Re: [PATCH] paride/pcd: Fix potential NULL pointer dereference and mem leak

From: Jens Axboe
Date: Fri Apr 05 2019 - 11:25:06 EST

On 4/4/19 8:14 PM, Yue Haibing wrote:
> From: YueHaibing <yuehaibing@xxxxxxxxxx>
>
> Syzkaller report this:
>
> pcd: pcd version 1.07, major 46, nice 0
> pcd0: Autoprobe failed
> pcd: No CD-ROM drive found
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 1 PID: 4525 Comm: syz-executor.0 Not tainted 5.1.0-rc3+ #8
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> RIP: 0010:pcd_init+0x95c/0x1000 [pcd]
> Code: c4 ab f7 48 89 d8 48 c1 e8 03 80 3c 28 00 74 08 48 89 df e8 56 a3 da f7 4c 8b 23 49 8d bc 24 80 05 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 74 05 e8 39 a3 da f7 49 8b bc 24 80 05 00 00 e8 cc b2
> RSP: 0018:ffff8881e84df880 EFLAGS: 00010202
> RAX: 00000000000000b0 RBX: ffffffffc155a088 RCX: ffffffffc1508935
> RDX: 0000000000040000 RSI: ffffc900014f0000 RDI: 0000000000000580
> RBP: dffffc0000000000 R08: ffffed103ee658b8 R09: ffffed103ee658b8
> R10: 0000000000000001 R11: ffffed103ee658b7 R12: 0000000000000000
> R13: ffffffffc155a778 R14: ffffffffc155a4a8 R15: 0000000000000003
> FS: 00007fe71bee3700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055a7334441a8 CR3: 00000001e9674003 CR4: 00000000007606e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> ? 0xffffffffc1508000
> ? 0xffffffffc1508000
> do_one_initcall+0xbc/0x47d init/main.c:901
> do_init_module+0x1b5/0x547 kernel/module.c:3456
> load_module+0x6405/0x8c10 kernel/module.c:3804
> __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
> do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x462e99
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fe71bee2c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
> RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
> RBP: 00007fe71bee2c70 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe71bee36bc
> R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
> Modules linked in: pcd(+) paride solos_pci atm ts_fsm rtc_mt6397 mac80211 nhc_mobility nhc_udp nhc_ipv6 nhc_hop nhc_dest nhc_fragment nhc_routing 6lowpan rtc_cros_ec memconsole intel_xhci_usb_role_switch roles rtc_wm8350 usbcore industrialio_triggered_buffer kfifo_buf industrialio asc7621 dm_era dm_persistent_data dm_bufio dm_mod tpm gnss_ubx gnss_serial serdev gnss max2165 cpufreq_dt hid_penmount hid menf21bmc_wdt rc_core n_tracesink ide_gd_mod cdns_csi2tx v4l2_fwnode videodev media pinctrl_lewisburg pinctrl_intel iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd
> ide_pci_generic piix input_leds cryptd glue_helper psmouse ide_core intel_agp serio_raw intel_gtt ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: bmc150_magn]
> Dumping ftrace buffer:
> (ftrace buffer empty)
> ---[ end trace d873691c3cd69f56 ]---
>
> If alloc_disk fails in pcd_init_units, cd->disk will be
> NULL, however in pcd_detect and pcd_exit, it's not check
> this before free.It may result a NULL pointer dereference.
>
> Also when register_blkdev failed, blk_cleanup_queue() and
> blk_mq_free_tag_set() should be called to free resources.

Applied, thanks. Not surprising since pf was broken as well.

--
Jens Axboe