Date: Fri, 24 Mar 2006 20:28:00 -0800
From: Greg KH
To: linux-kernel@vger.kernel.org, stable@kernel.org, torvalds@osdl.org
Cc: Justin Forbes, Zwane Mwaikambo, "Theodore Ts'o", Randy Dunlap, Dave Jones, Chuck Wolber, akpm@osdl.org, alan@lxorguk.ukuu.org.uk, kaber@trash.net, mike.miller@hp.com, Chris Wright, Greg Kroah-Hartman
Subject: [patch 19/20] cciss: fix use-after-free in cciss_init_one
Message-ID: <20060325042800.GT21260@kroah.com>
References: <20060325041355.180237000@quad.kroah.org>
In-Reply-To: <20060325042556.GA21260@kroah.com>
Content-Disposition: inline; filename="cciss-fix-use-after-free-in-cciss_init_one.patch"

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Patrick McHardy

free_hba() sets hba[i] to NULL; the dereference afterwards results in this crash. Setting busy_initializing to 0 actually looks unnecessary, but I'm not entirely sure, which is why I left it in.

cciss: controller appears to be disabled
Unable to handle kernel NULL pointer dereference at virtual address 00000370
printing eip:
c1114d53
*pde = 00000000
Oops: 0002 [#1]
Modules linked in:
CPU:    0
EIP:    0060:[]    Not tainted VLI
EFLAGS: 00010286   (2.6.16 #1)
EIP is at cciss_init_one+0x4e9/0x4fe
eax: 00000000   ebx: c132cd60   ecx: c13154e4   edx: c27d3c00
esi: 00000000   edi: c2748800   ebp: c2536ee4   esp: c2536eb8
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 1, threadinfo=c2536000 task=c2535a30)
Stack: <0>00000000 00000000 00000000 c13fdba0 c2536ee8 c13159c0 c2536f38 f7c74740
       c132cd60 c132cd60 ffffffed c2536ef0 c10c1d51 c2748800 c2536f04 c10c1d85
       c132cd60 c2748800 c132cd8c c2536f14 c10c1db8 c2748848 00000000 c2536f28
Call Trace:
 [] show_stack_log_lvl+0xa8/0xb0
 [] show_registers+0x102/0x16a
 [] die+0xc1/0x13c
 [] do_page_fault+0x38a/0x525
 [] error_code+0x4f/0x54
 [] pci_call_probe+0xd/0x10
 [] __pci_device_probe+0x31/0x43
 [] pci_device_probe+0x21/0x34
 [] driver_probe_device+0x44/0x99
 [] __driver_attach+0x39/0x5d
 [] bus_for_each_dev+0x35/0x5a
 [] driver_attach+0x14/0x16
 [] bus_add_driver+0x5c/0x8f
 [] driver_register+0x73/0x78
 [] __pci_register_driver+0x5f/0x71
 [] cciss_init+0x1a/0x1c
 [] do_initcalls+0x4c/0x96
 [] do_basic_setup+0x1c/0x1e
 [] init+0x35/0x118
 [] kernel_thread_helper+0x5/0xb
Code: 04 b5 e0 de 40 c1 8d 50 04 8b 40 34 e8 3f b7 f9 ff 8b 04 b5 e0 de 40 c1 e8 aa f3 ff ff 89 f0 e8 e8 fa ff ff 8b 04 b5 e0 de 40 c1 80 70 03 00 00 00 00 00 00 83 c8 ff 8d 65 f4 5b 5e 5f 5d c3
<0>Kernel panic - not syncing: Attempted to kill init!

Signed-off-by: Patrick McHardy
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Chris Wright
Signed-off-by: Greg Kroah-Hartman
---
 drivers/block/cciss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.16.orig/drivers/block/cciss.c +++ linux-2.6.16/drivers/block/cciss.c @@ -3269,8 +3269,8 @@ clean2: unregister_blkdev(hba[i]->major, hba[i]->devname); clean1: release_io_mem(hba[i]); - free_hba(i); hba[i]->busy_initializing = 0; + free_hba(i); return(-1); }
--
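Review bot: the reorder is the right fix, but the "hba[i]->busy_initializing = 0;" store that now sits directly above "free_hba(i);" in the clean1 path looks dead, as the commit message itself suspects: free_hba() releases the controller structure and clears the hba[i] slot, so nothing can observe the cleared flag afterwards, and a bare store immediately before a free is exactly the line a later cleanup is tempted to move back below it. For -stable the minimal reorder is appropriate; please add a one-line comment on the free_hba() call saying it must stay last because it NULLs hba[i], and consider dropping the assignment in a mainline follow-up once it is confirmed unnecessary. The oops matches the described bug: eax is 00000000, the fault is a write (Oops: 0002) at address 00000370, which is what a store to a field of a NULL hba[i] produces.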