Commit cb65b28
dm thin metadata: check fail_io before using data_sm
Must check pmd->fail_io before using pmd->data_sm since
pmd->data_sm may be destroyed by other processes.

    P1(kworker)                             P2(message)
do_worker
 process_prepared
  process_prepared_discard_passdown_pt2
   dm_pool_dec_data_range
                                            pool_message
                                             commit
                                              dm_pool_commit_metadata
                                                ↓
                                               // commit failed
                                              metadata_operation_failed
                                               abort_transaction
                                                dm_pool_abort_metadata
                                                 __open_or_format_metadata
                                                   ↓
                                                  dm_sm_disk_open
                                                    ↓
                                                   // open failed
                                                   // pmd->data_sm is NULL
    dm_sm_dec_blocks
      ↓
     // try to access pmd->data_sm --> UAF

As shown above, if dm_pool_commit_metadata() and
dm_pool_abort_metadata() fail in pool_message process, kworker may
trigger UAF.
Fixes: be500ed ("dm space maps: improve performance with inc/dec on ranges of blocks")
Cc: stable@vger.kernel.org
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>

1 parent 2760904 commit cb65b28
1 file changed
Lines changed: 12 additions & 8 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1756 | 1756 | | |
1757 | 1757 | | |
1758 | 1758 | | |
1759 | | - | |
| 1759 | + | |
1760 | 1760 | | |
1761 | 1761 | | |
1762 | 1762 | | |
1763 | | - | |
1764 | | - | |
1765 | | - | |
| 1763 | + | |
| 1764 | + | |
| 1765 | + | |
| 1766 | + | |
| 1767 | + | |
1766 | 1768 | | |
1767 | 1769 | | |
1768 | 1770 | | |
1769 | 1771 | | |
1770 | 1772 | | |
1771 | 1773 | | |
1772 | 1774 | | |
1773 | | - | |
| 1775 | + | |
1774 | 1776 | | |
1775 | 1777 | | |
1776 | | - | |
| 1778 | + | |
| 1779 | + | |
1777 | 1780 | | |
1778 | 1781 | | |
1779 | 1782 | | |
1780 | 1783 | | |
1781 | 1784 | | |
1782 | 1785 | | |
1783 | 1786 | | |
1784 | | - | |
| 1787 | + | |
1785 | 1788 | | |
1786 | 1789 | | |
1787 | | - | |
| 1790 | + | |
| 1791 | + | |
1788 | 1792 | | |
1789 | 1793 | | |
1790 | 1794 | | |
| |||
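
The interleaving from the commit message, replayed in a single-threaded userspace model (an added example, not the kernel's code and not the contents of this patch). The struct and function names are hypothetical stand-ins, and the model assumes the failed abort path leaves `fail_io` set and `data_sm` NULL.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the objects named in the commit message. */
struct space_map { unsigned long refs; };

struct pool_md {
    bool fail_io;               /* assumed: set once a metadata operation fails */
    struct space_map *data_sm;  /* destroyed, then NULL if the reopen fails */
};

/* P2 path: commit fails, abort destroys data_sm, and the reopen fails too. */
void abort_with_failed_reopen(struct pool_md *pmd)
{
    free(pmd->data_sm);
    pmd->data_sm = NULL;
    pmd->fail_io = true;
}

/* Unguarded P1 path: touches data_sm without consulting fail_io.
 * Calling this after abort_with_failed_reopen() is an invalid access. */
int dec_range_unguarded(struct pool_md *pmd, unsigned long n)
{
    pmd->data_sm->refs -= n;
    return 0;
}

/* Guarded P1 path: fail_io is checked before data_sm is used.
 * This model is single-threaded; a concurrent version must perform
 * the check and the use under the same lock. */
int dec_range_guarded(struct pool_md *pmd, unsigned long n)
{
    int r = -EINVAL;            /* result when the pool is in failed state */

    if (!pmd->fail_io) {
        pmd->data_sm->refs -= n;
        r = 0;
    }
    return r;
}

/* Replays the order of events: P1 while healthy, P2 fails, P1 again. */
int replay(void)
{
    struct pool_md pmd = { false, calloc(1, sizeof(struct space_map)) };
    if (!pmd.data_sm)
        return -ENOMEM;
    pmd.data_sm->refs = 8;      /* constructed sample value */
    int before = dec_range_guarded(&pmd, 4);
    abort_with_failed_reopen(&pmd);
    int after = dec_range_guarded(&pmd, 4);
    return (before == 0 && after == -EINVAL) ? 0 : 1;
}
```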