From: Greg KH <gregkh@linuxfoundation.org>
To: Jeffle Xu <jefflexu@linux.alibaba.com>
Cc: snitzer@redhat.com, yebin10@huawei.com, stable@vger.kernel.org,
xiejingfeng@linux.alibaba.com, joseph.qi@linux.alibaba.com
Subject: Re: [PATCH] dm thin metadata: Fix use-after-free in dm_bm_set_read_only
Date: Sat, 18 Sep 2021 14:17:41 +0200
Message-ID: <YUXY5bIxC+Fdjyeb@kroah.com>
In-Reply-To: <20210918023105.89503-1-jefflexu@linux.alibaba.com>

On Sat, Sep 18, 2021 at 10:31:05AM +0800, Jeffle Xu wrote:
> From: Ye Bin <yebin10@huawei.com>
>
> Hi Greg,
>
> Ye Bin previously fixed a use-after-free of dm-thin in v5.9, and the
> complete patchset contains three patches:
>
> [1/3] d16ff19e69ab dm cache metadata: Avoid returning cmd->bm wild pointer on error
> [2/3] 219403d7e56f dm thin metadata: Avoid returning cmd->bm wild pointer on error
> [3/3] 3a653b205f29 dm thin metadata: Fix use-after-free in dm_bm_set_read_only
>
> However, 4.19.y stable only picked the former two patches [1]:
> [1/3] 67f03c3d6829 dm cache metadata: Avoid returning cmd->bm wild pointer on error
> [2/3] 2c00ee626ed4 dm thin metadata: Avoid returning cmd->bm wild pointer on error
>
> We encountered a NULL crash and xiejingfeng found that the omitted patch 3 can
> fix that. I'm not sure why patch 3 was not picked then, and we need this patch
> to fix this issue.
>
> [32402.449200] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
> [32402.459553] Oops: 0002 [#1] SMP NOPTI
> [32402.483982] RIP: 0010:dm_bm_set_read_only+0x5/0x10 [dm_persistent_data]
> [32402.588073] Call Trace:
> [32402.590522] dm_pool_metadata_read_only+0x22/0x30 [dm_thin_pool]
> [32402.596526] set_pool_mode+0x209/0x2e0 [dm_thin_pool]
> [32402.601579] metadata_operation_failed+0xd5/0xf0 [dm_thin_pool]
> [32402.607499] commit+0x91/0xf0 [dm_thin_pool]
> [32402.611771] pool_status+0x28a/0x700 [dm_thin_pool]
> [32402.616652] retrieve_status+0xa1/0x1c0 [dm_mod]
> [32402.627794] table_status+0x61/0xa0 [dm_mod]
> [32402.632068] ctl_ioctl+0x1b3/0x480 [dm_mod]
> [32402.636253] dm_ctl_ioctl+0xa/0x10 [dm_mod]
> [32402.640440] do_vfs_ioctl+0x9f/0x610
> [32402.653081] ksys_ioctl+0x70/0x80
> [32402.656393] __x64_sys_ioctl+0x16/0x20
> [32402.660145] do_syscall_64+0x7b/0x200
> [32402.663813] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [1] https://lore.kernel.org/lkml/20200908152225.086536876@linuxfoundation.org/
>
> ---
> commit 3a653b205f29b3f9827a01a0c88bfbcb0d169494 upstream.
>
> The following error occurred when testing disk online/offline:

Now queued up, thanks.

greg k-h
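
The gap reported in this thread (a three-patch upstream series of which only two reached 4.19.y) can be checked for mechanically, because stable backports cite their mainline commit as "commit <sha> upstream." or "[ Upstream commit <sha> ]". The script below is an added example, not part of the thread or of the kernel tree; the function names are hypothetical and the sample log is constructed from the commit ids quoted in the mail.

```shell
#!/bin/sh
# Added example: list upstream commits of a series that have no backport
# marker in a stable branch's log.

# Constructed sample: roughly what `git log --format='%h %s%n%b'` would print
# for the two 4.19.y backports named in the mail. Real backports carry the
# full 40-character upstream id; the mail only gives 12-character ids.
sample_stable_log() {
cat <<'EOF'
67f03c3d6829 dm cache metadata: Avoid returning cmd->bm wild pointer on error
commit d16ff19e69ab upstream.

2c00ee626ed4 dm thin metadata: Avoid returning cmd->bm wild pointer on error
commit 219403d7e56f upstream.
EOF
}

# missing_backports LOGFILE SHA...
# Prints every upstream id (abbreviated is fine) that has no marker line in
# LOGFILE. Matches both marker styles, case-insensitively.
missing_backports() {
    log=$1
    shift
    for sha in "$@"; do
        case $sha in
            *[!0-9a-f]*|'') echo "bad commit id: $sha" >&2; return 2 ;;
        esac
        pat="^[[:space:]]*(commit ${sha}[0-9a-f]* upstream\.?|\[ upstream commit ${sha}[0-9a-f]* ])[[:space:]]*\$"
        grep -Eiq "$pat" "$log" || printf '%s\n' "$sha"
    done
}

# Check the three-patch series from the mail against the sample log.
audit_series() {
    tmp=$(mktemp) || return 1
    sample_stable_log > "$tmp"
    missing_backports "$tmp" d16ff19e69ab 219403d7e56f 3a653b205f29
    rc=$?
    rm -f "$tmp"
    return $rc
}

audit_series
```

Against a real tree, feed missing_backports the saved output of `git log --format='%h %s%n%b'` for the stable branch instead of the sample.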