From: Bart Van Assche <Bart.VanAssche@wdc.com>
To: Bart Van Assche <Bart.VanAssche@wdc.com>,
"mail@maciej.szmigiero.name" <mail@maciej.szmigiero.name>
Cc: "hch@lst.de" <hch@lst.de>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
"osandov@fb.com" <osandov@fb.com>,
"axboe@kernel.dk" <axboe@kernel.dk>
Subject: Re: [v2,4/6] pktcdvd: Check queue type before attaching to a queue
Date: Sun, 31 Dec 2017 00:53:16 +0000
Message-ID: <1514681596.11082.1.camel@wdc.com>
In-Reply-To: <d237f623-ce22-6360-306f-3460ddba25ef@maciej.szmigiero.name>
On Sat, 2017-12-30 at 22:41 +0100, Maciej S. Szmigiero wrote:
> This commit causes a NULL pointer dereference when adding a pktcdvd
> mapping.
>
> Reproducing it is simple:
> # pktsetup 1 /dev/cdrom
>
> Specifically, the NULL dereference happens inside bdev_get_queue(bdev),
> which is supposed to return bdev->bd_disk->queue, but in this case
> bdev->bd_disk is NULL.
Would it be possible to test the two attached patches?
Thanks,
Bart.
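The ordering problem in the report above, modelled in user space as an added example (this is not code from the pktcdvd patches or from the kernel): a device object handed out by a bdget()-like call has no disk attached until a blkdev_get()-like open succeeds, so reading the queue through it before the open dereferences NULL. The names model_bdev, model_bdget(), model_blkdev_get(), model_blkdev_put() and model_bdev_get_queue() are assumptions standing in for struct block_device, bdget(), blkdev_get(), blkdev_put() and bdev_get_queue(); the fixed function follows the order the first attached patch establishes and balances the open with a matching put on the error path.

```c
/* Added example, not code from the pktcdvd patches: a user-space model of the
 * open-before-check ordering that the first patch establishes.  All model_*
 * names are assumptions that stand in for the kernel APIs named in the patch. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_queue {
    bool scsi_passthrough;      /* models QUEUE_FLAG_SCSI_PASSTHROUGH */
};

struct model_disk {
    struct model_queue *queue;
};

struct model_bdev {
    struct model_disk *bd_disk; /* NULL until the device has been opened */
    int open_count;             /* taken by model_blkdev_get, dropped by model_blkdev_put */
};

/* Like bdget(): hands out the device object without opening it, so bd_disk
 * is still NULL here.  Reading bd_disk->queue at this stage is the crash. */
static struct model_bdev *model_bdget(struct model_bdev *dev)
{
    dev->bd_disk = NULL;
    dev->open_count = 0;
    return dev;
}

/* Like blkdev_get(): opening the device is what attaches the disk. */
static int model_blkdev_get(struct model_bdev *bdev, struct model_disk *disk)
{
    if (disk == NULL)
        return -ENODEV;         /* constructed failure: nothing backs the device */
    bdev->bd_disk = disk;
    bdev->open_count++;
    return 0;
}

/* Like blkdev_put(): undoes one successful model_blkdev_get(). */
static void model_blkdev_put(struct model_bdev *bdev)
{
    bdev->open_count--;
}

/* Like bdev_get_queue(): dereferences bd_disk, so it may only be called
 * after model_blkdev_get() has succeeded. */
static struct model_queue *model_bdev_get_queue(const struct model_bdev *bdev)
{
    return bdev->bd_disk->queue;
}

/* The fixed order: open first, check the queue type afterwards, and undo
 * the open on the error path.  Returns 0 or a negative errno. */
static int model_pkt_new_dev(struct model_bdev *dev, struct model_disk *disk)
{
    struct model_bdev *bdev = model_bdget(dev);
    int ret;

    if (!bdev)
        return -ENOMEM;
    ret = model_blkdev_get(bdev, disk);
    if (ret)
        return ret;
    if (!model_bdev_get_queue(bdev)->scsi_passthrough) {
        fprintf(stderr, "Attempt to register a non-SCSI queue\n");
        model_blkdev_put(bdev);  /* a put, not bdput(): balance the open above */
        return -EINVAL;
    }
    return 0;
}

/* Helpers that run one constructed scenario and report a single value. */
static int scenario_ret(bool passthrough, bool have_disk)
{
    struct model_queue q = { .scsi_passthrough = passthrough };
    struct model_disk disk = { .queue = &q };
    struct model_bdev dev;
    return model_pkt_new_dev(&dev, have_disk ? &disk : NULL);
}

static int scenario_open_count(bool passthrough, bool have_disk)
{
    struct model_queue q = { .scsi_passthrough = passthrough };
    struct model_disk disk = { .queue = &q };
    struct model_bdev dev;
    (void)model_pkt_new_dev(&dev, have_disk ? &disk : NULL);
    return dev.open_count;      /* must be 1 on success, 0 on every error path */
}

int main(void)
{
    printf("passthrough disk: ret=%d open_count=%d\n",
           scenario_ret(true, true), scenario_open_count(true, true));
    printf("non-passthrough disk: ret=%d open_count=%d\n",
           scenario_ret(false, true), scenario_open_count(false, true));
    printf("no disk: ret=%d open_count=%d\n",
           scenario_ret(true, false), scenario_open_count(true, false));
    return 0;
}
```

The check worth keeping from this model is the last one: whichever branch returns an error, the open count must be back at zero, which is exactly what the switch from bdput() to blkdev_put() in the patch guarantees once blkdev_get() precedes the queue-type test.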
[-- Attachment #2: 0001-pktcdvd-Fix-a-recently-introduced-NULL-pointer-deref.patch --]
[-- Type: text/x-patch; name="0001-pktcdvd-Fix-a-recently-introduced-NULL-pointer-deref.patch", Size: 1348 bytes --]
From 8ef0308718a3f3f60c0c6983d3ff606ac8d3db8d Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Sat, 30 Dec 2017 15:28:25 -0800
Subject: [PATCH 1/2] pktcdvd: Fix a recently introduced NULL pointer
dereference
Reported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: commit ca18d6f769d2 ("block: Make most scsi_req_init() calls implicit")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org> # v4.13
---
drivers/block/pktcdvd.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 67974796c350..fc8a80ec90e5 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2579,14 +2579,14 @@ static int pkt_new_dev(struct pktcdvd_device *pd, dev_t dev)
bdev = bdget(dev);
if (!bdev)
return -ENOMEM;
+ ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
+ if (ret)
+ return ret;
if (!blk_queue_scsi_passthrough(bdev_get_queue(bdev))) {
WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
- bdput(bdev);
+ blkdev_put(bdev, FMODE_READ | FMODE_NDELAY);
return -EINVAL;
}
- ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
- if (ret)
- return ret;
/* This is safe, since we have a reference from open(). */
__module_get(THIS_MODULE);
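Review bot: the commit message has no body, so the reason for reordering is not recorded anywhere in the patch itself; the Subject and Fixes: lines say what is fixed but not that, as the report in the parent mail states, bdev->bd_disk is still NULL right after bdget(), which is why bdev_get_queue() must only run once blkdev_get() has succeeded. One sentence to that effect would let stable reviewers judge the v4.13 backport without the mail thread. The error-path change from `bdput(bdev)` to `blkdev_put(bdev, FMODE_READ | FMODE_NDELAY)` is consistent with the new order, since a successful blkdev_get() now precedes the check and must be undone with the same mode flags.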
--
2.15.1
[-- Attachment #3: 0002-pktcdvd-Fix-pkt_setup_dev-error-path.patch --]
[-- Type: text/x-patch; name="0002-pktcdvd-Fix-pkt_setup_dev-error-path.patch", Size: 848 bytes --]
From 3192cc5f62b3ba9f866bcb245d21231a39745d8d Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Sat, 30 Dec 2017 16:44:35 -0800
Subject: [PATCH 2/2] pktcdvd: Fix pkt_setup_dev() error path
Since disk_release(disk) calls blk_put_queue() if disk->queue != NULL,
clear disk->queue before calling put_disk().
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: <stable@vger.kernel.org>
---
drivers/block/pktcdvd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index fc8a80ec90e5..c5e930d23a63 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2765,6 +2765,7 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev)
out_new_dev:
blk_cleanup_queue(disk->queue);
+ disk->queue = NULL;
out_mem2:
put_disk(disk);
out_mem:
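Review bot: the Cc: stable line carries no version and there is no Fixes: tag, so it is not clear which releases the backport targets; if this double drop of the queue reference was introduced by the same commit as patch 1, a Fixes: line naming it would say so. The change itself matches the description: blk_cleanup_queue(disk->queue) already drops the queue reference on the out_new_dev path, and clearing disk->queue keeps disk_release() from dropping it again when put_disk(disk) runs via out_mem2.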
--
2.15.1