[PATCH] nvme: avoid NULL pointer dereference in error recovery path
Christoph Hellwig
hch at lst.de
Wed Apr 5 12:43:57 PDT 2017
On Wed, Apr 05, 2017 at 04:40:37PM -0300, Guilherme G. Piccoli wrote:
> It's possible that driver fails to recover from a PCI error and the
> PCI core (or arch PCI specifics, like EEH in PowerPC) starts a process
> of device removal. While this removal process is happening, if another
> PCI error is triggered, we might have a NULL address for
> "struct *nvme_dev", pointed by "pci_dev *driver_data" - for example this
> happens if nvme_remove() already have set that pci_dev struct's field
> to NULL.
>
> In this case, the driver error handler functions will dereferece a NULL
> pointer, causing a kernel oops. This patch checks for NULL pointer on
> error handlers and in case "driver_data" points to NULL, it aborts the
> error recovery path and return a fail error value to PCI core.
I think this needs to be fixed at a higher level, that is the PCI
core. Once you have the callbacks run in parallel a simple null check
isn't going to fix this but every single access to the structure
is a possible use after free.
More information about the Linux-nvme
mailing list