kernel-hacking-2024-linux-steffo

unimore/kernel-hacking-2024-linux-steffo

History

Mikulas Patocka a207f59376 block: fix a probe argument to blk_register_region The probe function is supposed to return NULL on failure (as we can see in kobj_lookup: kobj = probe(dev, index, data); ... if (kobj) return kobj; However, in loop and brd, it returns negative error from ERR_PTR. This causes a crash if we simulate disk allocation failure and run less -f /dev/loop0 because the negative number is interpreted as a pointer: BUG: unable to handle kernel NULL pointer dereference at 00000000000002b4 IP: [<ffffffff8118b188>] __blkdev_get+0x28/0x450 PGD 23c677067 PUD 23d6d1067 PMD 0 Oops: 0000 [#1] PREEMPT SMP Modules linked in: loop hpfs nvidia(PO) ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_stats cpufreq_ondemand cpufreq_userspace cpufreq_powersave cpufreq_conservative hid_generic spadfs usbhid hid fuse raid0 snd_usb_audio snd_pcm_oss snd_mixer_oss md_mod snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib dmi_sysfs snd_rawmidi nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd soundcore lm85 hwmon_vid ohci_hcd ehci_pci ehci_hcd serverworks sata_svw libata acpi_cpufreq freq_table mperf ide_core usbcore kvm_amd kvm tg3 i2c_piix4 libphy microcode e100 usb_common ptp skge i2c_core pcspkr k10temp evdev floppy hwmon pps_core mii rtc_cmos button processor unix [last unloaded: nvidia] CPU: 1 PID: 6831 Comm: less Tainted: P W O 3.10.15-devel #18 Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009 task: ffff880203cc6bc0 ti: ffff88023e47c000 task.ti: ffff88023e47c000 RIP: 0010:[<ffffffff8118b188>] [<ffffffff8118b188>] __blkdev_get+0x28/0x450 RSP: 0018:ffff88023e47dbd8 EFLAGS: 00010286 RAX: ffffffffffffff74 RBX: ffffffffffffff74 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88023e47dc18 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88023f519658 R13: ffffffff8118c300 R14: 0000000000000000 R15: ffff88023f519640 FS: 00007f2070bf7700(0000) GS:ffff880247400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000002b4 CR3: 000000023da1d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: 0000000000000002 0000001d00000000 000000003e47dc50 ffff88023f519640 ffff88043d5bb668 ffffffff8118c300 ffff88023d683550 ffff88023e47de60 ffff88023e47dc98 ffffffff8118c10d 0000001d81605698 0000000000000292 Call Trace: [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff8118c10d>] blkdev_get+0x1dd/0x370 [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50 [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60 [<ffffffff8118c365>] blkdev_open+0x65/0x80 [<ffffffff8114d12e>] do_dentry_open.isra.18+0x23e/0x2f0 [<ffffffff8114d214>] finish_open+0x34/0x50 [<ffffffff8115e122>] do_last.isra.62+0x2d2/0xc50 [<ffffffff8115eb58>] path_openat.isra.63+0xb8/0x4d0 [<ffffffff81115a8e>] ? might_fault+0x4e/0xa0 [<ffffffff8115f4f0>] do_filp_open+0x40/0x90 [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50 [<ffffffff8116db85>] ? __alloc_fd+0xa5/0x1f0 [<ffffffff8114e45f>] do_sys_open+0xef/0x1d0 [<ffffffff8114e559>] SyS_open+0x19/0x20 [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f Code: 44 00 00 55 48 89 e5 41 57 49 89 ff 41 56 41 89 d6 41 55 41 54 4c 8d 67 18 53 48 83 ec 18 89 75 cc e9 f2 00 00 00 0f 1f 44 00 00 <48> 8b 80 40 03 00 00 48 89 df 4c 8b 68 58 e8 d5 a4 07 00 44 89 RIP [<ffffffff8118b188>] __blkdev_get+0x28/0x450 RSP <ffff88023e47dbd8> CR2: 00000000000002b4 ---[ end trace bb7f32dbf02398dc ]--- The brd change should be backported to stable kernels starting with 2.6.25. The loop change should be backported to stable kernels starting with 2.6.22. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Tejun Heo <tj@kernel.org> Cc: stable@kernel.org # 2.6.22+ Signed-off-by: Jens Axboe <axboe@kernel.dk>		2013-11-08 08:59:39 -07:00
..
aoe	aoe: do not BUG if memory pressure prevented debugfs file creation	2013-09-11 15:59:28 -07:00
drbd	treewide: Add __GFP_NOWARN to k.alloc calls with v.alloc fallbacks	2013-08-20 13:06:40 +02:00
mtip32xx	Remove GENERIC_HARDIRQ config option	2013-09-13 15:09:52 +02:00
paride
rsxx
xen-blkback	block: replace strict_strtoul() with kstrtoul()	2013-09-11 15:56:56 -07:00
amiflop.c
ataflop.c
brd.c	block: fix a probe argument to blk_register_region	2013-11-08 08:59:39 -07:00
cciss.c	cciss: fix info leak in cciss_ioctl32_passthru()	2013-09-24 17:00:26 -07:00
cciss.h
cciss_cmd.h
cciss_scsi.c
cciss_scsi.h
cpqarray.c	cpqarray: fix info leak in ida_locked_ioctl()	2013-09-24 17:00:26 -07:00
cpqarray.h
cryptoloop.c	move linux/loop.h to drivers/block	2013-06-29 12:46:45 +04:00
DAC960.c
DAC960.h
floppy.c
hd.c
ida_cmd.h
ida_ioctl.h
Kconfig
loop.c	block: fix a probe argument to blk_register_region	2013-11-08 08:59:39 -07:00
loop.h	move linux/loop.h to drivers/block	2013-06-29 12:46:45 +04:00
Makefile
mg_disk.c	drivers/block/mg_disk.c: make mg_times_out() static	2013-09-11 15:56:59 -07:00
nbd.c	nbd: correct disconnect behavior	2013-07-03 16:08:05 -07:00
nvme-core.c	NVMe: Merge issue on character device bring-up	2013-09-06 16:26:58 -04:00
nvme-scsi.c
osdblk.c	block: replace strict_strtoul() with kstrtoul()	2013-09-11 15:56:56 -07:00
pktcdvd.c	pktcdvd: fix defective misuses of pkt_<level>	2013-09-11 15:59:34 -07:00
ps3disk.c
ps3vram.c
rbd.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client	2013-09-19 12:50:37 -05:00
rbd_types.h
smart1,2.h
sunvdc.c
swim.c	drivers/block/swim.c: remove unnecessary platform_set_drvdata()	2013-09-11 15:56:59 -07:00
swim3.c
swim_asm.S
sx8.c
umem.c
umem.h
virtio_blk.c
xen-blkfront.c	Merge branch 'stable/for-jens-3.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-3.11/drivers	2013-06-28 16:01:14 +02:00
xsysace.c	xilinx systemace: Fix sparse warnings	2013-07-10 07:47:12 +02:00
z2ram.c