[Devel,RHEL7,COMMIT] fs/block_dev: fix NULL ptr deref in freeze_bdev()

Submitted by Konstantin Khorenko on Aug. 20, 2016, 9:36 a.m.

Details

Message ID 201608200936.u7K9aOb1000851@finist_cl7.x64_64.work.ct
State New
Series "ploop: add support for dm-crypted ploops"

Commit Message

Konstantin Khorenko Aug. 20, 2016, 9:36 a.m.
The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.28.2.vz7.17.2
------>
commit f61336fc4ae681ede82ea8f6243473f74c4ef9a3
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Sat Aug 20 13:36:24 2016 +0400

    fs/block_dev: fix NULL ptr deref in freeze_bdev()
    
    freeze_bdev() called twice on the same block device without
    mounted filesystem will lead to NULL-ptr deref:
    
     BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
     IP: [<ffffffff810b1729>] up_read+0x29/0x40
    
     Call Trace:
      [<ffffffff8121d2b6>] drop_super+0x16/0x30
      [<ffffffff8125942b>] freeze_bdev+0x4b/0xd0
      [<ffffffff815236db>] __dm_suspend+0xeb/0x220
      [<ffffffff8152bfa0>] ? table_load+0x390/0x390
      [<ffffffff81526aca>] dm_suspend+0xda/0x100
      [<ffffffff810b171f>] ? up_read+0x1f/0x40
      [<ffffffff8152c130>] dev_suspend+0x190/0x250
      [<ffffffff8152ca17>] ctl_ioctl+0x247/0x520
      [<ffffffff8152cd03>] dm_ctl_ioctl+0x13/0x20
      [<ffffffff8122f11e>] do_vfs_ioctl+0x27e/0x550
      [<ffffffff8122f444>] SyS_ioctl+0x54/0xa0
      [<ffffffff816bda09>] system_call_fastpath+0x16/0x1b
    
    Check get_super() result to fix that.
    
    https://jira.sw.ru/browse/PSBM-50858
    
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Acked-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
---
 fs/block_dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 4575c62..325ee71 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -227,7 +227,8 @@  struct super_block *freeze_bdev(struct block_device *bdev)
 		 * thaw_bdev drops it.
 		 */
 		sb = get_super(bdev);
-		drop_super(sb);
+		if (sb)
+			drop_super(sb);
 		mutex_unlock(&bdev->bd_fsfreeze_mutex);
 		return sb;
 	}
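
Review bot: The new `if (sb)` guard handles a NULL result from get_super() but does not say when that happens, and `return sb;` two lines below still hands that NULL back to the caller. The existing comment above the call only mentions that thaw_bdev drops the reference, so a one-line addition there stating that get_super() returns NULL when no filesystem is mounted on bdev (the case from the commit message) would keep the guard from looking like defensive noise. It is also worth confirming in the commit message that the callers reaching this branch, such as __dm_suspend in the trace, treat a NULL return as "no superblock" rather than as a failure.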