linux/drivers
Luo Meng f83131a307 dm thin: fix use-after-free crash in dm_sm_register_threshold_callback
[ Upstream commit 3534e5a5ed ]

Fault inject on pool metadata device reports:
  BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80
  Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950

  CPU: 7 PID: 950 Comm: dmsetup Tainted: G        W         5.19.0-rc6 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_address_description.constprop.0.cold+0xeb/0x3f4
   kasan_report.cold+0xe6/0x147
   dm_pool_register_metadata_threshold+0x40/0x80
   pool_ctr+0xa0a/0x1150
   dm_table_add_target+0x2c8/0x640
   table_load+0x1fd/0x430
   ctl_ioctl+0x2c4/0x5a0
   dm_ctl_ioctl+0xa/0x10
   __x64_sys_ioctl+0xb3/0xd0
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0

This can be easily reproduced using:
  echo offline > /sys/block/sda/device/state
  dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10
  dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0"

If a metadata commit fails, the transaction will be aborted and the
metadata space maps will be destroyed. If a DM table reload then
happens for this failed thin-pool, a use-after-free will occur in
dm_sm_register_threshold_callback (called from
dm_pool_register_metadata_threshold).

Fix this in dm_pool_register_metadata_threshold() by returning the
-EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr()
with a new error message: "Error registering metadata threshold".

Fixes: ac8c3f3df6 ("dm thin: generate event when metadata threshold passed")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-08-17 14:24:23 +02:00
accessibility tty: the rest, stop using tty_schedule_flip() 2022-07-29 17:25:32 +02:00
acpi ACPI: VIOT: Fix ACS setup 2022-08-17 14:23:11 +02:00
amba
android android: binder: stop saving a pointer to the VMA 2022-08-17 14:23:58 +02:00
ata ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() 2022-06-22 14:21:56 +02:00
atm
auxdisplay
base driver core: fix potential deadlock in __driver_attach 2022-08-17 14:23:45 +02:00
bcma
block null_blk: fix ida error handling in null_add_dev() 2022-08-17 14:24:00 +02:00
bluetooth Bluetooth: hci_intel: Add check for platform_driver_register 2022-08-17 14:23:34 +02:00
bus bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() 2022-08-17 14:23:10 +02:00
cdrom
char random: update comment from copy_to_user() -> copy_to_iter() 2022-06-29 09:03:31 +02:00
clk clk: qcom: gcc-msm8939: Fix weird field spacing in ftbl_gcc_camss_cci_clk 2022-08-17 14:23:55 +02:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:53:32 +02:00
comedi comedi: vmk80xx: fix expression for tx buffer size 2022-06-22 14:22:03 +02:00
connector
counter
cpufreq cpufreq: pmac32-cpufreq: Fix refcount leak bug 2022-07-21 21:24:34 +02:00
cpuidle cpuidle: PSCI: Improve support for suspend-to-RAM for PSCI OSI mode 2022-06-09 10:22:33 +02:00
crypto crypto: hisilicon/sec - fix auth key size error 2022-08-17 14:23:35 +02:00
cxl cxl/port: Hold port reference until decoder release 2022-07-12 16:34:58 +02:00
dax dax: make sure inodes are flushed before destroy cache 2022-04-08 14:23:31 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:53:27 +02:00
dio
dma dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t) 2022-08-17 14:23:56 +02:00
dma-buf dma-buf/poll: Get a file reference for outstanding fence callbacks 2022-07-12 16:34:51 +02:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:03:55 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:36:22 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:30:05 +02:00
firmware firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails 2022-08-17 14:24:20 +02:00
fpga fpga: altera-pr-ip: fix unsigned comparison with less than zero 2022-08-17 14:23:41 +02:00
fsi fsi: occ: Force sequence numbering per OCC 2022-07-07 17:53:32 +02:00
gnss
gpio gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() 2022-08-17 14:23:56 +02:00
gpu drm/vc4: drv: Adopt the dma configuration from the HVS or V3D component 2022-08-17 14:24:20 +02:00
greybus
hid HID: amd_sfh: Handle condition of "no sensors" 2022-08-17 14:23:57 +02:00
hsi
hv Drivers: hv: vmbus: Release cpu lock in error case 2022-06-22 14:22:00 +02:00
hwmon hwmon: (drivetemp) Add module alias 2022-08-17 14:23:13 +02:00
hwspinlock
hwtracing intel_th: pci: Add Raptor Lake-S CPU support 2022-08-17 14:24:21 +02:00
i2c i2c: mux-gpmux: Add of_node_put() when breaking out of loop 2022-08-17 14:23:34 +02:00
i3c
idle intel_idle: Disable IBRS during long idle 2022-07-23 12:54:04 +02:00
iio iio: cros: Register FIFO callback after sensor is registered 2022-08-17 14:23:55 +02:00
infiniband RDMA/rxe: Fix error unwind in rxe_create_qp() 2022-08-17 14:23:59 +02:00
input Input: gscps2 - check return value of ioremap() in gscps2_probe() 2022-08-17 14:24:19 +02:00
interconnect interconnect: imx: fix max_node_id 2022-08-17 14:23:53 +02:00
iommu iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) 2022-08-17 14:24:22 +02:00
ipack
irqchip irqchip/mips-gic: Check the return value of ioremap() in gic_of_init() 2022-08-17 14:23:01 +02:00
isdn
leds
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:07:54 +02:00
mailbox mailbox: forward the hrtimer if not queued and under a lock 2022-06-09 10:23:12 +02:00
mcb
md dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-08-17 14:24:23 +02:00
media media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment 2022-08-17 14:23:28 +02:00
memory memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash 2022-07-12 16:34:52 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-17 14:23:50 +02:00
message
mfd mfd: max77620: Fix refcount leak in max77620_initialise_fps 2022-08-17 14:24:09 +02:00
misc eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write() 2022-08-17 14:23:52 +02:00
mmc mmc: cavium-thunderx: Add of_node_put() when breaking out of loop 2022-08-17 14:23:57 +02:00
most
mtd mtd: spi-nor: fix spi_nor_spimem_setup_op() call in spi_nor_erase_{sector,chip}() 2022-08-17 14:23:58 +02:00
mux
net usbnet: smsc95xx: Fix deadlock on runtime resume 2022-08-17 14:24:20 +02:00
nfc NFC: nxp-nci: don't print header length mismatch on i2c error 2022-07-21 21:24:35 +02:00
ntb
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:53:24 +02:00
nvme nvme: catch -ENODEV from nvme_revalidate_zones again 2022-08-17 14:24:00 +02:00
nvmem
of of/fdt: declared return type does not match actual return type 2022-08-17 14:23:59 +02:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-17 14:24:01 +02:00
parisc parisc: Check the return value of ioremap() in lba_driver_probe() 2022-08-17 14:22:51 +02:00
parport
pci PCI: qcom: Power on PHY before IPQ8074 DBI register accesses 2022-08-17 14:24:22 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:36:02 +02:00
perf drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX 2022-08-17 14:23:14 +02:00
phy phy: stm32: fix error return in stm32_usbphyc_phy_init 2022-08-17 14:23:52 +02:00
pinctrl pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context 2022-07-29 17:25:20 +02:00
platform platform/olpc: Fix uninitialized data in debugfs write 2022-08-17 14:23:58 +02:00
pnp
power power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe 2022-07-29 17:25:10 +02:00
powercap
pps pps: clients: gpio: Propagate return value from pps_gpio_probe 2022-04-08 14:23:44 +02:00
ps3
ptp ptp: replace snprintf with sysfs_emit 2022-04-13 20:59:01 +02:00
pwm pwm: lpc18xx: Fix period handling 2022-08-17 14:23:16 +02:00
rapidio
ras
regulator regulator: of: Fix refcount leak bug in of_get_regulation_constraints() 2022-08-17 14:23:14 +02:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-17 14:24:09 +02:00
reset reset: tegra-bpmp: Restore Handle errors in BPMP response 2022-04-27 14:38:55 +02:00
rpmsg rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge 2022-08-17 14:24:08 +02:00
rtc rtc: rx8025: fix 12/24 hour mode detection on RX-8035 2022-08-17 14:22:53 +02:00
s390 scsi: zfcp: Fix missing auto port scan and thus missing target ports 2022-08-17 14:24:16 +02:00
sbus
scsi scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand after VMID 2022-08-17 14:24:21 +02:00
sh
siox
slimbus slimbus: qcom: Fix IRQ check in qcom_slim_probe 2022-05-18 10:26:55 +02:00
soc soc: qcom: Make QCOM_RPMPD depend on PM 2022-08-17 14:23:14 +02:00
soundwire soundwire: revisit driver bind/unbind and callbacks 2022-08-17 14:23:48 +02:00
spi spi: tegra20-slink: fix UAF in tegra_slink_remove() 2022-08-17 14:23:12 +02:00
spmi
ssb
staging staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback 2022-08-17 14:23:50 +02:00
target target: remove an incorrect unmap zeroes data deduction 2022-06-09 10:22:47 +02:00
tc
tee
thermal thermal: sysfs: Fix cooling_device_stats_setup() error code path 2022-08-17 14:22:50 +02:00
thunderbolt thunderbolt: Use different lane for second DisplayPort tunnel 2022-06-14 18:36:20 +02:00
tty tty: 8250: Add support for Brainboxes PX cards. 2022-08-17 14:24:23 +02:00
uio
usb usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() 2022-08-17 14:24:01 +02:00
vdpa vduse: Tie vduse mgmtdev and its device 2022-07-21 21:24:33 +02:00
vfio vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used 2022-04-20 09:34:13 +02:00
vhost vringh: Fix loop descriptors check in the indirect cases 2022-06-14 18:36:24 +02:00
video video: fbdev: s3fb: Check the size of screen before memset_io() 2022-08-17 14:24:16 +02:00
virt virt: acrn: fix a memory leak in acrn_dev_ioctl() 2022-04-08 14:23:50 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:24:33 +02:00
visorbus
vlynq
vme
w1 w1: w1_therm: fixes w1_seq for ds28ea00 sensors 2022-04-13 20:59:11 +02:00
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-17 14:24:11 +02:00
xen xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE 2022-07-21 21:24:23 +02:00
zorro
Kconfig
Makefile