On 31.05.2017 23:43, Bart Van Assche wrote: > Since the pktcdvd driver only supports request queues for which > struct scsi_request is the first member of their private request > data, refuse to register block layer queues for which struct > scsi_request is not the first member of the private data. > > References: commit 82ed4db499b8 ("block: split scsi_request out of struct request") > Signed-off-by: Bart Van Assche <bart.vanassche@xxxxxxxxxxx> > Reviewed-by: Hannes Reinecke <hare@xxxxxxxx> > Reviewed-by: Christoph Hellwig <hch@xxxxxx> > Cc: Omar Sandoval <osandov@xxxxxx> > --- > drivers/block/pktcdvd.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c > index 205b865ebeb9..42e3c880a8a5 100644 > --- a/drivers/block/pktcdvd.c > +++ b/drivers/block/pktcdvd.c > @@ -2583,6 +2583,11 @@ static int pkt_new_dev(struct pktcdvd_device *pd, dev_t dev) > bdev = bdget(dev); > if (!bdev) > return -ENOMEM; > + if (!blk_queue_scsi_passthrough(bdev_get_queue(bdev))) { > + WARN_ONCE(true, "Attempt to register a non-SCSI queue\n"); > + bdput(bdev); > + return -EINVAL; > + } > ret = blkdev_get(bdev, FMODE_READ | FMODE_NDELAY, NULL); > if (ret) > return ret; > This commit causes a NULL pointer dereference when adding a pktcdvd mapping. Reproducing it is simple: # pktsetup 1 /dev/cdrom Specifically, the NULL dereference happens inside bdev_get_queue(bdev), which is supposed to return bdev->bd_disk->queue, but in this case bdev->bd_disk is NULL. If I revert this commit the mapping is added correctly (tested on 4.14.10, but there haven't been any changes to pktcdvd.c and bdev_get_queue() in 4.15-rc5). Maciej
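Review bot: the new check in pkt_new_dev() calls bdev_get_queue(bdev) directly after bdget(dev) and before blkdev_get() has opened the device, and no line between bdget() and the check tests that bdev->bd_disk is set. The report above shows that pointer is NULL at this point, so the check itself faults. Move the `if (!blk_queue_scsi_passthrough(bdev_get_queue(bdev)))` test to after blkdev_get() has returned 0, and on the rejection path release the device with blkdev_put() using the same mode (FMODE_READ | FMODE_NDELAY) rather than bdput(), since the device is open by then. Separately, this path is reached from an administrator action (`pktsetup 1 /dev/cdrom`), so WARN_ONCE(true, ...) will dump a stack trace for what is a rejected configuration request; a plain pr_err() or similar log message with -EINVAL would report the same condition without treating it as a kernel bug.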