[thirdparty/kernel/stable-queue.git] / releases / 4.4.157 / partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch

From foo@baz Mon Sep 17 12:15:09 CEST 2018
From: Mauricio Faria de Oliveira <mfo@canonical.com>
Date: Wed, 25 Jul 2018 22:46:28 -0300
Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures

From: Mauricio Faria de Oliveira <mfo@canonical.com>

[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ]

The if-block that sets a successful return value in aix_partition()
uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.

For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
initialized, but are used anyway if alloc_pvd() succeeds after it.

So, make the alloc_pvd() call conditional on their initialization.

This has been hit when attaching an apparently corrupted/stressed
AIX LUN, misleading the kernel to pr_warn() invalid data and hang.

    [...] partition (null) (11 pp's found) is not contiguous
    [...] partition (null) (2 pp's found) is not contiguous
    [...] partition (null) (3 pp's found) is not contiguous
    [...] partition (null) (64 pp's found) is not contiguous

Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/partitions/aix.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/block/partitions/aix.c
+++ b/block/partitions/aix.c
@@ -177,7 +177,7 @@ int aix_partition(struct parsed_partitio
 	u32 vgda_sector = 0;
 	u32 vgda_len = 0;
 	int numlvs = 0;
-	struct pvd *pvd;
+	struct pvd *pvd = NULL;
 	struct lv_info {
 		unsigned short pps_per_lv;
 		unsigned short pps_found;
@@ -231,10 +231,11 @@ int aix_partition(struct parsed_partitio
 				if (lvip[i].pps_per_lv)
 					foundlvs += 1;
 			}
+			/* pvd loops depend on n[].name and lvip[].pps_per_lv */
+			pvd = alloc_pvd(state, vgda_sector + 17);
 		}
 		put_dev_sector(sect);
 	}
-	pvd = alloc_pvd(state, vgda_sector + 17);
 	if (pvd) {
 		int numpps = be16_to_cpu(pvd->pp_count);
 		int psn_part1 = be32_to_cpu(pvd->psn_part1);
Commit	Line	Data
7be860c4 GKH	1	From foo@baz Mon Sep 17 12:15:09 CEST 2018
	2	From: Mauricio Faria de Oliveira <mfo@canonical.com>
	3	Date: Wed, 25 Jul 2018 22:46:28 -0300
	4	Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures
	5
	6	From: Mauricio Faria de Oliveira <mfo@canonical.com>
	7
	8	[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ]
	9
	10	The if-block that sets a successful return value in aix_partition()
	11	uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized.
	12
	13	For example, if 'numlvs' is zero or alloc_lvn() fails, neither is
	14	initialized, but are used anyway if alloc_pvd() succeeds after it.
	15
	16	So, make the alloc_pvd() call conditional on their initialization.
	17
	18	This has been hit when attaching an apparently corrupted/stressed
	19	AIX LUN, misleading the kernel to pr_warn() invalid data and hang.
	20
	21	[...] partition (null) (11 pp's found) is not contiguous
	22	[...] partition (null) (2 pp's found) is not contiguous
	23	[...] partition (null) (3 pp's found) is not contiguous
	24	[...] partition (null) (64 pp's found) is not contiguous
	25
	26	Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files")
	27	Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
	28	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	29	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	30	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	31	---
	32	block/partitions/aix.c \| 5 +++--
	33	1 file changed, 3 insertions(+), 2 deletions(-)
	34
	35	--- a/block/partitions/aix.c
	36	+++ b/block/partitions/aix.c
	37	@@ -177,7 +177,7 @@ int aix_partition(struct parsed_partitio
	38	u32 vgda_sector = 0;
	39	u32 vgda_len = 0;
	40	int numlvs = 0;
	41	- struct pvd *pvd;
	42	+ struct pvd *pvd = NULL;
	43	struct lv_info {
	44	unsigned short pps_per_lv;
	45	unsigned short pps_found;
	46	@@ -231,10 +231,11 @@ int aix_partition(struct parsed_partitio
	47	if (lvip[i].pps_per_lv)
	48	foundlvs += 1;
	49	}
	50	+ /* pvd loops depend on n[].name and lvip[].pps_per_lv */
	51	+ pvd = alloc_pvd(state, vgda_sector + 17);
	52	}
	53	put_dev_sector(sect);
	54	}
	55	- pvd = alloc_pvd(state, vgda_sector + 17);
	56	if (pvd) {
	57	int numpps = be16_to_cpu(pvd->pp_count);
	58	int psn_part1 = be32_to_cpu(pvd->psn_part1);