From 6d53a9fe5a1983490bc14b3a64d49fabb4ccc651 Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Fri, 2 Oct 2020 10:22:23 -0400 Subject: block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to userspace, since the compiler may leave a 3-byte hole in the middle of `cgc32`. Fix it by adding a padding field to `struct compat_cdrom_generic_command`. Cc: stable@vger.kernel.org Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi") Suggested-by: Dan Carpenter Suggested-by: Arnd Bergmann Reported-by: syzbot+85433a479a646a064ab3@syzkaller.appspotmail.com Signed-off-by: Peilin Ye Signed-off-by: Jens Axboe --- block/scsi_ioctl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c index ef722f04f88a..72108404718f 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c @@ -651,6 +651,7 @@ struct compat_cdrom_generic_command { compat_int_t stat; compat_caddr_t sense; unsigned char data_direction; + unsigned char pad[3]; compat_int_t quiet; compat_int_t timeout; compat_caddr_t reserved[1]; -- cgit From 4bab69093044ca81f394bd0780be1b71c5a4d308 Mon Sep 17 00:00:00 2001 From: Chaitanya Kulkarni Date: Tue, 6 Oct 2020 16:36:47 -0700 Subject: nvme-core: put ctrl ref when module ref get fail When try_module_get() fails in the nvme_dev_open() it returns without releasing the ctrl reference which was taken earlier. Put the ctrl reference which is taken before calling the try_module_get() in the error return code path. Fixes: 52a3974feb1a "nvme-core: get/put ctrl and transport module in nvme_dev_open/release()" Signed-off-by: Chaitanya Kulkarni Reviewed-by: Logan Gunthorpe Signed-off-by: Christoph Hellwig --- drivers/nvme/host/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 53c93836c7c6..ca516d68f14f 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -3265,8 +3265,10 @@ static int nvme_dev_open(struct inode *inode, struct file *file) } nvme_get_ctrl(ctrl); - if (!try_module_get(ctrl->ops->module)) + if (!try_module_get(ctrl->ops->module)) { + nvme_put_ctrl(ctrl); return -EINVAL; + } file->private_data = ctrl; return 0; -- cgit From 7370997d48520ad923e8eb4deb59ebf290396202 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Wed, 7 Oct 2020 14:40:09 +0200 Subject: partitions/ibm: fix non-DASD devices Don't error out if the dasd_biodasdinfo symbol is not available. Cc: stable@vger.kernel.org Fixes: 26d7e28e3820 ("s390/dasd: remove ioctl_by_bdev calls") Reported-by: Christian Borntraeger Signed-off-by: Christoph Hellwig Tested-by: Christian Borntraeger Reviewed-by: Stefan Haberland Signed-off-by: Jens Axboe --- block/partitions/ibm.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/block/partitions/ibm.c b/block/partitions/ibm.c index d6e18df9c53c..4b044e620d35 100644 --- a/block/partitions/ibm.c +++ b/block/partitions/ibm.c @@ -305,8 +305,6 @@ int ibm_partition(struct parsed_partitions *state) if (!disk->fops->getgeo) goto out_exit; fn = symbol_get(dasd_biodasdinfo); - if (!fn) - goto out_exit; blocksize = bdev_logical_block_size(bdev); if (blocksize <= 0) goto out_symbol; @@ -326,7 +324,7 @@ int ibm_partition(struct parsed_partitions *state) geo->start = get_start_sect(bdev); if (disk->fops->getgeo(bdev, geo)) goto out_freeall; - if (fn(disk, info)) { + if (!fn || fn(disk, info)) { kfree(info); info = NULL; } @@ -370,7 +368,8 @@ out_nolab: out_nogeo: kfree(info); out_symbol: - symbol_put(dasd_biodasdinfo); + if (fn) + symbol_put(dasd_biodasdinfo); out_exit: return res; } -- cgit