* [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation @ 2026-06-17 6:00 ghuicao 2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao 2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao 0 siblings, 2 replies; 5+ messages in thread From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw) To: Mike Snitzer Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui From: Cao Guanghui <caoguanghui@kylinos.cn> This series fixes two issues in dm-era: 1. metadata_open() returns NULL on kzalloc failure, but era_ctr() only checks IS_ERR(), causing a NULL pointer dereference. 2. era_ctr() replaces actual error codes from dm_get_device() and dm_set_target_max_io_len() with hardcoded -EINVAL, making diagnosis harder for users. Both are straightforward fixes with no functional change for the success path. Cao Guanghui (2): dm era: fix NULL pointer dereference in metadata_open() dm era: fix error code propagation in era_ctr() drivers/md/dm-era-target.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() 2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao @ 2026-06-17 6:00 ` ghuicao 2026-06-18 11:55 ` Su Yue 2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao 1 sibling, 1 reply; 5+ messages in thread From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw) To: Mike Snitzer Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui From: Cao Guanghui <caoguanghui@kylinos.cn> metadata_open() returns NULL when kzalloc_obj() fails, but the caller era_ctr() only checks IS_ERR(md). Since IS_ERR(NULL) returns false, the NULL pointer is treated as a valid result and later assigned to era->md, leading to a NULL pointer dereference when the metadata is accessed. Fix this by returning ERR_PTR(-ENOMEM) on allocation failure, consistent with dm-cache-metadata.c, dm-thin-metadata.c, and dm-clone-metadata.c which all use ERR_PTR(-ENOMEM) for the same pattern. Fixes: eec40579d848 ("dm: add era target") Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn> --- drivers/md/dm-era-target.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c index 05285c04ff2c..08ce96e8cf4f 100644 --- a/drivers/md/dm-era-target.c +++ b/drivers/md/dm-era-target.c @@ -810,8 +810,10 @@ static struct era_metadata *metadata_open(struct block_device *bdev, int r; struct era_metadata *md = kzalloc_obj(*md); - if (!md) - return NULL; + if (!md) { + DMERR("could not allocate metadata struct"); + return ERR_PTR(-ENOMEM); + } md->bdev = bdev; md->block_size = block_size; -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() 2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao @ 2026-06-18 11:55 ` Su Yue 0 siblings, 0 replies; 5+ messages in thread From: Su Yue @ 2026-06-18 11:55 UTC (permalink / raw) To: ghuicao Cc: Mike Snitzer, Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui On Wed 17 Jun 2026 at 14:00, ghuicao@163.com wrote: > From: Cao Guanghui <caoguanghui@kylinos.cn> > > metadata_open() returns NULL when kzalloc_obj() fails, but the > caller era_ctr() only checks IS_ERR(md). Since IS_ERR(NULL) > returns false, the NULL pointer is treated as a valid result > and later assigned to era->md, leading to a NULL pointer > dereference when the metadata is accessed. > > Fix this by returning ERR_PTR(-ENOMEM) on allocation failure, > consistent with dm-cache-metadata.c, dm-thin-metadata.c, and > dm-clone-metadata.c which all use ERR_PTR(-ENOMEM) for the > same pattern. > > Fixes: eec40579d848 ("dm: add era target") > Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn> > Reviewed-by: Su Yue <glass.su@suse.com> > --- > drivers/md/dm-era-target.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/md/dm-era-target.c > b/drivers/md/dm-era-target.c > index 05285c04ff2c..08ce96e8cf4f 100644 > --- a/drivers/md/dm-era-target.c > +++ b/drivers/md/dm-era-target.c > @@ -810,8 +810,10 @@ static struct era_metadata > *metadata_open(struct block_device *bdev, > int r; > struct era_metadata *md = kzalloc_obj(*md); > > - if (!md) > - return NULL; > + if (!md) { > + DMERR("could not allocate metadata struct"); > + return ERR_PTR(-ENOMEM); > + } > > md->bdev = bdev; > md->block_size = block_size; ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/2] dm era: fix error code propagation in era_ctr() 2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao 2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao @ 2026-06-17 6:00 ` ghuicao 2026-06-18 11:58 ` Su Yue 1 sibling, 1 reply; 5+ messages in thread From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw) To: Mike Snitzer Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui From: Cao Guanghui <caoguanghui@kylinos.cn> era_ctr() replaces the actual error codes returned by dm_get_device() and dm_set_target_max_io_len() with hardcoded -EINVAL, discarding the real reason for the failure (e.g. -ENODEV, -ENOMEM). This makes it harder for users to diagnose problems and is inconsistent with other dm targets (dm-thin, dm-verity, dm-flakey, dm-ebs) which propagate the original error. Fix all three sites to return 'r' instead of -EINVAL. Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn> --- drivers/md/dm-era-target.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c index 08ce96e8cf4f..4eb1c4f90e1b 100644 --- a/drivers/md/dm-era-target.c +++ b/drivers/md/dm-era-target.c @@ -1488,7 +1488,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv) if (r) { ti->error = "Error opening metadata device"; era_destroy(era); - return -EINVAL; + return r; } r = dm_get_device(ti, argv[1], BLK_OPEN_READ | BLK_OPEN_WRITE, @@ -1496,7 +1496,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv) if (r) { ti->error = "Error opening data device"; era_destroy(era); - return -EINVAL; + return r; } r = sscanf(argv[2], "%u%c", &era->sectors_per_block, &dummy); @@ -1510,7 +1510,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv) if (r) { ti->error = "could not set max io len"; era_destroy(era); - return -EINVAL; + return r; } if (!valid_block_size(era->sectors_per_block)) { -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] dm era: fix error code propagation in era_ctr() 2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao @ 2026-06-18 11:58 ` Su Yue 0 siblings, 0 replies; 5+ messages in thread From: Su Yue @ 2026-06-18 11:58 UTC (permalink / raw) To: ghuicao Cc: Mike Snitzer, Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui On Wed 17 Jun 2026 at 14:00, ghuicao@163.com wrote: > From: Cao Guanghui <caoguanghui@kylinos.cn> > > era_ctr() replaces the actual error codes returned by > dm_get_device() > and dm_set_target_max_io_len() with hardcoded -EINVAL, > discarding > the real reason for the failure (e.g. -ENODEV, -ENOMEM). This > makes > it harder for users to diagnose problems and is inconsistent > with > other dm targets (dm-thin, dm-verity, dm-flakey, dm-ebs) which > propagate the original error. > > Fix all three sites to return 'r' instead of -EINVAL. > > Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn> > Reviewed-by: Su Yue <glass.su@suse.com> > --- > drivers/md/dm-era-target.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/md/dm-era-target.c > b/drivers/md/dm-era-target.c > index 08ce96e8cf4f..4eb1c4f90e1b 100644 > --- a/drivers/md/dm-era-target.c > +++ b/drivers/md/dm-era-target.c > @@ -1488,7 +1488,7 @@ static int era_ctr(struct dm_target *ti, > unsigned int argc, char **argv) > if (r) { > ti->error = "Error opening metadata device"; > era_destroy(era); > - return -EINVAL; > + return r; > } > > r = dm_get_device(ti, argv[1], BLK_OPEN_READ | BLK_OPEN_WRITE, > @@ -1496,7 +1496,7 @@ static int era_ctr(struct dm_target *ti, > unsigned int argc, char **argv) > if (r) { > ti->error = "Error opening data device"; > era_destroy(era); > - return -EINVAL; > + return r; > } > > r = sscanf(argv[2], "%u%c", &era->sectors_per_block, &dummy); > @@ -1510,7 +1510,7 @@ static int era_ctr(struct dm_target *ti, > unsigned int argc, char **argv) > if (r) { > ti->error = "could not set max io len"; > era_destroy(era); > - return -EINVAL; > + return r; > } > > if (!valid_block_size(era->sectors_per_block)) { ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-06-18 12:03 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao 2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao 2026-06-18 11:55 ` Su Yue 2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao 2026-06-18 11:58 ` Su Yue
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.