linux/drivers
Luo Meng 5e2cf70515 dm thin: fix use-after-free crash in dm_sm_register_threshold_callback
[ Upstream commit 3534e5a5ed ]

Fault inject on pool metadata device reports:
  BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80
  Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950

  CPU: 7 PID: 950 Comm: dmsetup Tainted: G        W         5.19.0-rc6 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_address_description.constprop.0.cold+0xeb/0x3f4
   kasan_report.cold+0xe6/0x147
   dm_pool_register_metadata_threshold+0x40/0x80
   pool_ctr+0xa0a/0x1150
   dm_table_add_target+0x2c8/0x640
   table_load+0x1fd/0x430
   ctl_ioctl+0x2c4/0x5a0
   dm_ctl_ioctl+0xa/0x10
   __x64_sys_ioctl+0xb3/0xd0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

This can be easily reproduced using:
  echo offline > /sys/block/sda/device/state
  dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10
  dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0"

If a metadata commit fails, the transaction will be aborted and the
metadata space maps will be destroyed. If a DM table reload then
happens for this failed thin-pool, a use-after-free will occur in
dm_sm_register_threshold_callback (called from
dm_pool_register_metadata_threshold).

Fix this in dm_pool_register_metadata_threshold() by returning the
-EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr()
with a new error message: "Error registering metadata threshold".

Fixes: ac8c3f3df6 ("dm thin: generate event when metadata threshold passed")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-08-21 15:16:20 +02:00
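An added example, not the kernel's code and not part of this commit, that models the sequence the commit message describes in userspace C: a failed metadata commit destroys the metadata space map, and a later table reload re-runs the threshold registration against the dangling pointer. Destroyed maps are poisoned and kept rather than free()d (a stand-in for the KASAN quarantine) so the use-after-free is counted deterministically instead of being undefined behaviour. Every struct and function name below is this example's own stand-in for the dm-thin one; the `fixed` flag selects between the pre-fix path and the fail-mode check the patch adds.

```c
/*
 * Added example, not kernel code: a userspace model of the sequence in the
 * commit message. All names are this example's own stand-ins.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define SM_LIVE  0x5a5a5a5au
#define SM_FREED 0xdeaddeadu

typedef void (*threshold_fn)(void *ctx);

struct space_map {
    unsigned int state;            /* SM_LIVE or SM_FREED: models the KASAN shadow */
    unsigned long threshold;
    threshold_fn fn;
    void *ctx;
};

struct pool_md {
    struct space_map *metadata_sm; /* left dangling after abort, as in the report */
    bool fail_io;                  /* "fail mode": set once a commit has failed */
};

static int uaf_reports;            /* number of accesses to a destroyed map */

static struct space_map *sm_create(void)
{
    struct space_map *sm = calloc(1, sizeof *sm);
    if (sm)
        sm->state = SM_LIVE;
    return sm;
}

/* Poison instead of free(): the dangling pointer stays dereferenceable. */
static void sm_destroy(struct space_map *sm)
{
    sm->state = SM_FREED;
}

/* Stand-in for the callee that crashed: it touches sm unconditionally. */
static int sm_register_threshold_callback(struct space_map *sm,
                                          unsigned long threshold,
                                          threshold_fn fn, void *ctx)
{
    if (sm->state != SM_LIVE) {
        uaf_reports++;             /* KASAN would print its report here */
        return -EFAULT;
    }
    sm->threshold = threshold;
    sm->fn = fn;
    sm->ctx = ctx;
    return 0;
}

/* Failed commit: abort the transaction, destroy the map, enter fail mode. */
static void pool_md_commit_failed(struct pool_md *pmd)
{
    sm_destroy(pmd->metadata_sm);
    pmd->fail_io = true;
}

/*
 * Registration path. With fixed=true it refuses with -EINVAL while the pool
 * is in fail mode, as the patch does; fixed=false is the pre-fix behaviour.
 */
static int pool_register_metadata_threshold(struct pool_md *pmd, bool fixed,
                                            unsigned long threshold,
                                            threshold_fn fn, void *ctx)
{
    if (fixed && pmd->fail_io)
        return -EINVAL;
    return sm_register_threshold_callback(pmd->metadata_sm, threshold, fn, ctx);
}

static void on_threshold(void *ctx) { (void)ctx; }

/*
 * Scenario from the commit message: optionally fail a commit, then "reload"
 * the table by re-registering the threshold. Returns the registration
 * result; uaf_reports is reset first and holds the destroyed-map accesses.
 */
static int reload_scenario(bool fail_commit, bool fixed)
{
    struct pool_md pmd = { .metadata_sm = sm_create(), .fail_io = false };
    int rc;

    uaf_reports = 0;
    if (!pmd.metadata_sm)
        return -ENOMEM;
    if (fail_commit)
        pool_md_commit_failed(&pmd);

    rc = pool_register_metadata_threshold(&pmd, fixed, 1024, on_threshold, &pmd);
    free(pmd.metadata_sm);         /* the "quarantine" is released here */
    return rc;
}
```

Run `reload_scenario(true, false)` to see the pre-fix path reach the destroyed map (one report, -EFAULT from the poison check), and `reload_scenario(true, true)` to see the fail-mode check return -EINVAL before the map is touched; with a healthy pool both paths register successfully. The point to take from the model is that the guard belongs in the caller, before the pointer is handed to the space-map layer, since by the time that layer runs the object is already gone.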
accessibility tty: the rest, stop using tty_schedule_flip() 2022-07-29 17:19:28 +02:00
acpi ACPI: APEI: Fix _EINJ vs EFI_MEMORY_SP 2022-08-21 15:15:34 +02:00
amba
android
ata ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() 2022-06-22 14:13:14 +02:00
atm
auxdisplay
base driver core: fix potential deadlock in __driver_attach 2022-08-21 15:15:55 +02:00
bcma
block null_blk: fix ida error handling in null_add_dev() 2022-08-21 15:16:03 +02:00
bluetooth Bluetooth: hci_intel: Add check for platform_driver_register 2022-08-21 15:15:49 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-21 15:15:35 +02:00
cdrom
char random: update comment from copy_to_user() -> copy_to_iter() 2022-06-29 08:59:54 +02:00
clk clk: qcom: camcc-sdm845: Fix topology around titan_top power domain 2022-08-21 15:15:56 +02:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:52:23 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-21 21:20:14 +02:00
cpuidle
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-21 15:15:50 +02:00
dax
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:52:18 +02:00
dio
dma dmaengine: sf-pdma: Add multithread support for a DMA channel 2022-08-21 15:15:57 +02:00
dma-buf udmabuf: add back sanity check 2022-06-29 08:59:48 +02:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:00:50 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:32:43 +02:00
firewire
firmware firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails 2022-08-21 15:16:17 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-21 15:15:53 +02:00
fsi
gnss
gpio gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() 2022-08-21 15:16:01 +02:00
gpu drm/vc4: drv: Adopt the dma configuration from the HVS or V3D component 2022-08-21 15:16:16 +02:00
greybus
hid HID: hid-input: add Surface Go battery quirk 2022-08-21 15:16:15 +02:00
hsi
hv Drivers: hv: vmbus: Release cpu lock in error case 2022-06-22 14:13:16 +02:00
hwmon hwmon: (drivetemp) Add module alias 2022-08-21 15:15:35 +02:00
hwspinlock
hwtracing intel_th: pci: Add Raptor Lake-S CPU support 2022-08-21 15:16:17 +02:00
i2c i2c: mux-gpmux: Add of_node_put() when breaking out of loop 2022-08-21 15:15:49 +02:00
i3c
ide
idle intel_idle: Disable IBRS during long idle 2022-07-25 11:26:43 +02:00
iio iio: accel: bma400: Reordering of header files 2022-08-21 15:15:54 +02:00
infiniband RDMA/rxe: Fix error unwind in rxe_create_qp() 2022-08-21 15:16:03 +02:00
input Input: gscps2 - check return value of ioremap() in gscps2_probe() 2022-08-21 15:16:15 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-21 15:16:00 +02:00
iommu iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) 2022-08-21 15:16:17 +02:00
ipack
irqchip irqchip/mips-gic: Check the return value of ioremap() in gic_of_init() 2022-08-21 15:15:29 +02:00
isdn
leds
lightnvm
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:06:47 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:21:18 +02:00
mcb
md dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-08-21 15:16:20 +02:00
media media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment 2022-08-21 15:15:46 +02:00
memory memory: samsung: exynos5422-dmc: Fix refcount leak in of_get_dram_timings 2022-06-29 08:59:54 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-21 15:15:58 +02:00
message
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-21 15:16:09 +02:00
misc eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write() 2022-08-21 15:16:00 +02:00
mmc mmc: cavium-thunderx: Add of_node_put() when breaking out of loop 2022-08-21 15:16:01 +02:00
most
mtd mtd: rawnand: arasan: Fix clock rate in NV-DDR 2022-08-21 15:16:16 +02:00
mux
net usbnet: smsc95xx: Avoid link settings race on interrupt reception 2022-08-21 15:16:17 +02:00
nfc NFC: nxp-nci: don't print header length mismatch on i2c error 2022-07-21 21:20:14 +02:00
ntb
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:52:15 +02:00
nvme nvme: use command_id instead of req->tag in trace_nvme_complete_rq() 2022-08-21 15:16:03 +02:00
nvmem
of
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-21 15:16:04 +02:00
oprofile
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-21 15:15:23 +02:00
parport
pci PCI/AER: Iterate over error counters instead of error strings 2022-08-21 15:16:19 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:32:30 +02:00
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-21 15:15:36 +02:00
phy phy: qcom-qmp: fix pipe-clock imbalance on power-on failure 2022-06-14 18:32:32 +02:00
pinctrl pinctrl: stm32: fix optional IRQ support to gpios 2022-07-29 17:19:06 +02:00
platform platform/olpc: Fix uninitialized data in debugfs write 2022-08-21 15:16:02 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:19:10 +02:00
powercap
pps
ps3
ptp
pwm pwm: lpc18xx-sct: Convert to devm_platform_ioremap_resource() 2022-08-21 15:15:37 +02:00
rapidio
ras
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-21 15:15:36 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-21 15:16:08 +02:00
reset
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-21 15:16:08 +02:00
rtc rtc: mt6397: check return value after calling platform_get_resource() 2022-06-14 18:32:33 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-21 15:16:13 +02:00
sbus
scsi scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation tests 2022-08-21 15:16:14 +02:00
sfi
sh
siox
slimbus
soc soc: qcom: Make QCOM_RPMPD depend on PM 2022-08-21 15:15:36 +02:00
soundwire soundwire: bus_type: fix remove and shutdown support 2022-08-21 15:15:56 +02:00
spi spi: spi-rspi: Fix PIO fallback on RZ platforms 2022-08-21 15:15:31 +02:00
spmi
ssb
staging staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback 2022-08-21 15:15:57 +02:00
target
tc
tee
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-21 15:15:22 +02:00
thunderbolt
tty serial: 8250: Fold EndRun device support into OxSemi Tornado code 2022-08-21 15:16:19 +02:00
uio
usb usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() 2022-08-21 15:16:04 +02:00
vdpa vdpasim: allow to enable a vq repeatedly 2022-06-09 10:21:29 +02:00
vfio vfio/mdev: Make to_mdev_device() into a static inline 2022-08-21 15:16:07 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:32:45 +02:00
video video: fbdev: s3fb: Check the size of screen before memset_io() 2022-08-21 15:16:13 +02:00
virt
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:20:13 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-21 15:16:10 +02:00
xen xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE 2022-07-29 17:19:07 +02:00
zorro
Kconfig
Makefile