The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.4.10 ------> commit b60174a217555f4bf9d0c37616fba4a4cb8561dd Author: Kirill Tkhai <ktk...@odin.com> Date: Wed May 6 18:14:24 2015 +0400
ve/tty: Prevent iteration with NULL dev in device_destroy_namespace() We must check class_find_device() return value before we call namespace method. Otherwise, we may pass NULL as device in ve_namespace like in below: [ 4.455518] BUG: unable to handle kernel NULL pointer dereference at 0000000000000278 [ 4.456336] IP: [<ffffffff81233caa>] ve_namespace+0xa/0x40 [ 4.456336] PGD 0 [ 4.456336] Oops: 0000 [#1] SMP [ 4.456336] Modules linked in: [ 4.456336] CPU: 1 PID: 1 Comm: swapper/0 ve: 0 Not tainted 3.10.0-123.1.2.el7.ovz.4.8.x86_64 #1 ovz.4.8 [ 4.456336] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 [ 4.456336] task: ffff8800777e0000 ti: ffff8800777e8000 task.ti: ffff8800777e8000 [ 4.456336] RIP: 0010:[<ffffffff81233caa>] [<ffffffff81233caa>] ve_namespace+0xa/0x40 [ 4.456336] RSP: 0000:ffff8800777e99c8 EFLAGS: 00010286 [ 4.456336] RAX: ffffffff81233ca0 RBX: 0000000000000000 RCX: 0000000000000000 [ 4.456336] RDX: 000000000000091e RSI: ffff8800777e99e4 RDI: 0000000000000000 [ 4.456336] RBP: ffff8800777e99d0 R08: 0000000000000000 R09: 0000000000000004 [ 4.456336] R10: 00000000001c2000 R11: 0000000000000000 R12: ffffffff81960d60 [ 4.456336] R13: 0000000000000000 R14: ffffffff819656a0 R15: ffffffff81991380 [ 4.456336] FS: 0000000000000000(0000) GS:ffff88007a880000(0000) knlGS:0000000000000000 [ 4.456336] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 4.456336] CR2: 0000000000000278 CR3: 00000000018ae000 CR4: 00000000000007e0 [ 4.456336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4.456336] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 4.456336] Stack: [ 4.456336] 0000000000000000 ffff8800777e9a00 ffffffff813a1585 0040004281335d74 [ 4.456336] ffff88006f348000 0000000000000002 ffff88006f36c380 ffff8800777e9a20 [ 4.456336] ffffffff8135b2a2 ffffffff821f7bf0 ffff88006f36c2b0 ffff8800777e9a50 [ 4.456336] Call Trace: [ 4.456336] [<ffffffff813a1585>] device_destroy_namespace+0x25/0x80 [ 4.456336] [<ffffffff8135b2a2>] tty_unregister_device+0x32/0x60 [ 4.456336] [<ffffffff8137bc4e>] uart_remove_one_port+0x9e/0x130 [ 4.456336] [<ffffffff81380a5e>] serial8250_register_8250_port+0xae/0x390 [ 4.456336] [<ffffffff81385b18>] pciserial_init_ports+0x118/0x210 [ 4.456336] [<ffffffff81385ced>] pciserial_init_one+0xdd/0x200 [ 4.456336] [<ffffffff812d5915>] local_pci_probe+0x45/0xa0 [ 4.456336] [<ffffffff812d6d05>] ? pci_match_device+0xc5/0xd0 [ 4.456336] [<ffffffff812d6e89>] pci_device_probe+0x139/0x150 [ 4.456336] [<ffffffff813a3d37>] driver_probe_device+0x87/0x390 [ 4.456336] [<ffffffff813a4113>] __driver_attach+0x93/0xa0 [ 4.456336] [<ffffffff813a4080>] ? __device_attach+0x40/0x40 [ 4.456336] [<ffffffff813a1ac3>] bus_for_each_dev+0x73/0xc0 [ 4.456336] [<ffffffff813a378e>] driver_attach+0x1e/0x20 [ 4.456336] [<ffffffff813a32e0>] bus_add_driver+0x200/0x2d0 [ 4.456336] [<ffffffff813a4794>] driver_register+0x64/0xf0 [ 4.456336] [<ffffffff812d6b75>] __pci_register_driver+0xa6/0xc0 [ 4.456336] [<ffffffff81a2eadb>] ? early_serial_setup+0x129/0x129 [ 4.456336] [<ffffffff81a2eaf4>] serial_pci_driver_init+0x19/0x1b [ 4.456336] [<ffffffff810020e2>] do_one_initcall+0xe2/0x190 [ 4.456336] [<ffffffff819ed14f>] kernel_init_freeable+0x17d/0x21c [ 4.456336] [<ffffffff819ec92b>] ? do_early_param+0x88/0x88 [ 4.456336] [<ffffffff815a8010>] ? rest_init+0x80/0x80 [ 4.456336] [<ffffffff815a801e>] kernel_init+0xe/0x180 [ 4.456336] [<ffffffff815d5f2c>] ret_from_fork+0x7c/0xb0 [ 4.456336] [<ffffffff815a8010>] ? rest_init+0x80/0x80 [ 4.456336] [<ffffffff815a801e>] kernel_init+0xe/0x180 [ 4.456336] [<ffffffff815d5f2c>] ret_from_fork+0x7c/0xb0 [ 4.456336] [<ffffffff815a8010>] ? rest_init+0x80/0x80 [ 4.456336] Code: ff ff ff 66 0f 1f 44 00 00 49 89 45 18 e9 35 ff ff ff 0f 0b 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 53 <48> 83 bf 78 02 00 00 00 48 89 fb 74 11 48 c7 c0 c0 cb 8e 81 5b 0x278 is groups atribute offset in structure device. The patch fixes the problem and makes the check logic similar to logic in device_destroy(). https://jira.sw.ru/browse/PSBM-33239 Signed-off-by: Kirill Tkhai <ktk...@odin.com> --- drivers/base/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/base/core.c b/drivers/base/core.c index 98e8e3b..6583bec 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -1840,12 +1840,14 @@ void device_destroy_namespace(struct class *class, dev_t devt, void *ns) { struct device *dev = NULL; - do { + for (;;) { dev = class_find_device(class, dev, &devt, __match_devt); + if (!dev) + break; if (!class->namespace || (class->namespace(dev) == ns)) break; - } while (dev); + } if (dev) { put_device(dev); _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel