linux/drivers/block
Guenter Roeck 47b16820c4 xsysace: Fix error handling in ace_setup
If xace hardware reports a bad version number, the error handling code
in ace_setup() calls put_disk(), followed by queue cleanup. However, since
the disk data structure has the queue pointer set, put_disk() also
cleans and releases the queue. This results in blk_cleanup_queue()
accessing an already released data structure, which in turn may result
in a crash such as the following.

[   10.681671] BUG: Kernel NULL pointer dereference at 0x00000040
[   10.681826] Faulting instruction address: 0xc0431480
[   10.682072] Oops: Kernel access of bad area, sig: 11 [#1]
[   10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440
[   10.682387] Modules linked in:
[   10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G        W         5.0.0-rc6-next-20190218+ #2
[   10.682733] NIP:  c0431480 LR: c043147c CTR: c0422ad8
[   10.682863] REGS: cf82fbe0 TRAP: 0300   Tainted: G        W          (5.0.0-rc6-next-20190218+)
[   10.683065] MSR:  00029000 <CE,EE,ME>  CR: 22000222  XER: 00000000
[   10.683236] DEAR: 00000040 ESR: 00000000
[   10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000
[   10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000
[   10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000
[   10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800
[   10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114
[   10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114
[   10.684602] Call Trace:
[   10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable)
[   10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c
[   10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68
[   10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c
[   10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508
[   10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8
[   10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c
[   10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464
[   10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4
[   10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc
[   10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0
[   10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234
[   10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c
[   10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac
[   10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330
[   10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478
[   10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114
[   10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c
[   10.687349] Instruction dump:
[   10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008
[   10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008
[   10.688056] ---[ end trace 13c9ff51d41b9d40 ]---

Fix the problem by setting the disk queue pointer to NULL before calling
put_disk(). A more comprehensive fix might be to rearrange the code
to check the hardware version before initializing data structures,
but I don't know if this would have undesirable side effects, and
it would increase the complexity of backporting the fix to older kernels.

Fixes: 74489a91dd ("Add support for Xilinx SystemACE CompactFlash interface")
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-04-06 10:51:12 -06:00
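The ordering problem the commit describes (the disk's queue pointer hands ownership of one queue reference to put_disk(), so calling blk_cleanup_queue() afterwards touches a queue that has already been released) is easier to see in a small user-space model. The block below is an added example written for this page; it is not kernel code and not part of the xsysace driver. All names prefixed `model_` are hypothetical stand-ins for blk_mq_init_queue(), blk_put_queue(), blk_cleanup_queue() and put_disk(), and the refcount/release bookkeeping is assumed for illustration: it records a use-after-release instead of crashing, which is what the real oops above is.

```c
/* Added example, not from the kernel tree: model of the ace_setup() error
 * path. "Releasing" a queue here only decrements a counter so that a use
 * after release can be detected and reported rather than faulting. */
#include <stdbool.h>
#include <stdio.h>

enum model_result {
    MODEL_OK = 0,
    MODEL_USE_AFTER_RELEASE = 1,   /* the crash in blk_set_queue_dying() */
    MODEL_QUEUE_LEAKED = 2,        /* error path exited with a live reference */
};

struct model_queue {
    int refcount;   /* assumed: one reference owned by the driver after alloc */
    bool dying;     /* assumed: set by cleanup, as blk_set_queue_dying() does */
};

struct model_disk {
    struct model_queue *queue;   /* like gendisk->queue: set means "disk owns a ref" */
};

/* Stand-in for blk_put_queue(): drop one reference. Never goes below zero. */
static void model_put_queue(struct model_queue *q)
{
    if (q->refcount > 0)
        q->refcount--;
}

/* Stand-in for put_disk() -> disk_release(): if the disk has a queue
 * pointer it drops the queue reference it owns, then the disk is gone. */
static void model_put_disk(struct model_disk *gd)
{
    if (gd->queue)
        model_put_queue(gd->queue);
    gd->queue = NULL;
}

/* Stand-in for blk_cleanup_queue(): it dereferences the queue (sets it dying,
 * runs the hw queues) before dropping the caller's reference, so it must
 * only ever be called on a queue that is still alive. */
static enum model_result model_cleanup_queue(struct model_queue *q)
{
    if (q->refcount <= 0)
        return MODEL_USE_AFTER_RELEASE;
    q->dying = true;
    model_put_queue(q);
    return MODEL_OK;
}

/* The error path of ace_setup() after the version check has failed.
 * clear_queue_first == false reproduces the original ordering,
 * clear_queue_first == true applies the commit's fix (gd->queue = NULL
 * before put_disk()). Returns MODEL_OK when neither a use after release
 * nor a leaked reference occurred. */
enum model_result model_ace_setup_error_path(bool clear_queue_first)
{
    struct model_queue q = { .refcount = 1, .dying = false };  /* blk_mq_init_queue() */
    struct model_disk gd = { .queue = &q };                    /* ace->gd->queue = ace->queue */
    enum model_result r;

    if (clear_queue_first)
        gd.queue = NULL;          /* prevent double queue cleanup */

    model_put_disk(&gd);          /* buggy order: this already drops the last ref */
    r = model_cleanup_queue(&q);  /* ... and this then runs on a released queue */
    if (r != MODEL_OK)
        return r;
    if (q.refcount != 0 || !q.dying)
        return MODEL_QUEUE_LEAKED;
    return MODEL_OK;
}

int main(void)
{
    printf("original ordering: %d (1 = use after release)\n",
           model_ace_setup_error_path(false));
    printf("fixed ordering:    %d (0 = ok)\n",
           model_ace_setup_error_path(true));
    return 0;
}
```

The point the model makes is that a queue reference can be released by exactly one owner. Once `gd->queue` is set, put_disk() is that owner; an error path that also wants to call blk_cleanup_queue() itself has to take ownership back by clearing the pointer first, which is the one-line change the commit makes. The leak check in the fixed path shows the other side of the same rule: clearing the pointer without then cleaning up the queue yourself would leave the reference alive.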
aoe aoe: add __exit annotation 2018-12-16 09:01:38 -07:00
drbd for-4.21/block-20190102 2019-01-02 18:49:58 -08:00
mtip32xx for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
paride paride/pcd: Fix potential NULL pointer dereference and mem leak 2019-04-05 09:24:34 -06:00
rsxx pci-v4.20-changes 2018-10-25 06:50:48 -07:00
xen-blkback xen/blkback: rework connect_ring() to avoid inconsistent xenstore 'ring-page-order' set by malicious blkfront 2019-02-24 10:17:56 -05:00
zram drivers/block/zram/zram_drv.c: fix idle/writeback string compare 2019-03-29 10:01:37 -07:00
amiflop.c block/amiflop: Don't log error message on invalid ioctl 2018-12-31 10:19:11 -07:00
ataflop.c ataflop: implement mq_ops->commit_rqs() hook 2018-11-29 10:12:27 -07:00
brd.c block: brd: associate with queue until adding disk 2018-11-01 19:59:51 -06:00
cryptoloop.c block: cryptoloop: Remove VLA usage of skcipher 2018-09-28 12:46:07 +08:00
floppy.c for-5.1/block-20190302 2019-03-08 14:12:17 -08:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
loop.c loop: access lo_backing_file only when the loop device is Lo_bound 2019-03-18 08:20:53 -06:00
loop.h block/loop: Use global lock for ioctl() operation. 2018-11-08 06:30:11 -07:00
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
nbd.c nbd: propagate genlmsg_reply return code 2019-02-28 14:06:37 -07:00
null_blk_main.c null_blk: prevent crash from bad home_node value 2019-04-06 10:51:08 -06:00
null_blk_zoned.c null_blk: Add conventional zone configuration for zoned support 2018-11-07 13:41:50 -07:00
null_blk.h null_blk: add zoned config support information 2019-01-06 10:58:27 -07:00
pktcdvd.c pktcdvd: remove queue_lock around blk_queue_max_hw_sectors 2018-11-16 09:16:59 -07:00
ps3disk.c ps3disk: convert to blk-mq 2018-10-15 20:07:56 -06:00
ps3vram.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
rbd_types.h rbd: RBD_V{1,2}_DATA_FORMAT macros 2017-02-20 12:16:15 +01:00
rbd.c rbd: drop wait_for_latest_osdmap() 2019-03-20 16:27:40 +01:00
skd_main.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
skd_s1120.h skd: Use __packed only when needed 2017-08-18 08:45:29 -06:00
sunvdc.c block: sunvdc: don't run hw queue synchronously from irq context 2019-01-03 08:21:47 -07:00
swim3.c block/swim3: Fix regression on PowerBook G3 2018-12-31 10:19:19 -07:00
swim_asm.S
swim.c swim: convert to blk-mq 2018-10-16 09:49:18 -06:00
sx8.c sx8: use a per-host tag_set 2018-11-09 08:14:14 -07:00
umem.c block: remove the lock argument to blk_alloc_queue_node 2018-11-15 12:13:35 -07:00
umem.h
virtio_blk.c virtio-blk: Consider virtio_max_dma_size() for maximum segment size 2019-03-06 11:19:26 -05:00
xen-blkfront.c block: kill BLK_MQ_F_SG_MERGE 2019-02-15 08:40:12 -07:00
xsysace.c xsysace: Fix error handling in ace_setup 2019-04-06 10:51:12 -06:00
z2ram.c powerpc updates for 4.20 2018-10-26 14:36:21 -07:00