| From f92898e7f32e3533bfd95be174044bc349d416ca Mon Sep 17 00:00:00 2001 |
| From: Vasilis Liaskovitis <vliaskovitis@suse.com> |
| Date: Mon, 15 Oct 2018 15:25:08 +0200 |
| Subject: xen/blkfront: avoid NULL blkfront_info dereference on device removal |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Vasilis Liaskovitis <vliaskovitis@suse.com> |
| |
| commit f92898e7f32e3533bfd95be174044bc349d416ca upstream. |
| |
| If a block device is hot-added when we are out of grants, |
| gnttab_grant_foreign_access fails with -ENOSPC (log message "28 |
| granting access to ring page") in this code path: |
| |
| talk_to_blkback -> |
| setup_blkring -> |
| xenbus_grant_ring -> |
| gnttab_grant_foreign_access |
| |
| and the failing path in talk_to_blkback sets the driver_data to NULL: |
| |
| destroy_blkring: |
| blkif_free(info, 0); |
| |
| mutex_lock(&blkfront_mutex); |
| free_info(info); |
| mutex_unlock(&blkfront_mutex); |
| |
| dev_set_drvdata(&dev->dev, NULL); |
| |
| This results in a NULL pointer BUG when blkfront_remove and blkif_free |
| try to access the failing device's NULL struct blkfront_info. |
| |
| Cc: stable@vger.kernel.org # 4.5 and later |
| Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com> |
| Reviewed-by: Roger Pau Monné <roger.pau@citrix.com> |
| Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/block/xen-blkfront.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/block/xen-blkfront.c |
| +++ b/drivers/block/xen-blkfront.c |
| @@ -2524,6 +2524,9 @@ static int blkfront_remove(struct xenbus |
| |
| dev_dbg(&xbdev->dev, "%s removed", xbdev->nodename); |
| |
| + if (!info) |
| + return 0; |
| + |
| blkif_free(info, 0); |
| |
| mutex_lock(&info->mutex); |
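Review bot: the new `if (!info)` guard ahead of `blkif_free(info, 0);` carries no comment saying why the driver data can be NULL at this point. A short comment naming the talk_to_blkback failure path, which ends with `dev_set_drvdata(&dev->dev, NULL);`, would keep a later cleanup from dropping the check as dead code. Separately, in the failure path quoted in the commit message, free_info(info) runs before the driver data is cleared, so this test only protects a removal that starts after the clear. It is worth stating in the commit message whether blkfront_remove can overlap that path, since in that window info would be non-NULL but already freed.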