From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Michal Simek, Guenter Roeck, Jens Axboe, "Sasha Levin (Microsoft)"
Subject: [PATCH 5.0 079/122] xsysace: Fix error handling in ace_setup
Date: Mon, 6 May 2019 16:32:17 +0200
Message-Id: <20190506143101.923401474@linuxfoundation.org>
In-Reply-To: <20190506143054.670334917@linuxfoundation.org>
References: <20190506143054.670334917@linuxfoundation.org>

[ Upstream commit 47b16820c490149c2923e8474048f2c6e7557cab ]

If xace hardware reports a bad version number, the error handling code
in ace_setup() calls put_disk(), followed by queue cleanup. However, since
the disk data structure has the queue pointer set, put_disk() also
cleans and releases the queue. This results in blk_cleanup_queue()
accessing an already released data structure, which in turn may result
in a crash such as the following.

[ 10.681671] BUG: Kernel NULL pointer dereference at 0x00000040
[ 10.681826] Faulting instruction address: 0xc0431480
[ 10.682072] Oops: Kernel access of bad area, sig: 11 [#1]
[ 10.682251] BE PAGE_SIZE=4K PREEMPT Xilinx Virtex440
[ 10.682387] Modules linked in:
[ 10.682528] CPU: 0 PID: 1 Comm: swapper Tainted: G W 5.0.0-rc6-next-20190218+ #2
[ 10.682733] NIP: c0431480 LR: c043147c CTR: c0422ad8
[ 10.682863] REGS: cf82fbe0 TRAP: 0300 Tainted: G W (5.0.0-rc6-next-20190218+)
[ 10.683065] MSR: 00029000 CR: 22000222 XER: 00000000
[ 10.683236] DEAR: 00000040 ESR: 00000000
[ 10.683236] GPR00: c043147c cf82fc90 cf82ccc0 00000000 00000000 00000000 00000002 00000000
[ 10.683236] GPR08: 00000000 00000000 c04310bc 00000000 22000222 00000000 c0002c54 00000000
[ 10.683236] GPR16: 00000000 00000001 c09aa39c c09021b0 c09021dc 00000007 c0a68c08 00000000
[ 10.683236] GPR24: 00000001 ced6d400 ced6dcf0 c0815d9c 00000000 00000000 00000000 cedf0800
[ 10.684331] NIP [c0431480] blk_mq_run_hw_queue+0x28/0x114
[ 10.684473] LR [c043147c] blk_mq_run_hw_queue+0x24/0x114
[ 10.684602] Call Trace:
[ 10.684671] [cf82fc90] [c043147c] blk_mq_run_hw_queue+0x24/0x114 (unreliable)
[ 10.684854] [cf82fcc0] [c04315bc] blk_mq_run_hw_queues+0x50/0x7c
[ 10.685002] [cf82fce0] [c0422b24] blk_set_queue_dying+0x30/0x68
[ 10.685154] [cf82fcf0] [c0423ec0] blk_cleanup_queue+0x34/0x14c
[ 10.685306] [cf82fd10] [c054d73c] ace_probe+0x3dc/0x508
[ 10.685445] [cf82fd50] [c052d740] platform_drv_probe+0x4c/0xb8
[ 10.685592] [cf82fd70] [c052abb0] really_probe+0x20c/0x32c
[ 10.685728] [cf82fda0] [c052ae58] driver_probe_device+0x68/0x464
[ 10.685877] [cf82fdc0] [c052b500] device_driver_attach+0xb4/0xe4
[ 10.686024] [cf82fde0] [c052b5dc] __driver_attach+0xac/0xfc
[ 10.686161] [cf82fe00] [c0528428] bus_for_each_dev+0x80/0xc0
[ 10.686314] [cf82fe30] [c0529b3c] bus_add_driver+0x144/0x234
[ 10.686457] [cf82fe50] [c052c46c] driver_register+0x88/0x15c
[ 10.686610] [cf82fe60] [c09de288] ace_init+0x4c/0xac
[ 10.686742] [cf82fe80] [c0002730] do_one_initcall+0xac/0x330
[ 10.686888] [cf82fee0] [c09aafd0] kernel_init_freeable+0x34c/0x478
[ 10.687043] [cf82ff30] [c0002c6c] kernel_init+0x18/0x114
[ 10.687188] [cf82ff40] [c000f2f0] ret_from_kernel_thread+0x14/0x1c
[ 10.687349] Instruction dump:
[ 10.687435] 3863ffd4 4bfffd70 9421ffd0 7c0802a6 93c10028 7c9e2378 93e1002c 38810008
[ 10.687637] 7c7f1b78 90010034 4bfffc25 813f008c <81290040> 75290100 4182002c 80810008
[ 10.688056] ---[ end trace 13c9ff51d41b9d40 ]---

Fix the problem by setting the disk queue pointer to NULL before calling
put_disk(). A more comprehensive fix might be to rearrange the code
to check the hardware version before initializing data structures,
but I don't know if this would have undesirable side effects, and
it would increase the complexity of backporting the fix to older kernels.

Fixes: 74489a91dd43a ("Add support for Xilinx SystemACE CompactFlash interface")
Acked-by: Michal Simek
Signed-off-by: Guenter Roeck
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin (Microsoft)
--- drivers/block/xsysace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c index 87ccef4bd69e..32a21b8d1d85 100644 --- a/drivers/block/xsysace.c +++ b/drivers/block/xsysace.c @@ -1090,6 +1090,8 @@ static int ace_setup(struct ace_device *ace) return 0; err_read: + /* prevent double queue cleanup */ + ace->gd->queue = NULL; put_disk(ace->gd); err_alloc_disk: blk_cleanup_queue(ace->queue); -- 2.20.1
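
Review bot: the comment added under err_read, "prevent double queue cleanup", does not say which two calls would otherwise both clean up the queue, so a later reader cannot tell why clearing ace->gd->queue is safe. Consider spelling it out, for example that put_disk() releases gd->queue when it is set and that blk_cleanup_queue(ace->queue) under err_alloc_disk is meant to be the only cleanup. The fix also relies on err_read falling through into err_alloc_disk: ace->queue still holds the pointer that was just detached from the disk, so if these labels are ever reordered or err_read gains its own return, the queue would no longer be cleaned up at all. A short note on that dependency next to the assignment would make the single-owner rule explicit.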