From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Munehisa Kamata <kamatam@amazon.com>, Thomas Friebel <friebelt@amazon.de>, Eduardo Valentin <eduval@amazon.com>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Juergen Gross <jgross@suse.com>, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>, Roger Pau Monne <roger.pau@citrix.com>, xen-devel@lists.xenproject.org Subject: [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests Date: Tue, 22 Aug 2017 12:13:55 -0700 [thread overview] Message-ID: <20170822190943.024693871@linuxfoundation.org> (raw) In-Reply-To: <20170822190941.918296529@linuxfoundation.org> 4.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Munehisa Kamata <kamatam@amazon.com> commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream. Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume() has been using an index for iterating ring_info to check request when iterating blk_shadow in an inner loop. This seems to have been accidentally introduced during the massive rewrite of the block layer macros in the commits. This may cause crash like this: [11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610 .... [11798.061063] Call Trace: [11798.061063] [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140 [11798.061063] [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150 [11798.061063] [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110 [11798.061063] [<ffffffff813f3a08>] device_resume+0x88/0x190 [11798.061063] [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0 [11798.061063] [<ffffffff813f5221>] dpm_resume_end+0x11/0x20 [11798.061063] [<ffffffff813950a8>] do_suspend+0xe8/0x1a0 [11798.061063] [<ffffffff813954bd>] shutdown_handler+0xfd/0x130 [11798.061063] [<ffffffff8139aba0>] ? split+0x110/0x110 [11798.061063] [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120 [11798.061063] [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110 [11798.061063] [<ffffffff8108fe57>] kthread+0xd7/0xf0 [11798.061063] [<ffffffff811da811>] ? kfree+0x121/0x170 [11798.061063] [<ffffffff8108fd80>] ? kthread_park+0x60/0x60 [11798.061063] [<ffffffff810863b0>] ? call_usermodehelper_exec_work+0xb0/0xb0 [11798.061063] [<ffffffff810864ea>] ? call_usermodehelper_exec_async+0x13a/0x140 [11798.061063] [<ffffffff81534a45>] ret_from_fork+0x25/0x30 Use the right index in the inner loop. Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block") Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block") Signed-off-by: Munehisa Kamata <kamatam@amazon.com> Reviewed-by: Thomas Friebel <friebelt@amazon.de> Reviewed-by: Eduardo Valentin <eduval@amazon.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Juergen Gross <jgross@suse.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Roger Pau Monne <roger.pau@citrix.com> Cc: xen-devel@lists.xenproject.org Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/block/xen-blkfront.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -2119,9 +2119,9 @@ static int blkfront_resume(struct xenbus /* * Get the bios in the request so we can re-queue them. */ - if (req_op(shadow[i].request) == REQ_OP_FLUSH || - req_op(shadow[i].request) == REQ_OP_DISCARD || - req_op(shadow[i].request) == REQ_OP_SECURE_ERASE || + if (req_op(shadow[j].request) == REQ_OP_FLUSH || + req_op(shadow[j].request) == REQ_OP_DISCARD || + req_op(shadow[j].request) == REQ_OP_SECURE_ERASE || shadow[j].request->cmd_flags & REQ_FUA) { /* * Flush operations don't contain bios, so
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Juergen Gross <jgross@suse.com>, Eduardo Valentin <eduval@amazon.com>, Thomas Friebel <friebelt@amazon.de>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Munehisa Kamata <kamatam@amazon.com>, stable@vger.kernel.org, xen-devel@lists.xenproject.org, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Roger Pau Monne <roger.pau@citrix.com> Subject: [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests Date: Tue, 22 Aug 2017 12:13:55 -0700 [thread overview] Message-ID: <20170822190943.024693871@linuxfoundation.org> (raw) In-Reply-To: <20170822190941.918296529@linuxfoundation.org> 4.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Munehisa Kamata <kamatam@amazon.com> commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream. Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume() has been using an index for iterating ring_info to check request when iterating blk_shadow in an inner loop. This seems to have been accidentally introduced during the massive rewrite of the block layer macros in the commits. This may cause crash like this: [11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610 .... [11798.061063] Call Trace: [11798.061063] [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140 [11798.061063] [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150 [11798.061063] [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110 [11798.061063] [<ffffffff813f3a08>] device_resume+0x88/0x190 [11798.061063] [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0 [11798.061063] [<ffffffff813f5221>] dpm_resume_end+0x11/0x20 [11798.061063] [<ffffffff813950a8>] do_suspend+0xe8/0x1a0 [11798.061063] [<ffffffff813954bd>] shutdown_handler+0xfd/0x130 [11798.061063] [<ffffffff8139aba0>] ? split+0x110/0x110 [11798.061063] [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120 [11798.061063] [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110 [11798.061063] [<ffffffff8108fe57>] kthread+0xd7/0xf0 [11798.061063] [<ffffffff811da811>] ? kfree+0x121/0x170 [11798.061063] [<ffffffff8108fd80>] ? kthread_park+0x60/0x60 [11798.061063] [<ffffffff810863b0>] ? call_usermodehelper_exec_work+0xb0/0xb0 [11798.061063] [<ffffffff810864ea>] ? call_usermodehelper_exec_async+0x13a/0x140 [11798.061063] [<ffffffff81534a45>] ret_from_fork+0x25/0x30 Use the right index in the inner loop. Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block") Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block") Signed-off-by: Munehisa Kamata <kamatam@amazon.com> Reviewed-by: Thomas Friebel <friebelt@amazon.de> Reviewed-by: Eduardo Valentin <eduval@amazon.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Juergen Gross <jgross@suse.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Roger Pau Monne <roger.pau@citrix.com> Cc: xen-devel@lists.xenproject.org Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/block/xen-blkfront.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -2119,9 +2119,9 @@ static int blkfront_resume(struct xenbus /* * Get the bios in the request so we can re-queue them. */ - if (req_op(shadow[i].request) == REQ_OP_FLUSH || - req_op(shadow[i].request) == REQ_OP_DISCARD || - req_op(shadow[i].request) == REQ_OP_SECURE_ERASE || + if (req_op(shadow[j].request) == REQ_OP_FLUSH || + req_op(shadow[j].request) == REQ_OP_DISCARD || + req_op(shadow[j].request) == REQ_OP_SECURE_ERASE || shadow[j].request->cmd_flags & REQ_FUA) { /* * Flush operations don't contain bios, so _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-08-22 19:20 UTC|newest] Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-08-22 19:13 [PATCH 4.12 00/41] 4.12.9-stable review Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 01/41] audit: Fix use after free in audit_remove_watch_rule() Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 02/41] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 03/41] crypto: ixp4xx - Fix error handling path in aead_perform() Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 04/41] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 05/41] drm/i915: Perform an invalidate prior to executing golden renderstate Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 07/41] Input: elan_i2c - add ELAN0608 to the ACPI table Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 08/41] Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 09/41] md: fix test in md_write_start() Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 10/41] md: always clear ->safemode when md_check_recovery gets the mddev lock Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 11/41] MD: not clear ->safemode for external metadata array Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 12/41] ALSA: seq: 2nd attempt at fixing race creating a queue Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 13/41] ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 14/41] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 15/41] ALSA: usb-audio: add DSD support for new Amanero PID Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 16/41] mm: discard memblock data later Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 17/41] slub: fix per memcg cache leak on css offline Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 18/41] mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 19/41] mm/cma_debug.c: fix stack corruption due to sprintf usage Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 20/41] mm/mempolicy: fix use after free when calling get_mempolicy Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 21/41] mm/vmalloc.c: dont unconditonally use __GFP_HIGHMEM Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 22/41] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 24/41] ARM: dts: imx6qdl-nitrogen6_som2: fix PCIe reset Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 25/41] blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 26/41] powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC Greg Kroah-Hartman 2017-08-22 19:13 ` Greg Kroah-Hartman [this message] 2017-08-22 19:13 ` [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 28/41] perf/x86: Fix RDPMC vs. mm_struct tracking Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 29/41] x86/asm/64: Clear AC on NMI entries Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 30/41] x86: Fix norandmaps/ADDR_NO_RANDOMIZE Greg Kroah-Hartman 2017-08-22 19:13 ` [PATCH 4.12 31/41] x86/elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 32/41] irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup() Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 33/41] irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup() Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 34/41] genirq: Restore trigger settings in irq_modify_status() Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 35/41] genirq/ipi: Fixup checks against nr_cpu_ids Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 36/41] kernel/watchdog: Prevent false positives with turbo modes Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 37/41] Sanitize move_pages() permission checks Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 38/41] pids: make task_tgid_nr_ns() safe Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 39/41] debug: Fix WARN_ON_ONCE() for modules Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 40/41] usb: optimize acpi companion search for usb port devices Greg Kroah-Hartman 2017-08-22 19:14 ` [PATCH 4.12 41/41] usb: qmi_wwan: add D-Link DWM-222 device ID Greg Kroah-Hartman 2017-08-23 0:33 ` [PATCH 4.12 00/41] 4.12.9-stable review Shuah Khan 2017-08-23 0:48 ` Greg Kroah-Hartman 2017-08-27 18:18 ` Guenter Roeck
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170822190943.024693871@linuxfoundation.org \ --to=gregkh@linuxfoundation.org \ --cc=boris.ostrovsky@oracle.com \ --cc=eduval@amazon.com \ --cc=friebelt@amazon.de \ --cc=jgross@suse.com \ --cc=kamatam@amazon.com \ --cc=konrad.wilk@oracle.com \ --cc=linux-kernel@vger.kernel.org \ --cc=roger.pau@citrix.com \ --cc=stable@vger.kernel.org \ --cc=xen-devel@lists.xenproject.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.