Message-ID: <lsq.1487198500.217113025@decadent.org.uk>
Date:   Wed, 15 Feb 2017 22:41:40 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "Scott Bauer" <scott.bauer@...el.com>,
        "Jens Axboe" <axboe@...com>, "Sagi Grimberg" <sagi@...mbeg.me>,
        "Keith Busch" <keith.busch@...el.com>,
        "Christoph Hellwig" <hch@....de>
Subject: [PATCH 3.16 237/306] nvme/pci: Don't free queues on error

3.16.40-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keith Busch <keith.busch@...el.com>

commit d48756228ee9161ac8836b346589a43fabdc9f3c upstream.

The nvme_remove function tears down all allocated resources in the correct
order, so no need to free queues on error during initialization. This
fixes possible use-after-free errors when queues are still associated
with a blk-mq hctx.

Reported-by: Scott Bauer <scott.bauer@...el.com>
Tested-by: Scott Bauer <scott.bauer@...el.com>
Signed-off-by: Keith Busch <keith.busch@...el.com>
Reviewed-by: Sagi Grimberg <sagi@...mbeg.me>
Reviewed-by: Christoph Hellwig <hch@....de>
Signed-off-by: Jens Axboe <axboe@...com>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - Only nvme_setup_io_queues() needs to be fixed]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
--- a/drivers/block/nvme-core.c
+++ b/drivers/block/nvme-core.c
@@ -2196,7 +2196,7 @@ static int nvme_setup_io_queues(struct n
 	result = queue_request_irq(dev, adminq, adminq->irqname);
 	if (result) {
 		adminq->q_suspended = 1;
-		goto free_queues;
+		return result;
 	}
 
 	/* Free previously allocated queues that are no longer usable */
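Review bot: the `return result;` that replaces `goto free_queues;` after a failed `queue_request_irq()` leaves the admin queue allocated with `q_suspended = 1`, so correctness now depends on the caller's error handling reaching the teardown that the commit message attributes to nvme_remove. The backport note says only nvme_setup_io_queues() needed the change; please state in the changelog which 3.16 path frees the queues when this function fails, or add a short comment at this return saying the queues are deliberately left for that teardown.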
@@ -2204,10 +2204,6 @@ static int nvme_setup_io_queues(struct n
 	nvme_assign_io_queues(dev);
 
 	return 0;
-
- free_queues:
-	nvme_free_queues(dev, 1);
-	return result;
 }
 
 /*
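Review bot: dropping the `free_queues:` label and the `nvme_free_queues(dev, 1)` call at the end of nvme_setup_io_queues() is only safe if no other `goto free_queues` remains in the 3.16 version of the function; this patch converts a single jump, so please confirm it was the only one. With the call gone, nothing in this function releases the queues on failure, so unless the later teardown covers them the use-after-free fix would turn into a leak; one sentence in the backport note confirming that the 3.16 teardown handles this case would settle it.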
