From: Marina Makienko <makienko@ispras.ru>
To: "David S. Miller" <davem@davemloft.net>
Cc: Marina Makienko <makienko@ispras.ru>,
	linux-ide@vger.kernel.org, linux-kernel@vger.kernel.org,
	ldv-project@ispras.ru
Subject: [PATCH 11/13] ide: Potential null pointer dereference in idetape_queue_rw_tail()
Date: Thu,  9 Aug 2012 17:55:28 +0400
Message-ID: <1344520529-19164-9-git-send-email-makienko@ispras.ru>
In-Reply-To: <1344520529-19164-1-git-send-email-makienko@ispras.ru>

The function blk_get_request() can return NULL in some cases. There are
checks on it if the function is called with arguments one of which is
GFP_ATOMIC/GFP_NOIO/etc. If the system couldn't find a request,
blk_get_request() returns NULL.

But if there is a function call with argument __GFP_WAIT,
the system will wait until it gets a request or the queue becomes
dead. If something kills the queue, blk_get_request()
returns NULL and the next operations will lead to errors.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Marina Makienko <makienko@ispras.ru>
---
 drivers/ide/ide-tape.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/ide/ide-tape.c b/drivers/ide/ide-tape.c
index ce8237d..c27b05c 100644
--- a/drivers/ide/ide-tape.c
+++ b/drivers/ide/ide-tape.c
@@ -853,6 +853,8 @@ static int idetape_queue_rw_tail(ide_drive_t *drive, int cmd, int size)
 	BUG_ON(size < 0 || size % tape->blk_size);
 
 	rq = blk_get_request(drive->queue, READ, __GFP_WAIT);
+	if (!rq)
+		return -EIO;
 	rq->cmd_type = REQ_TYPE_SPECIAL;
 	rq->cmd[13] = cmd;
 	rq->rq_disk = tape->disk;
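
Review bot: the new `if (!rq)` check carries no comment saying why a __GFP_WAIT request allocation can come back NULL, and the commit message is the only place that explains it (the queue went dead while waiting). A one-line comment above the check would keep it from being removed later as unreachable. The return value is also worth a second look: -EIO reads to a caller like a media or transfer error, while the condition described is a dead queue, so -ENODEV may describe it better. Since idetape_queue_rw_tail() returns int and takes a size argument, please confirm that every caller treats a negative return as an error and not as a transfer count. No cleanup is needed at this point in the visible lines, because nothing has been set up on rq before the first dereference at `rq->cmd_type`.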
-- 
1.7.7
