dm-raid: fix possible NULL dereference with undefined raid type

jtstrs · Mikulas Patocka · commit 2f6cfd6d7cb1 · 2025-12-10T19:28:22.000+01:00
rs->raid_type is assigned from get_raid_type_by_ll(), which may return NULL. This NULL value could be dereferenced later in the condition 'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'. Add a fail-fast check to return early with an error if raid_type is NULL, similar to other uses of this function. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: 33e53f0 ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping") Signed-off-by: Alexey Simakov <bigalex934@gmail.com> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
@@ -2287,6 +2287,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
 
 			mddev->reshape_position = le64_to_cpu(sb->reshape_position);
 			rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
+			if (!rs->raid_type)
+				return -EINVAL;
 		}
 
 	} else {

Original file line number	Diff line number	Diff line change
`@@ -2287,6 +2287,8 @@ static int super_init_validation(struct raid_set rs, struct md_rdev rdev)`
`2287`	`2287`
`2288`	`2288`	`mddev->reshape_position = le64_to_cpu(sb->reshape_position);`
`2289`	`2289`	`rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);`
	`2290`	`+ if (!rs->raid_type)`
	`2291`	`+ return -EINVAL;`
`2290`	`2292`	`}`
`2291`	`2293`
`2292`	`2294`	`} else {`