SCSI: Fix NULL pointer dereference in runtime PM

The routines in scsi_rpm.c assume that if a runtime-PM callback is invoked for a SCSI device, it can only mean that the device's driver has asked the block layer to handle the runtime power management (by calling blk_pm_runtime_init(), which among other things sets q->dev). However, this assumption turns out to be wrong for things like the ses driver. Normally ses devices are not allowed to do runtime PM, but userspace can override this setting. If this happens, the kernel gets a NULL pointer dereference when blk_post_runtime_resume() tries to use the uninitialized q->dev pointer. This patch fixes the problem by calling the block layer's runtime-PM routines only if the device's driver really does have a runtime-PM callback routine. Since ses doesn't define any such callbacks, the crash won't occur. This fixes Bugzilla #101371. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: Stanisław Pitucha <viraptor@gmail.com> Reported-by: Ilan Cohen <ilanco@gmail.com> Tested-by: Ilan Cohen <ilanco@gmail.com> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> Cc: stable@vger.kernel.org Signed-off-by: James Bottomley <JBottomley@Odin.com>
author: Alan Stern <stern@rowland.harvard.edu> 2015-08-17 11:02:42 -0400
committer: James Bottomley <JBottomley@Odin.com> 2015-08-18 11:14:14 -0400
commit: 49718f0fb8c9af192b33d8af3a2826db04025371 (patch)
tree: 87bdf3db6df2eb7d62327f1f761298223c756ae9
parent: db196935d9562abec4510f48d887bc1f1e054fcf (diff)
1 files changed, 11 insertions, 11 deletions
diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c
index 9e43ae1d2163..e4b799837948 100644
--- a/drivers/scsi/scsi_pm.c
+++ b/drivers/scsi/scsi_pm.c
@@ -217,15 +217,15 @@ static int sdev_runtime_suspend(struct device *dev)
 {
        const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
        struct scsi_device *sdev = to_scsi_device(dev);
-        int err;
+        int err = 0;
-        err = blk_pre_runtime_suspend(sdev->request_queue);
+        if (pm && pm->runtime_suspend) {
-        if (err)
+                err = blk_pre_runtime_suspend(sdev->request_queue);
-                return err;
+                if (err)
-        if (pm && pm->runtime_suspend)
+                        return err;
                err = pm->runtime_suspend(dev);
-        blk_post_runtime_suspend(sdev->request_queue, err);
+                blk_post_runtime_suspend(sdev->request_queue, err);
+        }
        return err;
 }
@@ -248,11 +248,11 @@ static int sdev_runtime_resume(struct device *dev)
        const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
        int err = 0;
-        blk_pre_runtime_resume(sdev->request_queue);
+        if (pm && pm->runtime_resume) {
-        if (pm && pm->runtime_resume)
+                blk_pre_runtime_resume(sdev->request_queue);
                err = pm->runtime_resume(dev);
-        blk_post_runtime_resume(sdev->request_queue, err);
+                blk_post_runtime_resume(sdev->request_queue, err);
+        }
        return err;
 }
author	Alan Stern <stern@rowland.harvard.edu>	2015-08-17 11:02:42 -0400
committer	James Bottomley <JBottomley@Odin.com>	2015-08-18 11:14:14 -0400
commit	49718f0fb8c9af192b33d8af3a2826db04025371 (patch)
tree	87bdf3db6df2eb7d62327f1f761298223c756ae9
parent	db196935d9562abec4510f48d887bc1f1e054fcf (diff)

diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c index 9e43ae1d2163..e4b799837948 100644 --- a/drivers/scsi/scsi_pm.c +++ b/drivers/scsi/scsi_pm.c
@@ -217,15 +217,15 @@ static int sdev_runtime_suspend(struct device *dev)
217	{	217	{
218	const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;	218	const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
219	struct scsi_device *sdev = to_scsi_device(dev);	219	struct scsi_device *sdev = to_scsi_device(dev);
220	int err;	220	int err = 0;
221		221
222	err = blk_pre_runtime_suspend(sdev->request_queue);	222	if (pm && pm->runtime_suspend) {
223	if (err)	223	err = blk_pre_runtime_suspend(sdev->request_queue);
224	return err;	224	if (err)
225	if (pm && pm->runtime_suspend)	225	return err;
226	err = pm->runtime_suspend(dev);	226	err = pm->runtime_suspend(dev);
227	blk_post_runtime_suspend(sdev->request_queue, err);	227	blk_post_runtime_suspend(sdev->request_queue, err);
228		228	}
229	return err;	229	return err;
230	}	230	}
231		231
@@ -248,11 +248,11 @@ static int sdev_runtime_resume(struct device *dev)
248	const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;	248	const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
249	int err = 0;	249	int err = 0;
250		250
251	blk_pre_runtime_resume(sdev->request_queue);	251	if (pm && pm->runtime_resume) {
252	if (pm && pm->runtime_resume)	252	blk_pre_runtime_resume(sdev->request_queue);
253	err = pm->runtime_resume(dev);	253	err = pm->runtime_resume(dev);
254	blk_post_runtime_resume(sdev->request_queue, err);	254	blk_post_runtime_resume(sdev->request_queue, err);
255		255	}
256	return err;	256	return err;
257	}	257	}
258		258