Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-04-21 08:41:57 +0200
committerJiri Slaby <jslaby@suse.cz>2019-04-21 08:42:32 +0200
commit1d4840b126bc3a3229e00eaa4b81a2cd14a8cf61 (patch)
tree86d9eef616d0312d5e18bcc58b479abaf90aae42
parent38a4bd7120efb1faa0edffde3276fa2df19d61c0 (diff)
paride/pcd: Fix potential NULL pointer dereference and mem leak
-rw-r--r--patches.kernel.org/5.0.9-093-paride-pcd-Fix-potential-NULL-pointer-dereferen.patch126
-rw-r--r--series.conf1
2 files changed, 127 insertions, 0 deletions
diff --git a/patches.kernel.org/5.0.9-093-paride-pcd-Fix-potential-NULL-pointer-dereferen.patch b/patches.kernel.org/5.0.9-093-paride-pcd-Fix-potential-NULL-pointer-dereferen.patch
new file mode 100644
index 0000000000..3df79fd910
--- /dev/null
+++ b/patches.kernel.org/5.0.9-093-paride-pcd-Fix-potential-NULL-pointer-dereferen.patch
@@ -0,0 +1,126 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 5 Apr 2019 10:14:58 +0800
+Subject: [PATCH] paride/pcd: Fix potential NULL pointer dereference and mem
+ leak
+References: bnc#1012628
+Patch-mainline: 5.0.9
+Git-commit: f0d1762554014ce0ae347b9f0d088f2c157c8c72
+
+[ Upstream commit f0d1762554014ce0ae347b9f0d088f2c157c8c72 ]
+
+Syzkaller report this:
+
+pcd: pcd version 1.07, major 46, nice 0
+pcd0: Autoprobe failed
+pcd: No CD-ROM drive found
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+CPU: 1 PID: 4525 Comm: syz-executor.0 Not tainted 5.1.0-rc3+ #8
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+RIP: 0010:pcd_init+0x95c/0x1000 [pcd]
+Code: c4 ab f7 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 56 a3 da f7 4c 8b 23 49 8d bc 24 80 05 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 74 05 e8 39 a3 da f7 49 8b bc 24 80 05 00 00 e8 cc b2
+RSP: 0018:ffff8881e84df880 EFLAGS: 00010202
+RAX: 00000000000000b0 RBX: ffffffffc155a088 RCX: ffffffffc1508935
+RDX: 0000000000040000 RSI: ffffc900014f0000 RDI: 0000000000000580
+RBP: dffffc0000000000 R08: ffffed103ee658b8 R09: ffffed103ee658b8
+R10: 0000000000000001 R11: ffffed103ee658b7 R12: 0000000000000000
+R13: ffffffffc155a778 R14: ffffffffc155a4a8 R15: 0000000000000003
+FS: 00007fe71bee3700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055a7334441a8 CR3: 00000001e9674003 CR4: 00000000007606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ ? 0xffffffffc1508000
+ ? 0xffffffffc1508000
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe71bee2c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 00007fe71bee2c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe71bee36bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+Modules linked in: pcd(+) paride solos_pci atm ts_fsm rtc_mt6397 mac80211 nhc_mobility nhc_udp nhc_ipv6 nhc_hop nhc_dest nhc_fragment nhc_routing 6lowpan rtc_cros_ec memconsole intel_xhci_usb_role_switch roles rtc_wm8350 usbcore industrialio_triggered_buffer kfifo_buf industrialio asc7621 dm_era dm_persistent_data dm_bufio dm_mod tpm gnss_ubx gnss_serial serdev gnss max2165 cpufreq_dt hid_penmount hid menf21bmc_wdt rc_core n_tracesink ide_gd_mod cdns_csi2tx v4l2_fwnode videodev media pinctrl_lewisburg pinctrl_intel iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd
+ ide_pci_generic piix input_leds cryptd glue_helper psmouse ide_core intel_agp serio_raw intel_gtt ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: bmc150_magn]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace d873691c3cd69f56 ]---
+
+If alloc_disk fails in pcd_init_units, cd->disk will be
+NULL, however in pcd_detect and pcd_exit, it's not check
+this before free.It may result a NULL pointer dereference.
+
+Also when register_blkdev failed, blk_cleanup_queue() and
+blk_mq_free_tag_set() should be called to free resources.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 81b74ac68c28 ("paride/pcd: cleanup queues when detection fails")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/block/paride/pcd.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index 377a694dc228..6d415b20fb70 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -314,6 +314,7 @@ static void pcd_init_units(void)
+ disk->queue = blk_mq_init_sq_queue(&cd->tag_set, &pcd_mq_ops,
+ 1, BLK_MQ_F_SHOULD_MERGE);
+ if (IS_ERR(disk->queue)) {
++ put_disk(disk);
+ disk->queue = NULL;
+ continue;
+ }
+@@ -750,6 +751,8 @@ static int pcd_detect(void)
+
+ printk("%s: No CD-ROM drive found\n", name);
+ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
++ if (!cd->disk)
++ continue;
+ blk_cleanup_queue(cd->disk->queue);
+ cd->disk->queue = NULL;
+ blk_mq_free_tag_set(&cd->tag_set);
+@@ -1010,8 +1013,14 @@ static int __init pcd_init(void)
+ pcd_probe_capabilities();
+
+ if (register_blkdev(major, name)) {
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
++ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
++ if (!cd->disk)
++ continue;
++
++ blk_cleanup_queue(cd->disk->queue);
++ blk_mq_free_tag_set(&cd->tag_set);
+ put_disk(cd->disk);
++ }
+ return -EBUSY;
+ }
+
+@@ -1032,6 +1041,9 @@ static void __exit pcd_exit(void)
+ int unit;
+
+ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
++ if (!cd->disk)
++ continue;
++
+ if (cd->present) {
+ del_gendisk(cd->disk);
+ pi_release(cd->pi);
+--
+2.21.0
+
diff --git a/series.conf b/series.conf
index 033a141cd1..7a82647303 100644
--- a/series.conf
+++ b/series.conf
@@ -1040,6 +1040,7 @@
patches.kernel.org/5.0.9-090-bpf-fix-use-after-free-in-bpf_evict_inode.patch
patches.kernel.org/5.0.9-091-IB-hfi1-Failed-to-drain-send-queue-when-QP-is-p.patch
patches.kernel.org/5.0.9-092-paride-pf-Fix-potential-NULL-pointer-dereferenc.patch
+ patches.kernel.org/5.0.9-093-paride-pcd-Fix-potential-NULL-pointer-dereferen.patch
########################################################
# Build fixes that apply to the vanilla kernel too.