Unverified Commit e3cb4359 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!9804 CVE-2024-36478 

Merge Pull Request from: @ci-robot 
 
PR sync from: Li Nan <linan122@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/AEEKWR3UVW4Z3UTKNRJIUEPZEBO76DKX/ 
Damien Le Moal (1):
  null_blk: Fix return value of nullb_device_power_store()

Yu Kuai (1):
  null_blk: fix null-ptr-dereference while configuring 'power' and
    'submit_queues'


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/IA7D6H 
 
Link:https://gitee.com/openeuler/kernel/pulls/9804

 

Reviewed-by: default avatarYu Kuai <yukuai3@huawei.com>
Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents c071fab7 ea8f1240

drivers/block/null_blk/main.c

+27 −14
Original line number Diff line number Diff line
@@ -392,13 +392,25 @@ static int nullb_update_nr_hw_queues(struct nullb_device *dev, 
static int nullb_apply_submit_queues(struct nullb_device *dev,

				     unsigned int submit_queues)

{

	return nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);

	int ret;



	mutex_lock(&lock);

	ret = nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);

	mutex_unlock(&lock);



	return ret;

}



static int nullb_apply_poll_queues(struct nullb_device *dev,

				   unsigned int poll_queues)

{

	return nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);

	int ret;



	mutex_lock(&lock);

	ret = nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);

	mutex_unlock(&lock);



	return ret;

}



NULLB_DEVICE_ATTR(size, ulong, NULL);
@@ -444,28 +456,32 @@ static ssize_t nullb_device_power_store(struct config_item *item, 
	if (ret < 0)

		return ret;



	ret = count;

	mutex_lock(&lock);

	if (!dev->power && newp) {

		if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags))

			return count;

			goto out;



		ret = null_add_dev(dev);

		if (ret) {

			clear_bit(NULLB_DEV_FL_UP, &dev->flags);

			return ret;

			goto out;

		}



		set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);

		dev->power = newp;

		ret = count;

	} else if (dev->power && !newp) {

		if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {

			mutex_lock(&lock);

			dev->power = newp;

			null_del_dev(dev->nullb);

			mutex_unlock(&lock);

		}

		clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);

	}



	return count;

out:

	mutex_unlock(&lock);

	return ret;

}



CONFIGFS_ATTR(nullb_device_, power);
@@ -2153,15 +2169,12 @@ static int null_add_dev(struct nullb_device *dev) 
	nullb->q->queuedata = nullb;

	blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q);



	mutex_lock(&lock);

	rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL);

	if (rv < 0) {

		mutex_unlock(&lock);

	if (rv < 0)

		goto out_cleanup_zone;

	}



	nullb->index = rv;

	dev->index = rv;

	mutex_unlock(&lock);



	blk_queue_logical_block_size(nullb->q, dev->blocksize);

	blk_queue_physical_block_size(nullb->q, dev->blocksize);
@@ -2185,9 +2198,7 @@ static int null_add_dev(struct nullb_device *dev) 
	if (rv)

		goto out_ida_free;



	mutex_lock(&lock);

	list_add_tail(&nullb->list, &nullb_list);

	mutex_unlock(&lock);



	pr_info("disk %s created\n", nullb->disk_name);
@@ -2236,7 +2247,9 @@ static int null_create_dev(void) 
	if (!dev)

		return -ENOMEM;



	mutex_lock(&lock);

	ret = null_add_dev(dev);

	mutex_unlock(&lock);

	if (ret) {

		null_free_dev(dev);

		return ret;