From patchwork Tue Jan  2 19:39:48 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bart Van Assche <bart.vanassche@wdc.com>
X-Patchwork-Id: 10141269
Return-Path: <linux-block-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	58CE86035E for <patchwork-linux-block@patchwork.kernel.org>;
	Tue,  2 Jan 2018 19:40:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 48D6528DEA
	for <patchwork-linux-block@patchwork.kernel.org>;
	Tue,  2 Jan 2018 19:40:18 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3D0E128E06; Tue,  2 Jan 2018 19:40:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AA7B728DEA
	for <patchwork-linux-block@patchwork.kernel.org>;
	Tue,  2 Jan 2018 19:40:17 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751428AbeABTkQ (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Tue, 2 Jan 2018 14:40:16 -0500
Received: from esa6.hgst.iphmx.com ([216.71.154.45]:18571 "EHLO
	esa6.hgst.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751127AbeABTkQ (ORCPT
	<rfc822; linux-block@vger.kernel.org>); Tue, 2 Jan 2018 14:40:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
	d=wdc.com; i=@wdc.com; q=dns/txt; s=dkim.wdc.com;
	t=1514922016; x=1546458016;
	h=from:to:cc:subject:date:message-id:in-reply-to: references;
	bh=A71qVBnuTUmj4fhynD0+tikiuz4yELYybg7k9zRczIo=;
	b=mwlmOrRwQor4K0+iVlE1OvHgfZawLu3TPEnljQUAoxv9UlKyG9kgoN0w
	bDs8WqSK/30wNE3Su9z6b4A+W05aR9lDC29IvnZd17GGgKP+ZyDY82Z+M
	vaiCycoErIPtvw1XSSnV29hgofBJGh37L7ltEQnvq+iRcv16OiqWM3zA9
	sIyA3vD0uh0RSj+W0VfLH4ybcjh2rlZA8XS7w4BdiOuUvAvm+PChQ/pro
	dS22eAUbULdwP52kHHHHOzBMY30AarCPYYBIqYm4YSQLO6ncAn89PVtQ3
	bTPUxvI1MF95FKDZzS3qTdFtKFHLPhGsxw5XkP7MwRbFJg3QnTkSAatzL
	Q==;
X-IronPort-AV: E=Sophos;i="5.45,498,1508774400"; d="scan'208";a="67991994"
Received: from h199-255-45-15.hgst.com (HELO uls-op-cesaep02.wdc.com)
	([199.255.45.15])
	by ob1.hgst.iphmx.com with ESMTP; 03 Jan 2018 03:40:16 +0800
Received: from uls-op-cesaip02.wdc.com ([10.248.3.37])
	by uls-op-cesaep02.wdc.com with ESMTP; 02 Jan 2018 11:36:04 -0800
Received: from thinkpad-bart.sdcorp.global.sandisk.com (HELO
	thinkpad-bart.int.fusionio.com) ([10.11.171.236])
	by uls-op-cesaip02.wdc.com with ESMTP; 02 Jan 2018 11:40:14 -0800
From: Bart Van Assche <bart.vanassche@wdc.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
	Bart Van Assche <bart.vanassche@wdc.com>,
	"Maciej S . Szmigiero" <mail@maciej.szmigiero.name>,
	stable@vger.kernel.org
Subject: [PATCH 2/2] pktcdvd: Fix a recently introduced NULL pointer
	dereference
Date: Tue,  2 Jan 2018 11:39:48 -0800
Message-Id: <20180102193948.22656-3-bart.vanassche@wdc.com>
X-Mailer: git-send-email 2.15.1
In-Reply-To: <20180102193948.22656-1-bart.vanassche@wdc.com>
References: <20180102193948.22656-1-bart.vanassche@wdc.com>
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Call bdev_get_queue(bdev) after bdev->bd_disk has been initialized
instead of just before that pointer has been initialized. This patch
avoids that the following command

pktsetup 1 /dev/sr0

triggers the following kernel crash:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000548
IP: pkt_setup_dev+0x2db/0x670 [pktcdvd]
CPU: 2 PID: 724 Comm: pktsetup Not tainted 4.15.0-rc4-dbg+ #1
Call Trace:
 pkt_ctl_ioctl+0xce/0x1c0 [pktcdvd]
 do_vfs_ioctl+0x8e/0x670
 SyS_ioctl+0x3c/0x70
 entry_SYSCALL_64_fastpath+0x23/0x9a

Reported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: commit ca18d6f769d2 ("block: Make most scsi_req_init() calls implicit")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Tested-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Cc: <stable@vger.kernel.org> # v4.13
---
 drivers/block/pktcdvd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index 2659b2534073..531a0915066b 100644
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2579,14 +2579,14 @@ static int pkt_new_dev(struct pktcdvd_device *pd, dev_t dev)
 	bdev = bdget(dev);
 	if (!bdev)
 		return -ENOMEM;
+	ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
+	if (ret)
+		return ret;
 	if (!blk_queue_scsi_passthrough(bdev_get_queue(bdev))) {
 		WARN_ONCE(true, "Attempt to register a non-SCSI queue\n");
-		bdput(bdev);
+		blkdev_put(bdev, FMODE_READ | FMODE_NDELAY);
 		return -EINVAL;
 	}
-	ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL);
-	if (ret)
-		return ret;
 
 	/* This is safe, since we have a reference from open(). */
 	__module_get(THIS_MODULE);