* [PATCH 01/13] block/paride: Potential null pointer dereference in pd_special_command()
@ 2012-08-09 13:54 Marina Makienko
  2012-08-09 13:54 ` [PATCH 02/13] block: Potential null pointer dereference in pkt_generic_packet() Marina Makienko
  0 siblings, 1 reply; 2+ messages in thread
From: Marina Makienko @ 2012-08-09 13:54 UTC (permalink / raw)
  To: Tim Waugh; +Cc: Marina Makienko, Grant R. Guenther, linux-kernel, ldv-project

The function blk_get_request() can return NULL in some cases. There are
checks on it if the function is called with arguments, one of which is
GFP_ATOMIC/GFP_NOIO/etc. If the system couldn't find a request,
blk_get_request() returns NULL.

But if there is a function call with the argument __GFP_WAIT,
the system will wait until it gets a request or the queue becomes
dead. If something kills the queue, blk_get_request()
returns NULL and the next operations will lead to errors.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Marina Makienko <makienko@ispras.ru>
---
 drivers/block/paride/pd.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/block/paride/pd.c b/drivers/block/paride/pd.c
index 831e3ac..6e28910 100644
--- a/drivers/block/paride/pd.c
+++ b/drivers/block/paride/pd.c
@@ -723,6 +723,9 @@ static int pd_special_command(struct pd_unit *disk,
 
 	rq = blk_get_request(disk->gd->queue, READ, __GFP_WAIT);
 
+	if (!rq)
+		return Fail;
+
 	rq->cmd_type = REQ_TYPE_SPECIAL;
 	rq->special = func;
 
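Review bot: the new `if (!rq)` check is separated from the `blk_get_request()` call it guards by a blank line; put it directly under the assignment so the call and its check read as one unit, and add a one-line comment that NULL is still possible with `__GFP_WAIT` when the queue goes dead, since the call site alone does not suggest it. Exiting before `rq->cmd_type` is written is the right place, but `return Fail` gives the caller the same result as a failed command; if callers of pd_special_command() need to tell a dead queue apart, note in the changelog why `Fail` is sufficient.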
-- 
1.7.7



* [PATCH 02/13] block: Potential null pointer dereference in pkt_generic_packet()
  2012-08-09 13:54 [PATCH 01/13] block/paride: Potential null pointer dereference in pd_special_command() Marina Makienko
@ 2012-08-09 13:54 ` Marina Makienko
  0 siblings, 0 replies; 2+ messages in thread
From: Marina Makienko @ 2012-08-09 13:54 UTC (permalink / raw)
  To: Peter Osterlund; +Cc: Marina Makienko, ldv-project, linux-kernel

The function blk_get_request() can return NULL in some cases. There are
checks on it if the function is called with arguments, one of which is
GFP_ATOMIC/GFP_NOIO/etc. If the system couldn't find a request,
blk_get_request() returns NULL.

But if there is a function call with the argument __GFP_WAIT,
the system will wait until it gets a request or the queue becomes
dead. If something kills the queue, blk_get_request()
returns NULL and the next operations will lead to errors.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Marina Makienko <makienko@ispras.ru>
---
 drivers/block/pktcdvd.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index ba66e44..be477aa 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -743,6 +743,9 @@ static int pkt_generic_packet(struct pktcdvd_device *pd, struct packet_command *
 	rq = blk_get_request(q, (cgc->data_direction == CGC_DATA_WRITE) ?
 			     WRITE : READ, __GFP_WAIT);
 
+	if (!rq)
+		return -EIO;
+
 	if (cgc->buflen) {
 		if (blk_rq_map_kern(q, rq, cgc->buffer, cgc->buflen, __GFP_WAIT))
 			goto out;
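Review bot: the early `return -EIO` in the new check bypasses the `out` label that the `blk_rq_map_kern()` failure just below jumps to; that is only correct if `out` does nothing except release `rq`, so please confirm that nothing else needs unwinding at this point and say so in the changelog. The check would also read better placed directly under the `blk_get_request()` call, without the blank line, with a short comment that NULL can come back despite `__GFP_WAIT` when the queue is dead.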
-- 
1.7.7

