diff mbox series

dm: fix a crash if blk_alloc_disk fails

Message ID 16e9030d-e55c-47eb-1a2a-dff8a50e6627@redhat.com (mailing list archive)
State Accepted, archived
Delegated to: Mikulas Patocka
Headers show
Series dm: fix a crash if blk_alloc_disk fails | expand

Commit Message

Mikulas Patocka Oct. 7, 2024, 11:38 a.m. UTC 
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:cleanup_mapped_device+0x202/0x580 drivers/md/dm.c:2198
> Code: 03 80 3c 02 00 0f 85 28 03 00 00 48 8b 9d 08 02 00 00 48 b8 00
> 00 00 00 00 fc ff df 48 8d bb 98 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c
> 02 00 0f 85 19 03 00 00 48 c7 c7 00 57 39 8f 48 c7 83 98 00
> RSP: 0018:ffffc9000e5f7b80 EFLAGS: 00010217
> RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: ffffffff8169176c
> RDX: 0000000000000011 RSI: 0000000000000004 RDI: 000000000000008c
> RBP: ffff888047717000 R08: 0000000000000001 R09: fffff52001cbef62
> R10: 0000000000000003 R11: 0000000000000000 R12: ffff888047717208
> R13: ffff888047717090 R14: ffff888047717208 R15: ffff88802ba3d9e8
> FS:  00005555642a83c0(0000) GS:ffff88802ba00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fe48631f1f8 CR3: 0000000000c22000 CR4: 0000000000750ef0
> PKRU: 55555554
> ----------------
> Code disassembly (best guess):
>    0: 03 80 3c 02 00 0f     add    0xf00023c(%rax),%eax
>    6: 85 28                 test   %ebp,(%rax)
>    8: 03 00                 add    (%rax),%eax
>    a: 00 48 8b             add    %cl,-0x75(%rax)
>    d: 9d                   popf
>    e: 08 02                 or     %al,(%rdx)
>   10: 00 00                 add    %al,(%rax)
>   12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
>   19: fc ff df
>   1c: 48 8d bb 98 00 00 00 lea    0x98(%rbx),%rdi
>   23: 48 89 fa             mov    %rdi,%rdx
>   26: 48 c1 ea 03           shr    $0x3,%rdx
> * 2a: 80 3c 02 00           cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
>   2e: 0f 85 19 03 00 00     jne    0x34d
>   34: 48 c7 c7 00 57 39 8f mov    $0xffffffff8f395700,%rdi
>   3b: 48                   rex.W
>   3c: c7                   .byte 0xc7
>   3d: 83                   .byte 0x83
>   3e: 98                   cwtl
> 
> 
> Syzkaller reproducer:
> # {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1
> Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
> NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
> KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
> Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
> HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false
> FaultCall:0 FaultNth:0}}
> ioctl$KGPT_CEC_ADAP_S_LOG_ADDRS(0xffffffffffffffff, 0xc05c6104,
> &(0x7f0000000080)={"8072609d", 0x4, 0x6, 0x8, 0xffff, 0x6,
> "000780427bee50eb00", '\x00\a\x00', "8529b501", "3bf5c9d5",
> ["f1c758509a071a2ded4470ab", "fe1285a1e9c9879d543c15d2",
> "d6de4e2d5ae55cebb6bac1e1", "dd8866305b4f75e67daa6d8b"]})
> r0 = openat$KGPT_SYZKALM_dm_ctl(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
> ioctl$KGPT_DM_DEV_STATUS(r0, 0xc138fd07,
> &(0x7f0000000080)="58c18237165e55872d5dacbed6a0")
> ioctl$KGPT_DM_DEV_CREATE(r0, 0xc138fd03, &(0x7f0000000080)) (fail_nth: 8)

Hi

Here I'm submitting a patch for this bug.

Mikulas


From: Mikulas Patocka <mpatocka@redhat.com>

If blk_alloc_disk fails, the variable md->disk is set to an error value. 
cleanup_mapped_device will see that md->disk is non-NULL and it will 
attempt to access it, causing a crash on this statement 
"md->disk->private_data = NULL;".

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Closes: https://marc.info/?l=dm-devel&m=172824125004329&w=2
Cc: stable@vger.kernel.org

---
 drivers/md/dm.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Nitesh Shetty Oct. 8, 2024, 6:32 a.m. UTC | #1 
On 07/10/24 01:38PM, Mikulas Patocka wrote:
>
>Hi
>
>Here I'm submitting a patch for this bug.
>
>Mikulas
>
>
>From: Mikulas Patocka <mpatocka@redhat.com>
>
>If blk_alloc_disk fails, the variable md->disk is set to an error value.
>cleanup_mapped_device will see that md->disk is non-NULL and it will
>attempt to access it, causing a crash on this statement
>"md->disk->private_data = NULL;".
>
>Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
>Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
>Closes: https://marc.info/?l=dm-devel&m=172824125004329&w=2
>Cc: stable@vger.kernel.org

Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
diff mbox series

Patch

Index: linux-2.6/drivers/md/dm.c
===================================================================
--- linux-2.6.orig/drivers/md/dm.c	2024-09-30 16:40:54.000000000 +0200
+++ linux-2.6/drivers/md/dm.c	2024-10-07 13:23:40.000000000 +0200
@@ -2290,8 +2290,10 @@  static struct mapped_device *alloc_dev(i
 	 * override accordingly.
 	 */
 	md->disk = blk_alloc_disk(NULL, md->numa_node_id);
-	if (IS_ERR(md->disk))
+	if (IS_ERR(md->disk)) {
+		md->disk = NULL;
 		goto bad;
+	}
 	md->queue = md->disk->queue;
 
 	init_waitqueue_head(&md->wait);