linux_dsm_epyc7002/drivers/block
YueHaibing 58ccd2d31e paride/pf: Fix potential NULL pointer dereference
Syzkaller report this:

pf: pf version 1.04, major 47, cluster 64, nice 0
pf: No ATAPI disk detected
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 9887 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:pf_init+0x7af/0x1000 [pf]
Code: 46 77 d2 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 03 25 a6 d2 4c 8b 23 49 8d bc 24 80 05 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 74 05 e8 e6 24 a6 d2 49 8b bc 24 80 05 00 00 e8 79 34
RSP: 0018:ffff8881abcbf998 EFLAGS: 00010202
RAX: 00000000000000b0 RBX: ffffffffc1e4a8a8 RCX: ffffffffaec50788
RDX: 0000000000039b10 RSI: ffffc9000153c000 RDI: 0000000000000580
RBP: dffffc0000000000 R08: ffffed103ee44e59 R09: ffffed103ee44e59
R10: 0000000000000001 R11: ffffed103ee44e58 R12: 0000000000000000
R13: ffffffffc1e4b028 R14: 0000000000000000 R15: 0000000000000020
FS:  00007f1b78a91700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6d72b207f8 CR3: 00000001d5790004 CR4: 00000000007606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? 0xffffffffc1e50000
 do_one_initcall+0xbc/0x47d init/main.c:901
 do_init_module+0x1b5/0x547 kernel/module.c:3456
 load_module+0x6405/0x8c10 kernel/module.c:3804
 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1b78a90c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007f1b78a90c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b78a916bc
R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
Modules linked in: pf(+) paride gpio_tps65218 tps65218 i2c_cht_wc ati_remote dc395x act_meta_skbtcindex act_ife ife ecdh_generic rc_xbox_dvd sky81452_regulator v4l2_fwnode leds_blinkm snd_usb_hiface comedi(C) aes_ti slhc cfi_cmdset_0020 mtd cfi_util sx8654 mdio_gpio of_mdio fixed_phy mdio_bitbang libphy alcor_pci matrix_keymap hid_uclogic usbhid scsi_transport_fc videobuf2_v4l2 videobuf2_dma_sg snd_soc_pcm179x_spi snd_soc_pcm179x_codec i2c_demux_pinctrl mdev snd_indigodj isl6405 mii enc28j60 cmac adt7316_i2c(C) adt7316(C) fmc_trivial fmc nf_reject_ipv4 authenc rc_dtt200u rtc_ds1672 dvb_usb_dibusb_mc dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb dvb_core videobuf2_common videobuf2_vmalloc videobuf2_memops regulator_haptic adf7242 mac802154 ieee802154 s5h1409 da9034_ts snd_intel8x0m wmi cx24120 usbcore sdhci_cadence sdhci_pltfm sdhci mmc_core joydev i2c_algo_bit scsi_transport_iscsi iscsi_boot_sysfs ves1820 lockd grace nfs_acl auth_rpcgss sunrp
 c
 ip_vs snd_soc_adau7002 snd_cs4281 snd_rawmidi gameport snd_opl3_lib snd_seq_device snd_hwdep snd_ac97_codec ad7418 hid_primax hid snd_soc_cs4265 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore ti_adc108s102 eeprom_93cx6 i2c_algo_pca mlxreg_hotplug st_pressure st_sensors industrialio_triggered_buffer kfifo_buf industrialio v4l2_common videodev media snd_soc_adau_utils rc_pinnacle_grey rc_core pps_gpio leds_lm3692x nandcore ledtrig_pattern iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic aes_x86_64 piix crypto_simd input_leds psmouse cryp
 td
 glue_helper ide_core intel_agp serio_raw intel_gtt agpgart ata_generic i2c_piix4 pata_acpi parport_pc parport rtc_cmos floppy sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: paride]
Dumping ftrace buffer:
  (ftrace buffer empty)
---[ end trace 7a818cf5f210d79e ]---

If alloc_disk fails in pf_init_units, pf->disk will be
NULL, however in pf_detect and pf_exit, it's not check
this before free.It may result a NULL pointer dereference.

Also when register_blkdev failed, blk_cleanup_queue() and
blk_mq_free_tag_set() should be called to free resources.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 6ce59025f1 ("paride/pf: cleanup queues when detection fails")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>

Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-04-03 10:07:48 -06:00
..
aoe aoe: add __exit annotation 2018-12-16 09:01:38 -07:00
drbd for-4.21/block-20190102 2019-01-02 18:49:58 -08:00
mtip32xx for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
paride paride/pf: Fix potential NULL pointer dereference 2019-04-03 10:07:48 -06:00
rsxx pci-v4.20-changes 2018-10-25 06:50:48 -07:00
xen-blkback xen/blkback: rework connect_ring() to avoid inconsistent xenstore 'ring-page-order' set by malicious blkfront 2019-02-24 10:17:56 -05:00
zram drivers/block/zram/zram_drv.c: fix idle/writeback string compare 2019-03-29 10:01:37 -07:00
amiflop.c block/amiflop: Don't log error message on invalid ioctl 2018-12-31 10:19:11 -07:00
ataflop.c ataflop: implement mq_ops->commit_rqs() hook 2018-11-29 10:12:27 -07:00
brd.c block: brd: associate with queue until adding disk 2018-11-01 19:59:51 -06:00
cryptoloop.c block: cryptoloop: Remove VLA usage of skcipher 2018-09-28 12:46:07 +08:00
floppy.c for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
loop.c loop: access lo_backing_file only when the loop device is Lo_bound 2019-03-18 08:20:53 -06:00
loop.h block/loop: Use global lock for ioctl() operation. 2018-11-08 06:30:11 -07:00
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
nbd.c nbd: propagate genlmsg_reply return code 2019-02-28 14:06:37 -07:00
null_blk_main.c null_blk: fix checking for REQ_FUA 2019-02-28 14:03:03 -07:00
null_blk_zoned.c null_blk: Add conventional zone configuration for zoned support 2018-11-07 13:41:50 -07:00
null_blk.h null_blk: add zoned config support information 2019-01-06 10:58:27 -07:00
pktcdvd.c pktcdvd: remove queue_lock around blk_queue_max_hw_sectors 2018-11-16 09:16:59 -07:00
ps3disk.c ps3disk: convert to blk-mq 2018-10-15 20:07:56 -06:00
ps3vram.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
rbd_types.h rbd: RBD_V{1,2}_DATA_FORMAT macros 2017-02-20 12:16:15 +01:00
rbd.c rbd: drop wait_for_latest_osdmap() 2019-03-20 16:27:40 +01:00
skd_main.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
skd_s1120.h skd: Use __packed only when needed 2017-08-18 08:45:29 -06:00
sunvdc.c block: sunvdc: don't run hw queue synchronously from irq context 2019-01-03 08:21:47 -07:00
swim3.c block/swim3: Fix regression on PowerBook G3 2018-12-31 10:19:19 -07:00
swim_asm.S
swim.c swim: convert to blk-mq 2018-10-16 09:49:18 -06:00
sx8.c sx8: use a per-host tag_set 2018-11-09 08:14:14 -07:00
umem.c block: remove the lock argument to blk_alloc_queue_node 2018-11-15 12:13:35 -07:00
umem.h
virtio_blk.c virtio-blk: Consider virtio_max_dma_size() for maximum segment size 2019-03-06 11:19:26 -05:00
xen-blkfront.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
xsysace.c xsysace: convert to blk-mq 2018-10-15 20:08:24 -06:00
z2ram.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00