linux-mtd.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
@ 2024-04-28  7:19 linan666
  2024-04-28  7:51 ` Zhihao Cheng
  0 siblings, 1 reply; 6+ messages in thread
From: linan666 @ 2024-04-28  7:19 UTC (permalink / raw)
  To: richard, miquel.raynal, vigneshr, axboe, chaitanya.kulkarni
  Cc: linux-mtd, linux-kernel, linan666, yukuai3, yi.zhang, houtao1, yangerkun

From: Li Nan <linan122@huawei.com>

Similar to commit adbf4c4954e3 ("ubi: block: fix memleak in
ubiblock_create()"), 'dev->gd' is not assigned but dereferenced if
blk_mq_alloc_tag_set() fails, and leading to a null-pointer-dereference.

Using 'gd' directly here is not a good idea, too. 'gd->part0.bd_device'
is not initialized at this point. The error log will be:
  block (null): block: dynamic minor allocation failed

Fix it by using pr_err() and print ubi id.

Fixes: 77567b25ab9f ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk")
Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/mtd/ubi/block.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
index f82e3423acb9..bf7308e8ec2f 100644
--- a/drivers/mtd/ubi/block.c
+++ b/drivers/mtd/ubi/block.c
@@ -390,7 +390,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
 
 	ret = blk_mq_alloc_tag_set(&dev->tag_set);
 	if (ret) {
-		dev_err(disk_to_dev(dev->gd), "blk_mq_alloc_tag_set failed");
+		pr_err("ubiblock%d_%d: blk_mq_alloc_tag_set failed\n",
+			dev->ubi_num, dev->vol_id);
 		goto out_free_dev;
 	}
 
@@ -407,8 +408,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
 	gd->minors = 1;
 	gd->first_minor = idr_alloc(&ubiblock_minor_idr, dev, 0, 0, GFP_KERNEL);
 	if (gd->first_minor < 0) {
-		dev_err(disk_to_dev(gd),
-			"block: dynamic minor allocation failed");
+		pr_err("ubiblock%d_%d: block: dynamic minor allocation failed\n",
+			dev->ubi_num, dev->vol_id);
 		ret = -ENODEV;
 		goto out_cleanup_disk;
 	}
-- 
2.39.2


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
  2024-04-28  7:19 [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create() linan666
@ 2024-04-28  7:51 ` Zhihao Cheng
  2024-05-06 13:35   ` Li Nan
  0 siblings, 1 reply; 6+ messages in thread
From: Zhihao Cheng @ 2024-04-28  7:51 UTC (permalink / raw)
  To: linan666, richard, miquel.raynal, vigneshr, axboe, chaitanya.kulkarni
  Cc: linux-mtd, linux-kernel, yukuai3, yi.zhang, houtao1, yangerkun

在 2024/4/28 15:19, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
> 
> Similar to commit adbf4c4954e3 ("ubi: block: fix memleak in
> ubiblock_create()"), 'dev->gd' is not assigned but dereferenced if
> blk_mq_alloc_tag_set() fails, and leading to a null-pointer-dereference.
> 
> Using 'gd' directly here is not a good idea, too. 'gd->part0.bd_device'
> is not initialized at this point. The error log will be:
>    block (null): block: dynamic minor allocation failed
> 
> Fix it by using pr_err() and print ubi id.
> 
> Fixes: 77567b25ab9f ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk")
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
>   drivers/mtd/ubi/block.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
> index f82e3423acb9..bf7308e8ec2f 100644
> --- a/drivers/mtd/ubi/block.c
> +++ b/drivers/mtd/ubi/block.c
> @@ -390,7 +390,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
>   
>   	ret = blk_mq_alloc_tag_set(&dev->tag_set);
>   	if (ret) {
> -		dev_err(disk_to_dev(dev->gd), "blk_mq_alloc_tag_set failed");
> +		pr_err("ubiblock%d_%d: blk_mq_alloc_tag_set failed\n",
> +			dev->ubi_num, dev->vol_id);
>   		goto out_free_dev;
>   	}
>   
> @@ -407,8 +408,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
>   	gd->minors = 1;
>   	gd->first_minor = idr_alloc(&ubiblock_minor_idr, dev, 0, 0, GFP_KERNEL);

There is no need to modify this place. The device of 'gd' is initialized 
in blk_mq_alloc_disk. Refer to nbd_dev_add.
>   	if (gd->first_minor < 0) {
> -		dev_err(disk_to_dev(gd),
> -			"block: dynamic minor allocation failed");
> +		pr_err("ubiblock%d_%d: block: dynamic minor allocation failed\n",
> +			dev->ubi_num, dev->vol_id);
>   		ret = -ENODEV;
>   		goto out_cleanup_disk;
>   	}
> 


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
  2024-04-28  7:51 ` Zhihao Cheng
@ 2024-05-06 13:35   ` Li Nan
  0 siblings, 0 replies; 6+ messages in thread
From: Li Nan @ 2024-05-06 13:35 UTC (permalink / raw)
  To: Zhihao Cheng, richard, miquel.raynal, vigneshr, axboe,
	chaitanya.kulkarni
  Cc: linux-mtd, linux-kernel, yukuai3, yi.zhang, houtao1, yangerkun



在 2024/4/28 15:51, Zhihao Cheng 写道:
> 在 2024/4/28 15:19, linan666@huaweicloud.com 写道:
>> From: Li Nan <linan122@huawei.com>
>>
>> Similar to commit adbf4c4954e3 ("ubi: block: fix memleak in
>> ubiblock_create()"), 'dev->gd' is not assigned but dereferenced if
>> blk_mq_alloc_tag_set() fails, and leading to a null-pointer-dereference.
>>
>> Using 'gd' directly here is not a good idea, too. 'gd->part0.bd_device'
>> is not initialized at this point. The error log will be:
>>    block (null): block: dynamic minor allocation failed
>>
>> Fix it by using pr_err() and print ubi id.
>>
>> Fixes: 77567b25ab9f ("ubi: use blk_mq_alloc_disk and blk_cleanup_disk")
>> Signed-off-by: Li Nan <linan122@huawei.com>
>> ---
>>   drivers/mtd/ubi/block.c | 7 ++++---
>>   1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
>> index f82e3423acb9..bf7308e8ec2f 100644
>> --- a/drivers/mtd/ubi/block.c
>> +++ b/drivers/mtd/ubi/block.c
>> @@ -390,7 +390,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
>>       ret = blk_mq_alloc_tag_set(&dev->tag_set);
>>       if (ret) {
>> -        dev_err(disk_to_dev(dev->gd), "blk_mq_alloc_tag_set failed");
>> +        pr_err("ubiblock%d_%d: blk_mq_alloc_tag_set failed\n",
>> +            dev->ubi_num, dev->vol_id);
>>           goto out_free_dev;
>>       }
>> @@ -407,8 +408,8 @@ int ubiblock_create(struct ubi_volume_info *vi)
>>       gd->minors = 1;
>>       gd->first_minor = idr_alloc(&ubiblock_minor_idr, dev, 0, 0, 
>> GFP_KERNEL);
> 
> There is no need to modify this place. The device of 'gd' is initialized in 
> blk_mq_alloc_disk. Refer to nbd_dev_add.


The print of this dev_err() is:
   block (null): block: dynamic minor allocation failed
	~~~~~~
There is no information about which device failed. dev_err()
use 'kobject_name(&dev->kobj)' here, which is init in device_add_disk()
later. So use pr_err() here can print more detail.

I will split the patch into two in v2 to make it clearer.

>>       if (gd->first_minor < 0) {
>> -        dev_err(disk_to_dev(gd),
>> -            "block: dynamic minor allocation failed");
>> +        pr_err("ubiblock%d_%d: block: dynamic minor allocation failed\n",
>> +            dev->ubi_num, dev->vol_id);
>>           ret = -ENODEV;
>>           goto out_cleanup_disk;
>>       }
>>

-- 
Thanks,
Nan


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
  2023-12-08  7:29 ` Zhihao Cheng
@ 2023-12-08  7:40   ` Li Nan
  0 siblings, 0 replies; 6+ messages in thread
From: Li Nan @ 2023-12-08  7:40 UTC (permalink / raw)
  To: Zhihao Cheng, linan666, richard, miquel.raynal, vigneshr
  Cc: linux-mtd, linux-kernel, yukuai3, yi.zhang, houtao1, yangerkun



在 2023/12/8 15:29, Zhihao Cheng 写道:
> 在 2023/12/8 15:13, linan666@huaweicloud.com 写道:
>> From: Li Nan <linan122@huawei.com>
>>
>> If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in
>> ubiblock_create(), but dev->gd has not been assigned yet at this time, 
>> and
>> accessing it will trigger a null-pointer-dereference issue. Fix it by put
>> gd directly.
> Function 'put_disk()' checks disk whether is NULL, so I think it's a 
> 'memleak' problem, not a null-ptr-deref problem.
>>

Damn, I overlooked it here. Thanks for your review, I will fix the log
in v2.

>> Signed-off-by: Li Nan <linan122@huawei.com>
>> ---
>>   drivers/mtd/ubi/block.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
>> index 309a42aeaa4c..654bd7372cd8 100644
>> --- a/drivers/mtd/ubi/block.c
>> +++ b/drivers/mtd/ubi/block.c
>> @@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi)
>>       list_del(&dev->list);
>>       idr_remove(&ubiblock_minor_idr, gd->first_minor);
>>   out_cleanup_disk:
>> -    put_disk(dev->gd);
>> +    put_disk(gd);
> 
> For memleak solution:
> 
> Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
> 
>>   out_free_tags:
>>       blk_mq_free_tag_set(&dev->tag_set);
>>   out_free_dev:
> 
> 
> .

-- 
Thanks,
Nan


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
  2023-12-08  7:13 linan666
@ 2023-12-08  7:29 ` Zhihao Cheng
  2023-12-08  7:40   ` Li Nan
  0 siblings, 1 reply; 6+ messages in thread
From: Zhihao Cheng @ 2023-12-08  7:29 UTC (permalink / raw)
  To: linan666, richard, miquel.raynal, vigneshr
  Cc: linux-mtd, linux-kernel, linan122, yukuai3, yi.zhang, houtao1, yangerkun

在 2023/12/8 15:13, linan666@huaweicloud.com 写道:
> From: Li Nan <linan122@huawei.com>
>
> If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in
> ubiblock_create(), but dev->gd has not been assigned yet at this time, and
> accessing it will trigger a null-pointer-dereference issue. Fix it by put
> gd directly.
Function 'put_disk()' checks disk whether is NULL, so I think it's a 
'memleak' problem, not a null-ptr-deref problem.
>
> Signed-off-by: Li Nan <linan122@huawei.com>
> ---
>   drivers/mtd/ubi/block.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
> index 309a42aeaa4c..654bd7372cd8 100644
> --- a/drivers/mtd/ubi/block.c
> +++ b/drivers/mtd/ubi/block.c
> @@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi)
>   	list_del(&dev->list);
>   	idr_remove(&ubiblock_minor_idr, gd->first_minor);
>   out_cleanup_disk:
> -	put_disk(dev->gd);
> +	put_disk(gd);

For memleak solution:

Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>

>   out_free_tags:
>   	blk_mq_free_tag_set(&dev->tag_set);
>   out_free_dev:



______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
@ 2023-12-08  7:13 linan666
  2023-12-08  7:29 ` Zhihao Cheng
  0 siblings, 1 reply; 6+ messages in thread
From: linan666 @ 2023-12-08  7:13 UTC (permalink / raw)
  To: richard, miquel.raynal, vigneshr
  Cc: linux-mtd, linux-kernel, linan122, yukuai3, yi.zhang, houtao1, yangerkun

From: Li Nan <linan122@huawei.com>

If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in
ubiblock_create(), but dev->gd has not been assigned yet at this time, and
accessing it will trigger a null-pointer-dereference issue. Fix it by put
gd directly.

Signed-off-by: Li Nan <linan122@huawei.com>
---
 drivers/mtd/ubi/block.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
index 309a42aeaa4c..654bd7372cd8 100644
--- a/drivers/mtd/ubi/block.c
+++ b/drivers/mtd/ubi/block.c
@@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi)
 	list_del(&dev->list);
 	idr_remove(&ubiblock_minor_idr, gd->first_minor);
 out_cleanup_disk:
-	put_disk(dev->gd);
+	put_disk(gd);
 out_free_tags:
 	blk_mq_free_tag_set(&dev->tag_set);
 out_free_dev:
-- 
2.39.2


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-05-06 13:36 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-28  7:19 [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create() linan666
2024-04-28  7:51 ` Zhihao Cheng
2024-05-06 13:35   ` Li Nan
  -- strict thread matches above, loose matches on Subject: below --
2023-12-08  7:13 linan666
2023-12-08  7:29 ` Zhihao Cheng
2023-12-08  7:40   ` Li Nan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).