[thirdparty/kernel/stable-queue.git] / releases / 4.9.45 / xen-blkfront-use-a-right-index-when-checking-requests.patch

From b15bd8cb37598afb2963f7eb9e2de468d2d60a2f Mon Sep 17 00:00:00 2001
From: Munehisa Kamata <kamatam@amazon.com>
Date: Wed, 9 Aug 2017 15:31:40 -0700
Subject: xen-blkfront: use a right index when checking requests

From: Munehisa Kamata <kamatam@amazon.com>

commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream.

Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of
git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch
'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume()
has been using an index for iterating ring_info to check request when
iterating blk_shadow in an inner loop. This seems to have been
accidentally introduced during the massive rewrite of the block layer
macros in the commits.

This may cause crash like this:

[11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610
....
[11798.061063] Call Trace:
[11798.061063]  [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140
[11798.061063]  [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150
[11798.061063]  [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110
[11798.061063]  [<ffffffff813f3a08>] device_resume+0x88/0x190
[11798.061063]  [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0
[11798.061063]  [<ffffffff813f5221>] dpm_resume_end+0x11/0x20
[11798.061063]  [<ffffffff813950a8>] do_suspend+0xe8/0x1a0
[11798.061063]  [<ffffffff813954bd>] shutdown_handler+0xfd/0x130
[11798.061063]  [<ffffffff8139aba0>] ? split+0x110/0x110
[11798.061063]  [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120
[11798.061063]  [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110
[11798.061063]  [<ffffffff8108fe57>] kthread+0xd7/0xf0
[11798.061063]  [<ffffffff811da811>] ? kfree+0x121/0x170
[11798.061063]  [<ffffffff8108fd80>] ? kthread_park+0x60/0x60
[11798.061063]  [<ffffffff810863b0>] ?  call_usermodehelper_exec_work+0xb0/0xb0
[11798.061063]  [<ffffffff810864ea>] ?  call_usermodehelper_exec_async+0x13a/0x140
[11798.061063]  [<ffffffff81534a45>] ret_from_fork+0x25/0x30

Use the right index in the inner loop.

Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block")
Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
Reviewed-by: Thomas Friebel <friebelt@amazon.de>
Reviewed-by: Eduardo Valentin <eduval@amazon.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Roger Pau Monne <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/xen-blkfront.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -2112,9 +2112,9 @@ static int blkfront_resume(struct xenbus
 			/*
 			 * Get the bios in the request so we can re-queue them.
 			 */
-			if (req_op(shadow[i].request) == REQ_OP_FLUSH ||
-			    req_op(shadow[i].request) == REQ_OP_DISCARD ||
-			    req_op(shadow[i].request) == REQ_OP_SECURE_ERASE ||
+			if (req_op(shadow[j].request) == REQ_OP_FLUSH ||
+			    req_op(shadow[j].request) == REQ_OP_DISCARD ||
+			    req_op(shadow[j].request) == REQ_OP_SECURE_ERASE ||
 			    shadow[j].request->cmd_flags & REQ_FUA) {
 				/*
 				 * Flush operations don't contain bios, so
Commit	Line	Data
93c5a571 GKH	1	From b15bd8cb37598afb2963f7eb9e2de468d2d60a2f Mon Sep 17 00:00:00 2001
	2	From: Munehisa Kamata <kamatam@amazon.com>
	3	Date: Wed, 9 Aug 2017 15:31:40 -0700
	4	Subject: xen-blkfront: use a right index when checking requests
	5
	6	From: Munehisa Kamata <kamatam@amazon.com>
	7
	8	commit b15bd8cb37598afb2963f7eb9e2de468d2d60a2f upstream.
	9
	10	Since commit d05d7f40791c ("Merge branch 'for-4.8/core' of
	11	git://git.kernel.dk/linux-block") and 3fc9d690936f ("Merge branch
	12	'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume()
	13	has been using an index for iterating ring_info to check request when
	14	iterating blk_shadow in an inner loop. This seems to have been
	15	accidentally introduced during the massive rewrite of the block layer
	16	macros in the commits.
	17
	18	This may cause crash like this:
	19
	20	[11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
	21	[11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610
	22	....
	23	[11798.061063] Call Trace:
	24	[11798.061063] [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140
	25	[11798.061063] [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150
	26	[11798.061063] [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110
	27	[11798.061063] [<ffffffff813f3a08>] device_resume+0x88/0x190
	28	[11798.061063] [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0
	29	[11798.061063] [<ffffffff813f5221>] dpm_resume_end+0x11/0x20
	30	[11798.061063] [<ffffffff813950a8>] do_suspend+0xe8/0x1a0
	31	[11798.061063] [<ffffffff813954bd>] shutdown_handler+0xfd/0x130
	32	[11798.061063] [<ffffffff8139aba0>] ? split+0x110/0x110
	33	[11798.061063] [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120
	34	[11798.061063] [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110
	35	[11798.061063] [<ffffffff8108fe57>] kthread+0xd7/0xf0
	36	[11798.061063] [<ffffffff811da811>] ? kfree+0x121/0x170
	37	[11798.061063] [<ffffffff8108fd80>] ? kthread_park+0x60/0x60
	38	[11798.061063] [<ffffffff810863b0>] ? call_usermodehelper_exec_work+0xb0/0xb0
	39	[11798.061063] [<ffffffff810864ea>] ? call_usermodehelper_exec_async+0x13a/0x140
	40	[11798.061063] [<ffffffff81534a45>] ret_from_fork+0x25/0x30
	41
	42	Use the right index in the inner loop.
	43
	44	Fixes: d05d7f40791c ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block")
	45	Fixes: 3fc9d690936f ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block")
	46	Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
	47	Reviewed-by: Thomas Friebel <friebelt@amazon.de>
	48	Reviewed-by: Eduardo Valentin <eduval@amazon.com>
	49	Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	50	Cc: Juergen Gross <jgross@suse.com>
	51	Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
	52	Reviewed-by: Roger Pau Monne <roger.pau@citrix.com>
	53	Cc: xen-devel@lists.xenproject.org
	54	Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
	55	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	56
	57	---
	58	drivers/block/xen-blkfront.c \| 6 +++---
	59	1 file changed, 3 insertions(+), 3 deletions(-)
	60
	61	--- a/drivers/block/xen-blkfront.c
	62	+++ b/drivers/block/xen-blkfront.c
	63	@@ -2112,9 +2112,9 @@ static int blkfront_resume(struct xenbus
	64	/*
65	* Get the bios in the request so we can re-queue them.
66	*/
67	- if (req_op(shadow[i].request) == REQ_OP_FLUSH \|\|
68	- req_op(shadow[i].request) == REQ_OP_DISCARD \|\|
69	- req_op(shadow[i].request) == REQ_OP_SECURE_ERASE \|\|
70	+ if (req_op(shadow[j].request) == REQ_OP_FLUSH \|\|
71	+ req_op(shadow[j].request) == REQ_OP_DISCARD \|\|
72	+ req_op(shadow[j].request) == REQ_OP_SECURE_ERASE \|\|
73	shadow[j].request->cmd_flags & REQ_FUA) {
74	/*
75	* Flush operations don't contain bios, so