[PATCH] Fix NULL ptr deref in nvme_ctrl_fast_io_fail_tmo_store

[PATCH] Fix NULL ptr deref in nvme_ctrl_fast_io_fail_tmo_store

[Gopal Tiwari]

When trying to set fast_io_fail_tmo from /sys hit kernel crash

[ 1749.892646] RIP: 0010:nvme_ctrl_fast_io_fail_tmo_store+0x55/0x80 [nvme_core]
[ 1749.918344] RSP: 0018:ffffb52541d53e78 EFLAGS: 00010206
[ 1749.923550] RAX: 000000000000001e RBX: 0000000000000003 RCX: 0000000000000000
[ 1749.930653] RDX: 000000000000001e RSI: 000000000000000a RDI: ffff98e75e774d42
[ 1749.937760] RBP: 0000000000000000 R08: 000000000000001e R09: 0000000000000002
[ 1749.944862] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000003
[ 1749.951968] R13: fffffffffffffff2 R14: ffffb52541d53f08 R15: ffff98e74fc240e0
[ 1749.959072] FS:  00007fc551327740(0000) GS:ffff98e79dc40000(0000) knlGS:000000
00000000000
[ 1749.967127] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1749.972852] CR2: 0000000000000064 CR3: 000000043f53c005 CR4: 00000000003706e0
[ 1749.979956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1749.987062] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[66824.400512] IPv6: ADDRCONF(NETDEV_UP): wlp0s20f3: link is not ready
[ 1749.996612]  kernfs_fop_write+0x116/0x190
[ 1750.000610]  vfs_write+0xa5/0x1a0
[ 1750.003918]  ksys_write+0x4f/0xb0

Fixed by checking opts for NULL.

Fixes: 09fbed636382 (nvme: export fast_io_fail_tmo to sysfs)

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 drivers/nvme/host/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 39b8fbe87adb..d26eddf2bde4 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -3764,6 +3764,9 @@ static ssize_t nvme_ctrl_fast_io_fail_tmo_store(struct device *dev,
 	struct nvmf_ctrl_options *opts = ctrl->opts;
 	int fast_io_fail_tmo, err;
 
+	if (!opts)
+		return -EINVAL;
+
 	err = kstrtoint(buf, 10, &fast_io_fail_tmo);
 	if (err)
 		return -EINVAL;
-- 
2.26.2


_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme

Re: [PATCH] Fix NULL ptr deref in nvme_ctrl_fast_io_fail_tmo_store

[Keith Busch]

On Tue, Apr 13, 2021 at 03:50:46PM +0530, Gopal Tiwari wrote:
> When trying to set fast_io_fail_tmo from /sys hit kernel crash
> 
> [ 1749.892646] RIP: 0010:nvme_ctrl_fast_io_fail_tmo_store+0x55/0x80 [nvme_core]
> [ 1749.918344] RSP: 0018:ffffb52541d53e78 EFLAGS: 00010206
> [ 1749.923550] RAX: 000000000000001e RBX: 0000000000000003 RCX: 0000000000000000
> [ 1749.930653] RDX: 000000000000001e RSI: 000000000000000a RDI: ffff98e75e774d42
> [ 1749.937760] RBP: 0000000000000000 R08: 000000000000001e R09: 0000000000000002
> [ 1749.944862] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000003
> [ 1749.951968] R13: fffffffffffffff2 R14: ffffb52541d53f08 R15: ffff98e74fc240e0
> [ 1749.959072] FS:  00007fc551327740(0000) GS:ffff98e79dc40000(0000) knlGS:000000
> 00000000000
> [ 1749.967127] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1749.972852] CR2: 0000000000000064 CR3: 000000043f53c005 CR4: 00000000003706e0
> [ 1749.979956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 1749.987062] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [66824.400512] IPv6: ADDRCONF(NETDEV_UP): wlp0s20f3: link is not ready
> [ 1749.996612]  kernfs_fop_write+0x116/0x190
> [ 1750.000610]  vfs_write+0xa5/0x1a0
> [ 1750.003918]  ksys_write+0x4f/0xb0
> 
> Fixed by checking opts for NULL.
> 
> Fixes: 09fbed636382 (nvme: export fast_io_fail_tmo to sysfs)

How were you able to access this attribute? It doesn't pass the
.is_visible() test without ctrl->opts..

_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme