Patch "pktcdvd: Fix a recently introduced NULL pointer dereference" has been added to the 4.14-stable tree

From: <gregkh@linuxfoundation.org>
To: bart.vanassche@wdc.com, axboe@kernel.dk,
	gregkh@linuxfoundation.org, mail@maciej.szmigiero.name
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "pktcdvd: Fix a recently introduced NULL pointer dereference" has been added to the 4.14-stable tree
Date: Thu, 15 Feb 2018 09:32:53 +0100	[thread overview]
Message-ID: <1518683572151227@kroah.com> (raw)


This is a note to let you know that I've just added the patch titled

    pktcdvd: Fix a recently introduced NULL pointer dereference

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pktcdvd-fix-a-recently-introduced-null-pointer-dereference.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 882d4171a8950646413b1a3cbe0e4a6a612fe82e Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bart.vanassche@wdc.com>
Date: Tue, 2 Jan 2018 11:39:48 -0800
Subject: pktcdvd: Fix a recently introduced NULL pointer dereference

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 882d4171a8950646413b1a3cbe0e4a6a612fe82e upstream.

Call bdev_get_queue(bdev) after bdev->bd_disk has been initialized
instead of just before that pointer has been initialized. This patch
avoids that the following command

pktsetup 1 /dev/sr0

triggers the following kernel crash:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000548
IP: pkt_setup_dev+0x2db/0x670 [pktcdvd]
CPU: 2 PID: 724 Comm: pktsetup Not tainted 4.15.0-rc4-dbg+ #1
Call Trace:
 pkt_ctl_ioctl+0xce/0x1c0 [pktcdvd]
 do_vfs_ioctl+0x8e/0x670
 SyS_ioctl+0x3c/0x70
 entry_SYSCALL_64_fastpath+0x23/0x9a

Reported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: commit ca18d6f769d2 ("block: Make most scsi_req_init() calls implicit")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Tested-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/pktcdvd.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2579,14 +2579,14 @@ static int pkt_new_dev(struct pktcdvd_de
 	bdev = bdget(dev);
 	if (!bdev)
 		return -ENOMEM;
+	ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
+	if (ret)
+		return ret;
 	if (!blk_queue_scsi_passthrough(bdev_get_queue(bdev))) {
 		WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
-		bdput(bdev);
+		blkdev_put(bdev, FMODE_READ | FMODE_NDELAY);
 		return -EINVAL;
 	}
-	ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
-	if (ret)
-		return ret;
 
 	/* This is safe, since we have a reference from open(). */
 	__module_get(THIS_MODULE);


Patches currently in stable-queue which might be from bart.vanassche@wdc.com are

queue-4.14/pktcdvd-fix-pkt_setup_dev-error-path.patch
queue-4.14/pktcdvd-fix-a-recently-introduced-null-pointer-dereference.patch
