[PATCH] nvme: fix NULL pointer dereference

From: Tong Zhang
Date: Wed Sep 16 2020 - 13:54:49 EST


blk_mq_tag_to_rq() can return NULL, and this condition must be checked.

[ 147.861050] BUG: KASAN: null-ptr-deref in nvme_irq+0xfc/0x410
[ 147.861326] Write of size 2 at addr 0000000000000122 by task kworker/u4:1/56
[ 147.861675]
[ 147.861756] CPU: 1 PID: 56 Comm: kworker/u4:1 Not tainted 5.9.0-rc4+ #83
[ 147.862657] Workqueue: nvme-wq nvme_scan_work
[ 147.862876] Call Trace:
[ 147.863002] <IRQ>
[ 147.863112] dump_stack+0x7d/0xb0
[ 147.863280] kasan_report.cold+0x6a/0x7e
[ 147.863478] ? nvme_irq+0xfc/0x410
[ 147.863650] nvme_irq+0xfc/0x410
[ 147.863815] ? __x64_sys_getrandom+0xb0/0xb0
[ 147.864030] ? nvme_del_cq_end+0x70/0x70
[ 147.864229] __handle_irq_event_percpu+0x69/0x280
[ 147.864465] handle_irq_event_percpu+0x6a/0xe0
[ 147.864689] ? __handle_irq_event_percpu+0x280/0x280
[ 147.864939] ? _raw_spin_lock+0x75/0xd0
[ 147.865131] ? _raw_read_lock_irq+0x30/0x30
[ 147.865345] handle_irq_event+0x57/0x86
[ 147.865537] handle_edge_irq+0xe5/0x2d0
[ 147.865732] asm_call_on_stack+0x12/0x20
[ 147.865929] </IRQ>
[ 147.866038] common_interrupt+0xad/0x110
[ 147.866236] asm_common_interrupt+0x1e/0x40
[ 147.866447] RIP: 0010:__asan_load4+0x40/0xa0
[ 147.866663] Code: 00 00 ff 48 39 f8 77 56 48 8d 47 03 48 89 c2 83 e2 07 48 83 fa 02 76 2f 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 0f b6 04 08 <84>0
[ 147.867577] RSP: 0000:ffff8880666e6d48 EFLAGS: 00000a06
[ 147.867837] RAX: 0000000000000000 RBX: ffff8880666e6e28 RCX: dffffc0000000000
[ 147.868190] RDX: 0000000000000003 RSI: ffffffffb053e44f RDI: ffff8880666e6e30
[ 147.868544] RBP: 0000000000000013 R08: ffffffffafb5ee6f R09: fffffbfff64977ad
[ 147.868897] R10: ffffffffb24bbd63 R11: fffffbfff64977ac R12: ffffffffb053e44f
[ 147.869250] R13: 0000000000000000 R14: ffff8880666d8040 R15: 0000000000000130

Signed-off-by: Tong Zhang <ztong0001@xxxxxxxxx>
---
drivers/nvme/host/pci.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 899d2f4d7ab6..725d2263a0f5 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -960,6 +960,8 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
}

req = blk_mq_tag_to_rq(nvme_queue_tagset(nvmeq), cqe->command_id);
+ if (!req)
+ return;
trace_nvme_sq(req, cqe->sq_head, nvmeq->sq_tail);
if (!nvme_try_complete_req(req, cqe->status, cqe->result))
nvme_pci_complete_rq(req);
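Review bot: the bare `return` on a NULL `req` silently drops a completion entry; a NULL from blk_mq_tag_to_rq() here means `cqe->command_id` does not map to an in-flight request in this queue's tagset, so the completion is bogus and the I/O it was meant for (if any) will only surface later as a command timeout, with nothing in the log to tie the two together. Suggest emitting a diagnostic before returning, along the lines of `dev_warn(nvmeq->dev->ctrl.device, "invalid id %d completed on queue %d\n", cqe->command_id, le16_to_cpu(nvmeq->qid));` (field names assumed to match those used elsewhere in pci.c), so that a misbehaving controller or a stale CQE is visible rather than swallowed. The check itself is correct and sits in the right place: both trace_nvme_sq() and nvme_try_complete_req() dereference `req`, which matches the KASAN report of a 2-byte write at address 0x122 from nvme_irq().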
--
2.25.1