redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers/md/persistent-data
History
Ye Bin 291144f111 dm thin metadata: Fix use-after-free in dm_bm_set_read_only 
commit 3a653b205f upstream.

The following error ocurred when testing disk online/offline:

[  301.798344] device-mapper: thin: 253:5: aborting current metadata transaction
[  301.848441] device-mapper: thin: 253:5: failed to abort metadata transaction
[  301.849206] Aborting journal on device dm-26-8.
[  301.850489] EXT4-fs error (device dm-26) in __ext4_new_inode:943: Journal has aborted
[  301.851095] EXT4-fs (dm-26): Delayed block allocation failed for inode 398742 at logical offset 181 with max blocks 19 with error 30
[  301.854476] BUG: KASAN: use-after-free in dm_bm_set_read_only+0x3a/0x40 [dm_persistent_data]

Reason is:

 metadata_operation_failed
    abort_transaction
        dm_pool_abort_metadata
	    __create_persistent_data_objects
	        r = __open_or_format_metadata
	        if (r) --> If failed will free pmd->bm but pmd->bm not set NULL
		    dm_block_manager_destroy(pmd->bm);
    set_pool_mode
	dm_pool_metadata_read_only(pool->pmd);
	dm_bm_set_read_only(pmd->bm);  --> use-after-free

Add checks to see if pmd->bm is NULL in dm_bm_set_read_only and
dm_bm_set_read_write functions.  If bm is NULL it means creating the
bm failed and so dm_bm_is_read_only must return true.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2020-09-09 19:12:36 +02:00
..
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-array.c dm persistent data: add cursor skip functions to the cursor APIs 2017-02-16 13:12:50 -05:00
dm-array.h dm persistent data: add cursor skip functions to the cursor APIs 2017-02-16 13:12:50 -05:00
dm-bitset.c dm persistent data: add cursor skip functions to the cursor APIs 2017-02-16 13:12:50 -05:00
dm-bitset.h dm persistent data: add cursor skip functions to the cursor APIs 2017-02-16 13:12:50 -05:00
dm-block-manager.c dm thin metadata: Fix use-after-free in dm_bm_set_read_only 2020-09-09 19:12:36 +02:00
dm-block-manager.h dm block manager: remove an unused argument from dm_block_manager_create() 2017-04-27 17:08:41 -04:00
dm-btree-internal.h dm persistent data: eliminate unnecessary return values 2015-10-31 19:06:02 -04:00
dm-btree-remove.c dm btree: increase rebalance threshold in __rebalance2() 2019-12-21 11:04:57 +01:00
dm-btree-spine.c dm persistent data: eliminate unnecessary return values 2015-10-31 19:06:02 -04:00
dm-btree.c dm btree: fix order of block initialization in btree_split_beneath 2019-08-22 16:11:23 -04:00
dm-btree.h dm persistent data: add cursor skip functions to the cursor APIs 2017-02-16 13:12:50 -05:00
dm-persistent-data-internal.h
dm-space-map-common.c dm space map common: fix to ensure new block isn't already in use 2020-02-11 04:35:26 -08:00
dm-space-map-common.h dm space map common: fix to ensure new block isn't already in use 2020-02-11 04:35:26 -08:00
dm-space-map-disk.c dm space map common: fix to ensure new block isn't already in use 2020-02-11 04:35:26 -08:00
dm-space-map-disk.h
dm-space-map-metadata.c dm space map common: fix to ensure new block isn't already in use 2020-02-11 04:35:26 -08:00
dm-space-map-metadata.h dm thin: allow metadata space larger than supported to go unused 2014-02-27 11:49:08 -05:00
dm-space-map.h dm persistent data: add threshold callback to space map 2013-05-10 14:37:20 +01:00
dm-transaction-manager.c dm persistent data: eliminate unnecessary return values 2015-10-31 19:06:02 -04:00
dm-transaction-manager.h dm persistent data: eliminate unnecessary return values 2015-10-31 19:06:02 -04:00