free and call it after deletion Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 51/71] gtp: fix a potential NULL pointer dereference Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 52/71] sctp: fix association labeling in the duplicate COOKIE-ECHO case Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 53/71] drm/amd/display: avoid using null object of framebuffer Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.1 54/71] net: busy-poll: use ktime_get_ns() instead of local_clock() Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 55/71] nfc: pn533: Add poll mod list filling check Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 56/71] soc: qcom: cmd-db: Map shared memory as WC, not WB Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 57/71] cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 58/71] USB: serial: option: add MeiG Smart SRM825L Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 59/71] usb: dwc3: omap: add missing depopulate in probe error path Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 60/71] usb: dwc3: core: Prevent USB core invalid event buffer address access Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 61/71] usb: dwc3: st: fix probed platform device ref count on probe error path Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 62/71] usb: dwc3: st: add missing depopulate in " Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 63/71] usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 64/71] usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 65/71] usb: cdnsp: fix for Link TRB with TC Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 66/71] phy: zynqmp: Enable reference clock correctly Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 67/71] igc: Fix reset adapter logics when tx mode change Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 68/71] igc: Fix qbv tx latency by setting gtxoffset Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 69/71] scsi: aacraid: Fix double-free on probe failure Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 70/71] apparmor: fix policy_unpack_test on big endian systems Greg Kroah-Hartman
2024-09-01 16:18 ` [PATCH 6.1 71/71] fbdev: offb: fix up missing cleanup.h Greg Kroah-Hartman
2024-09-02 7:10 ` [PATCH 6.1 00/71] 6.1.108-rc1 review Pavel Machek
2024-09-02 15:42 ` Naresh Kamboju
2024-09-02 18:55 ` Florian Fainelli
2024-09-03 7:23 ` Ron Economos
2024-09-03 8:44 ` Jon Hunter
2024-09-03 11:48 ` Mark Brown
2024-09-04 7:24 ` Yann Sionneau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240901160802.650807619@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cassel@kernel.org \
--cc=dlemoal@kernel.org \
--cc=hare@suse.de \
--cc=john.g.garry@oracle.com \
--cc=ovt@google.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.