author | Ben Hutchings <ben@decadent.org.uk> | 2016-02-09 20:49:04 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-02-09 20:49:04 +0000 |
commit | 41c5be2e735124082c56ff5ee14c876dc8f5099a (patch) | |
tree | c2f5dba2f37cea160ed282c8b48c022ec2bc537c | |
parent | 4b5119edadfd685ff70b49cceac78c1cf6cb950f (diff) | |
SCSI: Fix NULL pointer dereference in runtime PM (really closes: #801925)
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/patches/bugfix/all/scsi-fix-null-pointer-dereference-in-runtime-pm.patch | 82 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 89 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 745df9ed1dc5..5cdd88713f74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (4.3.5-2) UNRELEASED; urgency=medium
+
+ * SCSI: Fix NULL pointer dereference in runtime PM (really closes: #801925)
+
+ -- Ben Hutchings <ben@decadent.org.uk> Tue, 09 Feb 2016 20:48:32 +0000
+
 linux (4.3.5-1) unstable; urgency=medium
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/scsi-fix-null-pointer-dereference-in-runtime-pm.patch b/debian/patches/bugfix/all/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
new file mode 100644
index 000000000000..640e8545b6ac
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
@@ -0,0 +1,82 @@
+From: Ken Xue <ken.xue@amd.com>
+Date: Tue, 1 Dec 2015 14:45:46 +0800
+Subject: SCSI: Fix NULL pointer dereference in runtime PM
+Origin: https://git.kernel.org/linus/4fd41a8552afc01054d9d9fc7f1a63c324867d27
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=101371
+Bug-Debian: https://bugs.debian.org/801925
+
+The routines in scsi_pm.c assume that if a runtime-PM callback is
+invoked for a SCSI device, it can only mean that the device's driver
+has asked the block layer to handle the runtime power management (by
+calling blk_pm_runtime_init(), which among other things sets q->dev).
+
+However, this assumption turns out to be wrong for things like the ses
+driver. Normally ses devices are not allowed to do runtime PM, but
+userspace can override this setting. If this happens, the kernel gets
+a NULL pointer dereference when blk_post_runtime_resume() tries to use
+the uninitialized q->dev pointer.
+
+This patch fixes the problem by checking q->dev in block layer before
+handle runtime PM. Since ses doesn't define any PM callbacks and call
+blk_pm_runtime_init(), the crash won't occur.
+
+This fixes Bugzilla #101371.
+https://bugzilla.kernel.org/show_bug.cgi?id=101371
+
+More discussion can be found from below link.
+http://marc.info/?l=linux-scsi&m=144163730531875&w=2
+
+Signed-off-by: Ken Xue <Ken.Xue@amd.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: Xiangliang Yu <Xiangliang.Yu@amd.com>
+Cc: James E.J. Bottomley <JBottomley@odin.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Michael Terry <Michael.terry@canonical.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ block/blk-core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -3280,6 +3280,9 @@ int blk_pre_runtime_suspend(struct reque
+ {
+ int ret = 0;
+
++ if (!q->dev)
++ return ret;
++
+ spin_lock_irq(q->queue_lock);
+ if (q->nr_pending) {
+ ret = -EBUSY;
+@@ -3307,6 +3310,9 @@ EXPORT_SYMBOL(blk_pre_runtime_suspend);
+ */
+ void blk_post_runtime_suspend(struct request_queue *q, int err)
+ {
++ if (!q->dev)
++ return;
++
+ spin_lock_irq(q->queue_lock);
+ if (!err) {
+ q->rpm_status = RPM_SUSPENDED;
+@@ -3331,6 +3337,9 @@ EXPORT_SYMBOL(blk_post_runtime_suspend);
+ */
+ void blk_pre_runtime_resume(struct request_queue *q)
+ {
++ if (!q->dev)
++ return;
++
+ spin_lock_irq(q->queue_lock);
+ q->rpm_status = RPM_RESUMING;
+ spin_unlock_irq(q->queue_lock);
+@@ -3353,6 +3362,9 @@ EXPORT_SYMBOL(blk_pre_runtime_resume);
+ */
+ void blk_post_runtime_resume(struct request_queue *q, int err)
+ {
++ if (!q->dev)
++ return;
++
+ spin_lock_irq(q->queue_lock);
+ if (!err) {
+ q->rpm_status = RPM_ACTIVE;
diff --git a/debian/patches/series b/debian/patches/series
index 48392ef060ab..8d529f836014 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -142,3 +142,4 @@ bugfix/all/rt2x00-fix-monitor-mode-regression.patch
 bugfix/all/pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
 bugfix/all/fix-abi-changes-for-cve-2013-4312-fix.patch
 features/sparc/hwrng-n2-attach-on-t5-m5-t7-m7-sparc-cpus.patch
+bugfix/all/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
|
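Review bot: The four `if (!q->dev)` guards added to blk_pre_runtime_suspend(), blk_post_runtime_suspend(), blk_pre_runtime_resume() and blk_post_runtime_resume() carry no comment, so the code itself does not say that a NULL `q->dev` means blk_pm_runtime_init() was never called for this queue; that reasoning lives only in the patch description. I would put `/* Runtime PM was never set up for this queue (no blk_pm_runtime_init()); nothing to do. */` above each guard, and in blk_pre_runtime_suspend() write `return 0;` instead of `return ret;` so the success result does not depend on the initialiser a few lines up. Because the description says userspace can cause these callbacks to run by overriding the runtime-PM setting, it is also worth confirming that no other block-layer runtime-PM path outside these hunks uses `q->dev` without an equivalent check. All four function bodies continue outside the hunks shown.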