linux/drivers/block
Mikulas Patocka 3ec981e30f loop: fix crash if blk_alloc_queue fails
loop: fix crash if blk_alloc_queue fails

If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the
identifier allocated with idr_alloc. That causes a crash on module unload in
idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to
remove a non-existent device with that id.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000380
IP: [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
PGD 43d399067 PUD 43d0ad067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor button unix
CPU: 7 PID: 2735 Comm: rmmod Tainted: G        W    3.10.15-devel #15
Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000
RIP: 0010:[<ffffffff812057c9>]  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
RSP: 0018:ffff88043d21fe10  EFLAGS: 00010282
RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000
RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff
R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800
FS:  00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
 ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800
 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60
 ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec
Call Trace:
 [<ffffffff8100aba4>] ? native_sched_clock+0x24/0x80
 [<ffffffffa05102b4>] loop_remove+0x14/0x40 [loop]
 [<ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop]
 [<ffffffff81217b74>] idr_for_each+0x104/0x190
 [<ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop]
 [<ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0
 [<ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop]
 [<ffffffff810a98ea>] SyS_delete_module+0x13a/0x260
 [<ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00 00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20
RIP  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
 RSP <ffff88043d21fe10>
CR2: 0000000000000380
---[ end trace 64ec069ec70f1309 ]---

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: stable@kernel.org	# 3.1+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2013-11-08 08:59:26 -07:00
aoe aoe: do not BUG if memory pressure prevented debugfs file creation 2013-09-11 15:59:28 -07:00
drbd treewide: Add __GFP_NOWARN to k.alloc calls with v.alloc fallbacks 2013-08-20 13:06:40 +02:00
mtip32xx Remove GENERIC_HARDIRQ config option 2013-09-13 15:09:52 +02:00
paride block_device_operations->release() should return void 2013-05-07 02:16:21 -04:00
rsxx rsxx: Adding in debugfs entries. 2013-06-19 13:52:10 +02:00
xen-blkback block: replace strict_strtoul() with kstrtoul() 2013-09-11 15:56:56 -07:00
amiflop.c block_device_operations->release() should return void 2013-05-07 02:16:21 -04:00
ataflop.c block_device_operations->release() should return void 2013-05-07 02:16:21 -04:00
brd.c drivers/block/brd.c: fix brd_lookup_page() race 2013-05-24 16:22:52 -07:00
cciss_cmd.h
cciss_scsi.c cciss: switch to ->show_info() 2013-04-09 14:13:19 -04:00
cciss_scsi.h
cciss.c cciss: fix info leak in cciss_ioctl32_passthru() 2013-09-24 17:00:26 -07:00
cciss.h
cpqarray.c cpqarray: fix info leak in ida_locked_ioctl() 2013-09-24 17:00:26 -07:00
cpqarray.h
cryptoloop.c move linux/loop.h to drivers/block 2013-06-29 12:46:45 +04:00
DAC960.c procfs: new helper - PDE_DATA(inode) 2013-04-09 14:13:32 -04:00
DAC960.h
floppy.c Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block 2013-05-08 10:13:35 -07:00
hd.c
ida_cmd.h
ida_ioctl.h
Kconfig rsxx: Changing the adapter name to the official name. 2013-06-19 13:52:09 +02:00
loop.c loop: fix crash if blk_alloc_queue fails 2013-11-08 08:59:26 -07:00
loop.h move linux/loop.h to drivers/block 2013-06-29 12:46:45 +04:00
Makefile NVMe: Add nvme-scsi.c 2013-03-28 14:50:49 -04:00
mg_disk.c drivers/block/mg_disk.c: make mg_times_out() static 2013-09-11 15:56:59 -07:00
nbd.c nbd: correct disconnect behavior 2013-07-03 16:08:05 -07:00
nvme-core.c NVMe: Merge issue on character device bring-up 2013-09-06 16:26:58 -04:00
nvme-scsi.c NVMe: Use kzalloc instead of kmalloc+memset 2013-06-19 13:24:27 -04:00
osdblk.c block: replace strict_strtoul() with kstrtoul() 2013-09-11 15:56:56 -07:00
pktcdvd.c pktcdvd: fix defective misuses of pkt_<level> 2013-09-11 15:59:34 -07:00
ps3disk.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
ps3vram.c procfs: new helper - PDE_DATA(inode) 2013-04-09 14:13:32 -04:00
rbd_types.h rbd: get rid of RBD_MAX_SEG_NAME_LEN 2012-12-17 08:37:29 -06:00
rbd.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-09-19 12:50:37 -05:00
smart1,2.h
sunvdc.c sunvdc: Fix off-by-one in generic_request(). 2013-02-14 11:49:01 -08:00
swim3.c block_device_operations->release() should return void 2013-05-07 02:16:21 -04:00
swim_asm.S
swim.c drivers/block/swim.c: remove unnecessary platform_set_drvdata() 2013-09-11 15:56:59 -07:00
sx8.c
umem.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
umem.h
virtio_blk.c virtio_blk: Add missing 'static' qualifiers 2013-05-20 12:09:23 +09:30
xen-blkfront.c Merge branch 'stable/for-jens-3.10' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-3.11/drivers 2013-06-28 16:01:14 +02:00
xsysace.c xilinx systemace: Fix sparse warnings 2013-07-10 07:47:12 +02:00
z2ram.c block_device_operations->release() should return void 2013-05-07 02:16:21 -04:00