| Message ID | 20231208071317.1268465-1-linan666@huaweicloud.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp5290867vqy;
Thu, 7 Dec 2023 23:14:46 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IEqlzMBRpQ/PCHeabO9qWTXecph4n6+Bn8T9+EwWbE6FpjXh3tDZyC96KlJAm1jhnGfAD6T
X-Received: by 2002:a17:90a:a895:b0:286:964d:c with SMTP id
h21-20020a17090aa89500b00286964d000cmr3870651pjq.86.1702019685995;
Thu, 07 Dec 2023 23:14:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702019685; cv=none;
d=google.com; s=arc-20160816;
b=h91//We5eU+eYxqQ742gh2pNhUWbmdtK3xxJmAC8+VbaO0S0b/St7U6ZXIDQLi/tHg
xsxVid2ajIxr0nt7OvcGovFaBHz6qmk0mW9AeBGBXUGdG9hHqJHTLzuNx3meqAXjz5o2
D9JviwPqJ78bmaH+6C1wX3OHRu578D9fPbrml5PHvwpniofY5mcnU7OS/ggp+kfY3kEj
QSChdC45qImjCqKIQpG9HE9c8DhNXv8cBJnxHh8V3M0Kjc7DIiioJmwNQSJYKVMW8nQZ
godCsvXUYJdX38NF5q2NcBL2bGHEBEuiX/bWXS9LXlKia4jPL/XFRurkicTIpRNwtDvb
Jv+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=defwGGaKwK/J2Hc8bxbuHiKshidNXLSm3I4l0VlvjXQ=;
fh=Y0RwOsiLNwDs4//+52Dq5dQnxwvpPccSb55qGMu2vCg=;
b=k9gBG9lBTg1dhu13DoCk7GYE5StVSySgKpHA+JKc8xLa0jAj+kNvbUFm5nYldgJCAi
O50FxCkylZeBmNHZ+oHvNwbQwf5CCEYxyEFcutN7Q2jIDA1Xsdicnw4hwVt/GZzZta0H
UCVH81KHMkDy5c6jNVX4JG1y6Pxh62MAYMrwJOxVsFinvSI9DEaHPK/t6D9VrDYblw2L
SGOZOHULEOhZEvsmhBLYabh5vootabmcB1m8vO/Ip6OTiMAcUcuS+7LGQKw/dm1OIMTA
GO7tLLIuq7lZJvigZcxqLXCEmc9vv41Ec2/IYhCECbG0RpsriGDjj/yXfkhcPJy13rmQ
uJBg==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
by mx.google.com with ESMTPS id
p17-20020a170902ead100b001d07b6a0aefsi1129994pld.214.2023.12.07.23.14.41
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 07 Dec 2023 23:14:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.37 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by snail.vger.email (Postfix) with ESMTP id 38BA280978B1;
Thu, 7 Dec 2023 23:14:41 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233024AbjLHHOb (ORCPT <rfc822;chrisfriedt@gmail.com>
+ 99 others); Fri, 8 Dec 2023 02:14:31 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35090 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229480AbjLHHO3 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 8 Dec 2023 02:14:29 -0500
Received: from dggsgout11.his.huawei.com (unknown [45.249.212.51])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8657A10EB
for <linux-kernel@vger.kernel.org>;
Thu, 7 Dec 2023 23:14:35 -0800 (PST)
Received: from mail.maildlp.com (unknown [172.19.93.142])
by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id
4Smj7Q50v7z4f3lDB
for <linux-kernel@vger.kernel.org>;
Fri, 8 Dec 2023 15:14:26 +0800 (CST)
Received: from mail02.huawei.com (unknown [10.116.40.112])
by mail.maildlp.com (Postfix) with ESMTP id 7B5311A01C8
for <linux-kernel@vger.kernel.org>;
Fri, 8 Dec 2023 15:14:31 +0800 (CST)
Received: from huaweicloud.com (unknown [10.175.104.67])
by APP1 (Coremail) with SMTP id cCh0CgDn6hBVwnJltY8_DA--.36836S4;
Fri, 08 Dec 2023 15:14:31 +0800 (CST)
From: linan666@huaweicloud.com
To: richard@nod.at, miquel.raynal@bootlin.com, vigneshr@ti.com
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
linan122@huawei.com, yukuai3@huawei.com, yi.zhang@huawei.com,
houtao1@huawei.com, yangerkun@huawei.com
Subject: [PATCH] ubi: block: fix null-pointer-dereference in ubiblock_create()
Date: Fri, 8 Dec 2023 15:13:17 +0800
Message-Id: <20231208071317.1268465-1-linan666@huaweicloud.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: cCh0CgDn6hBVwnJltY8_DA--.36836S4
X-Coremail-Antispam: 1UD129KBjvdXoWrtF1kCw4ktr1ktr4xXry8uFg_yoWfArbE9w
4aqrn3WrWxCrn3C34Yyr1fuFWYyr1jgr48uF1xKwsxZFW7XFn7Gr98WF15Wa1DAFW2ka4r
Ca10gr1ayr40vjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
9fnUUIcSsGvfJTRUUUbSkYFVCjjxCrM7AC8VAFwI0_Gr0_Xr1l1xkIjI8I6I8E6xAIw20E
Y4v20xvaj40_Wr0E3s1l1IIY67AEw4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwV
A0rcxSw2x7M28EF7xvwVC0I7IYx2IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x02
67AKxVW8Jr0_Cr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I
0E14v26rxl6s0DM2vYz4IE04k24VAvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l
5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67
AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lFIxGxcIEc7Cj
xVA2Y2ka0xkIwI1lw4CEc2x0rVAKj4xxMxkF7I0En4kS14v26r1q6r43MxAIw28IcxkI7V
AKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCj
r7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6x
IIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWUJVW8JwCI42IY6xAI
w20EY4v20xvaj40_Wr1j6rW3Jr1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aV
CY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IU1vJmUUUUUU==
X-CM-SenderInfo: polqt0awwwqx5xdzvxpfor3voofrz/
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,MAY_BE_FORGED,
RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]);
Thu, 07 Dec 2023 23:14:41 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1784696994426255625
X-GMAIL-MSGID: 1784696994426255625
|
| Series |
ubi: block: fix null-pointer-dereference in ubiblock_create()
|
|
Commit Message
Li Nan
Dec. 8, 2023, 7:13 a.m. UTC
From: Li Nan <linan122@huawei.com> If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in ubiblock_create(), but dev->gd has not been assigned yet at this time, and accessing it will trigger a null-pointer-dereference issue. Fix it by put gd directly. Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/mtd/ubi/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
在 2023/12/8 15:13, linan666@huaweicloud.com 写道: > From: Li Nan <linan122@huawei.com> > > If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in > ubiblock_create(), but dev->gd has not been assigned yet at this time, and > accessing it will trigger a null-pointer-dereference issue. Fix it by put > gd directly. Function 'put_disk()' checks disk whether is NULL, so I think it's a 'memleak' problem, not a null-ptr-deref problem. > > Signed-off-by: Li Nan <linan122@huawei.com> > --- > drivers/mtd/ubi/block.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c > index 309a42aeaa4c..654bd7372cd8 100644 > --- a/drivers/mtd/ubi/block.c > +++ b/drivers/mtd/ubi/block.c > @@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi) > list_del(&dev->list); > idr_remove(&ubiblock_minor_idr, gd->first_minor); > out_cleanup_disk: > - put_disk(dev->gd); > + put_disk(gd); For memleak solution: Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> > out_free_tags: > blk_mq_free_tag_set(&dev->tag_set); > out_free_dev:
在 2023/12/8 15:29, Zhihao Cheng 写道: > 在 2023/12/8 15:13, linan666@huaweicloud.com 写道: >> From: Li Nan <linan122@huawei.com> >> >> If idr_alloc() fails, dev->gd will be put after goto out_cleanup_disk in >> ubiblock_create(), but dev->gd has not been assigned yet at this time, >> and >> accessing it will trigger a null-pointer-dereference issue. Fix it by put >> gd directly. > Function 'put_disk()' checks disk whether is NULL, so I think it's a > 'memleak' problem, not a null-ptr-deref problem. >> Damn, I overlooked it here. Thanks for your review, I will fix the log in v2. >> Signed-off-by: Li Nan <linan122@huawei.com> >> --- >> drivers/mtd/ubi/block.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c >> index 309a42aeaa4c..654bd7372cd8 100644 >> --- a/drivers/mtd/ubi/block.c >> +++ b/drivers/mtd/ubi/block.c >> @@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi) >> list_del(&dev->list); >> idr_remove(&ubiblock_minor_idr, gd->first_minor); >> out_cleanup_disk: >> - put_disk(dev->gd); >> + put_disk(gd); > > For memleak solution: > > Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> > >> out_free_tags: >> blk_mq_free_tag_set(&dev->tag_set); >> out_free_dev: > > > .
diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 309a42aeaa4c..654bd7372cd8 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -434,7 +434,7 @@ int ubiblock_create(struct ubi_volume_info *vi) list_del(&dev->list); idr_remove(&ubiblock_minor_idr, gd->first_minor); out_cleanup_disk: - put_disk(dev->gd); + put_disk(gd); out_free_tags: blk_mq_free_tag_set(&dev->tag_set); out_free_dev: