From patchwork Fri Apr  1 14:34:18 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
X-Patchwork-Id: 8725291
Return-Path: <linux-block-owner@kernel.org>
X-Original-To: patchwork-linux-block@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id AD3A59F3D1
	for <patchwork-linux-block@patchwork.kernel.org>;
	Fri,  1 Apr 2016 14:34:28 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id C8E23203C3
	for <patchwork-linux-block@patchwork.kernel.org>;
	Fri,  1 Apr 2016 14:34:27 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id DD7B9203A4
	for <patchwork-linux-block@patchwork.kernel.org>;
	Fri,  1 Apr 2016 14:34:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1759166AbcDAOe0 (ORCPT
	<rfc822;patchwork-linux-block@patchwork.kernel.org>);
	Fri, 1 Apr 2016 10:34:26 -0400
Received: from mail-wm0-f49.google.com ([74.125.82.49]:35804 "EHLO
	mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1759154AbcDAOeZ (ORCPT
	<rfc822; linux-block@vger.kernel.org>); Fri, 1 Apr 2016 10:34:25 -0400
Received: by mail-wm0-f49.google.com with SMTP id 191so22195603wmq.0;
	Fri, 01 Apr 2016 07:34:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=pb/Lea2aAByMcOSvSfJbMQBl0RKgud3XUtXp3m0vKRo=;
	b=uRJS42AP/7Q0Rj84t4VatHlQZ+o1r5T/dd4vV6rSQTwB8dxd/JBu6WXPlCccSF86N6
	Ou7gZ1jIMYXkUEJXjbgoCAiW0GKDlzmBwXfRb4bn8Za8R9fH5GD2T+YKhemOsSRavlNC
	F1OiKBDG1I3sPYipjf3AQn3JgFJBX3avPUz2fHA755rgiyrNtuChV1U0gygk7KS4X8xc
	GwLE4XsLBYSKksEi3espE+Yk4iinyZteMPdqgh0arWjxaJvEDUEWk9iYFJY8HeACqfi4
	/uGLrIlPtUFbEje1COwxKAcv3+XB059BvRG1qP23ptouU2A7FSPPPL5iFNRiewPmVhkK
	7Ubg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=pb/Lea2aAByMcOSvSfJbMQBl0RKgud3XUtXp3m0vKRo=;
	b=QCF8Cw7TEmMsVWvdbqgiqTSkCd3b4SEfplt2iMs3meTxziwIC3mf8kLqQJoFT0UGc1
	4vSc0mZjL6sPomrvNgdjkBBLrEmvuPZV/b+0fP9vkExoz8Xgsv46dvM2izliJuW5FYCY
	WCETPiDSTlnhBmUUj3uHHeB08IROfGthKjdpeoYit7LeVSnyCo06OAKqY+86R7lQHuRF
	3ZMmqwQggA+MANbfiku8UgMfZLEBp+GYN3zdchbeWt6eynmGAWj7sbNl6c3RoDnc5nmt
	Lmx69/a/h2kLR5FmnNJ1sUCkyAtsc9kslifyGE97uXkNGDxZ7INGNdfFXPoRtsk8s7Ic
	1ACA==
X-Gm-Message-State: 
 AD7BkJKlXEX6Uv7m2WstUDKCx4V844eZGG1vip3eoe8dPbYuRMQ0MkovYxxTJPYfMacSTg==
X-Received: by 10.28.138.198 with SMTP id m189mr4295004wmd.19.1459521263920;
	Fri, 01 Apr 2016 07:34:23 -0700 (PDT)
Received: from sudip-tp.dyn.ducie.codethink.co.uk
	(82-70-136-246.dsl.in-addr.zen.co.uk. [82.70.136.246])
	by smtp.gmail.com with ESMTPSA id
	xx3sm14213965wjc.32.2016.04.01.07.34.22
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 01 Apr 2016 07:34:22 -0700 (PDT)
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-kernel@vger.kernel.org, linux-block@vger.kernel.org,
	Sudip Mukherjee <sudipm.mukherjee@gmail.com>,
	Johannes Thumshirn <jthumshirn@suse.de>
Subject: [PATCH v2] block: fix possible NULL dereference
Date: Fri,  1 Apr 2016 15:34:18 +0100
Message-Id: <1459521258-18534-1-git-send-email-sudipm.mukherjee@gmail.com>
X-Mailer: git-send-email 2.1.4
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-block.vger.kernel.org>
X-Mailing-List: linux-block@vger.kernel.org
X-Spam-Status: No, score=-7.8 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD,
	T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

We were checking for iter to be NULL after dereferencing it. There is
actually no need to check for iter to be NULL as all the callers of
blk_rq_map_user_iov() does call it with a valid pointer to
struct iov_iter.
But as iter->count can be NULL so the assignment to copy is being done
after checking for it.

Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
---

v2: removed the check for iter
v1: moved the assignment to copy after check for iter and iter->count


 block/blk-map.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index a54f054..e15b4aa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -126,14 +126,15 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 			const struct iov_iter *iter, gfp_t gfp_mask)
 {
 	struct iovec iov, prv = {.iov_base = NULL, .iov_len = 0};
-	bool copy = (q->dma_pad_mask & iter->count) || map_data;
+	bool copy;
 	struct bio *bio = NULL;
 	struct iov_iter i;
 	int ret;
 
-	if (!iter || !iter->count)
+	if (!iter->count)
 		return -EINVAL;
 
+	copy = (q->dma_pad_mask & iter->count) || map_data;
 	iov_for_each(iov, i, *iter) {
 		unsigned long uaddr = (unsigned long) iov.iov_base;