From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Munehisa Kamata <kamatam@amazon.com>,
Thomas Friebel <friebelt@amazon.de>,
Eduardo Valentin <eduval@amazon.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Juergen Gross <jgross@suse.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Roger Pau Monne <roger.pau@citrix.com>,
xen-devel@lists.xenproject.org
Subject: [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests
Date: Tue, 22 Aug 2017 12:13:55 -0700 [thread overview]
Message-ID: <20170822190943.024693871@linuxfoundation.org> (raw)
In-Reply-To: <20170822190941.918296529@linuxfoundation.org>
4.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Munehisa Kamata <kamatam@amazon.com>
commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream.
Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of
git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch
'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume()
has been using an index for iterating ring_info to check request when
iterating blk_shadow in an inner loop. This seems to have been
accidentally introduced during the massive rewrite of the block layer
macros in the commits.
This may cause crash like this:
[11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610
....
[11798.061063] Call Trace:
[11798.061063] [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140
[11798.061063] [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150
[11798.061063] [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110
[11798.061063] [<ffffffff813f3a08>] device_resume+0x88/0x190
[11798.061063] [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0
[11798.061063] [<ffffffff813f5221>] dpm_resume_end+0x11/0x20
[11798.061063] [<ffffffff813950a8>] do_suspend+0xe8/0x1a0
[11798.061063] [<ffffffff813954bd>] shutdown_handler+0xfd/0x130
[11798.061063] [<ffffffff8139aba0>] ? split+0x110/0x110
[11798.061063] [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120
[11798.061063] [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110
[11798.061063] [<ffffffff8108fe57>] kthread+0xd7/0xf0
[11798.061063] [<ffffffff811da811>] ? kfree+0x121/0x170
[11798.061063] [<ffffffff8108fd80>] ? kthread_park+0x60/0x60
[11798.061063] [<ffffffff810863b0>] ? call_usermodehelper_exec_work+0xb0/0xb0
[11798.061063] [<ffffffff810864ea>] ? call_usermodehelper_exec_async+0x13a/0x140
[11798.061063] [<ffffffff81534a45>] ret_from_fork+0x25/0x30
Use the right index in the inner loop.
Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block")
Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
Reviewed-by: Thomas Friebel <friebelt@amazon.de>
Reviewed-by: Eduardo Valentin <eduval@amazon.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Roger Pau Monne <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/xen-blkfront.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -2119,9 +2119,9 @@ static int blkfront_resume(struct xenbus
/*
* Get the bios in the request so we can re-queue them.
*/
- if (req_op(shadow[i].request) == REQ_OP_FLUSH ||
- req_op(shadow[i].request) == REQ_OP_DISCARD ||
- req_op(shadow[i].request) == REQ_OP_SECURE_ERASE ||
+ if (req_op(shadow[j].request) == REQ_OP_FLUSH ||
+ req_op(shadow[j].request) == REQ_OP_DISCARD ||
+ req_op(shadow[j].request) == REQ_OP_SECURE_ERASE ||
shadow[j].request->cmd_flags & REQ_FUA) {
/*
* Flush operations don't contain bios, so
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Juergen Gross <jgross@suse.com>,
Eduardo Valentin <eduval@amazon.com>,
Thomas Friebel <friebelt@amazon.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Munehisa Kamata <kamatam@amazon.com>,
stable@vger.kernel.org, xen-devel@lists.xenproject.org,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests
Date: Tue, 22 Aug 2017 12:13:55 -0700 [thread overview]
Message-ID: <20170822190943.024693871@linuxfoundation.org> (raw)
In-Reply-To: <20170822190941.918296529@linuxfoundation.org>
4.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Munehisa Kamata <kamatam@amazon.com>
commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream.
Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of
git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch
'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume()
has been using an index for iterating ring_info to check request when
iterating blk_shadow in an inner loop. This seems to have been
accidentally introduced during the massive rewrite of the block layer
macros in the commits.
This may cause crash like this:
[11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610
....
[11798.061063] Call Trace:
[11798.061063] [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140
[11798.061063] [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150
[11798.061063] [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110
[11798.061063] [<ffffffff813f3a08>] device_resume+0x88/0x190
[11798.061063] [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0
[11798.061063] [<ffffffff813f5221>] dpm_resume_end+0x11/0x20
[11798.061063] [<ffffffff813950a8>] do_suspend+0xe8/0x1a0
[11798.061063] [<ffffffff813954bd>] shutdown_handler+0xfd/0x130
[11798.061063] [<ffffffff8139aba0>] ? split+0x110/0x110
[11798.061063] [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120
[11798.061063] [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110
[11798.061063] [<ffffffff8108fe57>] kthread+0xd7/0xf0
[11798.061063] [<ffffffff811da811>] ? kfree+0x121/0x170
[11798.061063] [<ffffffff8108fd80>] ? kthread_park+0x60/0x60
[11798.061063] [<ffffffff810863b0>] ? call_usermodehelper_exec_work+0xb0/0xb0
[11798.061063] [<ffffffff810864ea>] ? call_usermodehelper_exec_async+0x13a/0x140
[11798.061063] [<ffffffff81534a45>] ret_from_fork+0x25/0x30
Use the right index in the inner loop.
Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block")
Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
Reviewed-by: Thomas Friebel <friebelt@amazon.de>
Reviewed-by: Eduardo Valentin <eduval@amazon.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Roger Pau Monne <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/xen-blkfront.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -2119,9 +2119,9 @@ static int blkfront_resume(struct xenbus
/*
* Get the bios in the request so we can re-queue them.
*/
- if (req_op(shadow[i].request) == REQ_OP_FLUSH ||
- req_op(shadow[i].request) == REQ_OP_DISCARD ||
- req_op(shadow[i].request) == REQ_OP_SECURE_ERASE ||
+ if (req_op(shadow[j].request) == REQ_OP_FLUSH ||
+ req_op(shadow[j].request) == REQ_OP_DISCARD ||
+ req_op(shadow[j].request) == REQ_OP_SECURE_ERASE ||
shadow[j].request->cmd_flags & REQ_FUA) {
/*
* Flush operations don't contain bios, so
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-08-22 19:20 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-22 19:13 [PATCH 4.12 00/41] 4.12.9-stable review Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 01/41] audit: Fix use after free in audit_remove_watch_rule() Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 02/41] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 03/41] crypto: ixp4xx - Fix error handling path in aead_perform() Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 04/41] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 05/41] drm/i915: Perform an invalidate prior to executing golden renderstate Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 07/41] Input: elan_i2c - add ELAN0608 to the ACPI table Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 08/41] Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 09/41] md: fix test in md_write_start() Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 10/41] md: always clear ->safemode when md_check_recovery gets the mddev lock Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 11/41] MD: not clear ->safemode for external metadata array Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 12/41] ALSA: seq: 2nd attempt at fixing race creating a queue Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 13/41] ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 14/41] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 15/41] ALSA: usb-audio: add DSD support for new Amanero PID Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 16/41] mm: discard memblock data later Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 17/41] slub: fix per memcg cache leak on css offline Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 18/41] mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 19/41] mm/cma_debug.c: fix stack corruption due to sprintf usage Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 20/41] mm/mempolicy: fix use after free when calling get_mempolicy Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 21/41] mm/vmalloc.c: dont unconditonally use __GFP_HIGHMEM Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 22/41] mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 24/41] ARM: dts: imx6qdl-nitrogen6_som2: fix PCIe reset Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 25/41] blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 26/41] powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC Greg Kroah-Hartman
2017-08-22 19:13 ` Greg Kroah-Hartman [this message]
2017-08-22 19:13 ` [PATCH 4.12 27/41] xen-blkfront: use a right index when checking requests Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 28/41] perf/x86: Fix RDPMC vs. mm_struct tracking Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 29/41] x86/asm/64: Clear AC on NMI entries Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 30/41] x86: Fix norandmaps/ADDR_NO_RANDOMIZE Greg Kroah-Hartman
2017-08-22 19:13 ` [PATCH 4.12 31/41] x86/elf: Remove the unnecessary ADDR_NO_RANDOMIZE checks Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 32/41] irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup() Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 33/41] irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup() Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 34/41] genirq: Restore trigger settings in irq_modify_status() Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 35/41] genirq/ipi: Fixup checks against nr_cpu_ids Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 36/41] kernel/watchdog: Prevent false positives with turbo modes Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 37/41] Sanitize move_pages() permission checks Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 38/41] pids: make task_tgid_nr_ns() safe Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 39/41] debug: Fix WARN_ON_ONCE() for modules Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 40/41] usb: optimize acpi companion search for usb port devices Greg Kroah-Hartman
2017-08-22 19:14 ` [PATCH 4.12 41/41] usb: qmi_wwan: add D-Link DWM-222 device ID Greg Kroah-Hartman
2017-08-23 0:33 ` [PATCH 4.12 00/41] 4.12.9-stable review Shuah Khan
2017-08-23 0:48 ` Greg Kroah-Hartman
2017-08-27 18:18 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170822190943.024693871@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=boris.ostrovsky@oracle.com \
--cc=eduval@amazon.com \
--cc=friebelt@amazon.de \
--cc=jgross@suse.com \
--cc=kamatam@amazon.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=roger.pau@citrix.com \
--cc=stable@vger.kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.