Re: [PATCH] st: fix corruption of the st_modedef structures in st_set_options()

"Kai Mäkisara (Kolumbus)" <kai.makisara@xxxxxxxxxxx> · Wed, 12 Feb 2014 22:45:51 +0200

On 11.2.2014, at 23.22, Maurizio Lombardi <mlombard@xxxxxxxxxx> wrote:

> When copying the st_modedef structures the devs pointers must be preserved
> in the same way as with the cdevs pointers.
> 
> This fixes bug 70271: https://bugzilla.kernel.org/show_bug.cgi?id=70271
> 
> [  135.037052] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
> [  135.045048] IP: [<ffffffff812af6a1>] kernfs_find_ns+0x21/0x150
> [  135.050999] PGD 220623067 PUD 222171067 PMD 0
...
> [  135.357859] Code: ff eb e3 0f 1f 80 00 00 00 00 55 48 89 e5 48 83 ec 30 48 89 5d d8 4c 89 65 e0 4c 89 6d e8 4c 89 75 f0 4c 89 7d f8 66 66 66 66 90 <44> 0f b7 bf 98 00 00 00 8b 05 71 6d 87 00 48 89 fb 49 89 f4 49
> [  135.378282] RIP  [<ffffffff812af6a1>] kernfs_find_ns+0x21/0x150
> [  135.384355]  RSP <ffff8802206e5c98>
> [  135.387881] CR2: 0000000000000098
> [  135.391298] ---[ end trace 1968409221ddb3c8 ]---
> 
> Signed-off-by: Maurizio Lombardi <mlombard@xxxxxxxxxx>

Acked-by: Kai Mäkisara <kai.makisara@xxxxxxxxxxx>

> ---
> drivers/scsi/st.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
> index a1d6986..afc834e 100644
> --- a/drivers/scsi/st.c
> +++ b/drivers/scsi/st.c
> @@ -2198,12 +2198,19 @@ static int st_set_options(struct scsi_tape *STp, long options)
> 	struct st_modedef *STm;
> 	char *name = tape_name(STp);
> 	struct cdev *cd0, *cd1;
> +	struct device *d0, *d1;
> 
> 	STm = &(STp->modes[STp->current_mode]);
> 	if (!STm->defined) {
> -		cd0 = STm->cdevs[0]; cd1 = STm->cdevs[1];
> +		cd0 = STm->cdevs[0];
> +		cd1 = STm->cdevs[1];
> +		d0  = STm->devs[0];
> +		d1  = STm->devs[1];
> 		memcpy(STm, &(STp->modes[0]), sizeof(struct st_modedef));
> -		STm->cdevs[0] = cd0; STm->cdevs[1] = cd1;
> +		STm->cdevs[0] = cd0;
> +		STm->cdevs[1] = cd1;
> +		STm->devs[0]  = d0;
> +		STm->devs[1]  = d1;
> 		modes_defined = 1;
>                 DEBC(printk(ST_DEB_MSG
>                             "%s: Initialized mode %d definition from mode 0\n",
> -- 
> Maurizio Lombardi

Thanks,
Kai

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html