[4.2.y-ckt stable] Patch "SCSI: Fix NULL pointer dereference in runtime PM" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Jan 15 20:12:19 UTC 2016 

This is a note to let you know that I have just added a patch titled

    SCSI: Fix NULL pointer dereference in runtime PM

to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue

This patch is scheduled to be released in version 4.2.8-ckt2.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 4.2.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

---8<------------------------------------------------------------

>From b18daf129c3ed7d0992fcf55fe3d0eadf4f898ee Mon Sep 17 00:00:00 2001
From: Ken Xue <ken.xue at amd.com>
Date: Tue, 1 Dec 2015 14:45:46 +0800
Subject: SCSI: Fix NULL pointer dereference in runtime PM

commit 4fd41a8552afc01054d9d9fc7f1a63c324867d27 upstream.

The routines in scsi_pm.c assume that if a runtime-PM callback is
invoked for a SCSI device, it can only mean that the device's driver
has asked the block layer to handle the runtime power management (by
calling blk_pm_runtime_init(), which among other things sets q->dev).

However, this assumption turns out to be wrong for things like the ses
driver.  Normally ses devices are not allowed to do runtime PM, but
userspace can override this setting.  If this happens, the kernel gets
a NULL pointer dereference when blk_post_runtime_resume() tries to use
the uninitialized q->dev pointer.

This patch fixes the problem by checking q->dev in block layer before
handle runtime PM. Since ses doesn't define any PM callbacks and call
blk_pm_runtime_init(), the crash won't occur.

This fixes Bugzilla #101371.
https://bugzilla.kernel.org/show_bug.cgi?id=101371

More discussion can be found from below link.
http://marc.info/?l=linux-scsi&m=144163730531875&w=2

Signed-off-by: Ken Xue <Ken.Xue at amd.com>
Acked-by: Alan Stern <stern at rowland.harvard.edu>
Cc: Xiangliang Yu <Xiangliang.Yu at amd.com>
Cc: James E.J. Bottomley <JBottomley at odin.com>
Cc: Jens Axboe <axboe at kernel.dk>
Cc: Michael Terry <Michael.terry at canonical.com>
Signed-off-by: Jens Axboe <axboe at fb.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 block/blk-core.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/block/blk-core.c b/block/blk-core.c
index 56c08e1..4a9b995 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -3273,6 +3273,9 @@ int blk_pre_runtime_suspend(struct request_queue *q)
 {
 	int ret = 0;

+	if (!q->dev)
+		return ret;
+
 	spin_lock_irq(q->queue_lock);
 	if (q->nr_pending) {
 		ret = -EBUSY;
@@ -3300,6 +3303,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend);
  */
 void blk_post_runtime_suspend(struct request_queue *q, int err)
 {
+	if (!q->dev)
+		return;
+
 	spin_lock_irq(q->queue_lock);
 	if (!err) {
 		q->rpm_status = RPM_SUSPENDED;
@@ -3324,6 +3330,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend);
  */
 void blk_pre_runtime_resume(struct request_queue *q)
 {
+	if (!q->dev)
+		return;
+
 	spin_lock_irq(q->queue_lock);
 	q->rpm_status = RPM_RESUMING;
 	spin_unlock_irq(q->queue_lock);
@@ -3346,6 +3355,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume);
  */
 void blk_post_runtime_resume(struct request_queue *q, int err)
 {
+	if (!q->dev)
+		return;
+
 	spin_lock_irq(q->queue_lock);
 	if (!err) {
 		q->rpm_status = RPM_ACTIVE;
--
1.9.1

More information about the kernel-team mailing list