* [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation
@ 2026-06-17 6:00 ghuicao
2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao
2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao
0 siblings, 2 replies; 5+ messages in thread
From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw)
To: Mike Snitzer
Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel,
linux-kernel, Cao Guanghui
From: Cao Guanghui <caoguanghui@kylinos.cn>
This series fixes two issues in dm-era:
1. metadata_open() returns NULL on kzalloc failure, but era_ctr() only
checks IS_ERR(), causing a NULL pointer dereference.
2. era_ctr() replaces actual error codes from dm_get_device() and
dm_set_target_max_io_len() with hardcoded -EINVAL, making diagnosis
harder for users.
Both are straightforward fixes with no functional change for the
success path.
Cao Guanghui (2):
dm era: fix NULL pointer dereference in metadata_open()
dm era: fix error code propagation in era_ctr()
drivers/md/dm-era-target.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--
2.25.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open()
2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao
@ 2026-06-17 6:00 ` ghuicao
2026-06-18 11:55 ` Su Yue
2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao
1 sibling, 1 reply; 5+ messages in thread
From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw)
To: Mike Snitzer
Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel,
linux-kernel, Cao Guanghui
From: Cao Guanghui <caoguanghui@kylinos.cn>
metadata_open() returns NULL when kzalloc_obj() fails, but the
caller era_ctr() only checks IS_ERR(md). Since IS_ERR(NULL)
returns false, the NULL pointer is treated as a valid result
and later assigned to era->md, leading to a NULL pointer
dereference when the metadata is accessed.
Fix this by returning ERR_PTR(-ENOMEM) on allocation failure,
consistent with dm-cache-metadata.c, dm-thin-metadata.c, and
dm-clone-metadata.c which all use ERR_PTR(-ENOMEM) for the
same pattern.
Fixes: eec40579d848 ("dm: add era target")
Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn>
---
drivers/md/dm-era-target.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c
index 05285c04ff2c..08ce96e8cf4f 100644
--- a/drivers/md/dm-era-target.c
+++ b/drivers/md/dm-era-target.c
@@ -810,8 +810,10 @@ static struct era_metadata *metadata_open(struct block_device *bdev,
int r;
struct era_metadata *md = kzalloc_obj(*md);
- if (!md)
- return NULL;
+ if (!md) {
+ DMERR("could not allocate metadata struct");
+ return ERR_PTR(-ENOMEM);
+ }
md->bdev = bdev;
md->block_size = block_size;
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] dm era: fix error code propagation in era_ctr()
2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao
2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao
@ 2026-06-17 6:00 ` ghuicao
2026-06-18 11:58 ` Su Yue
1 sibling, 1 reply; 5+ messages in thread
From: ghuicao @ 2026-06-17 6:00 UTC (permalink / raw)
To: Mike Snitzer
Cc: Alasdair Kergon, Mikulas Patocka, Benjamin Marzinski, dm-devel,
linux-kernel, Cao Guanghui
From: Cao Guanghui <caoguanghui@kylinos.cn>
era_ctr() replaces the actual error codes returned by dm_get_device()
and dm_set_target_max_io_len() with hardcoded -EINVAL, discarding
the real reason for the failure (e.g. -ENODEV, -ENOMEM). This makes
it harder for users to diagnose problems and is inconsistent with
other dm targets (dm-thin, dm-verity, dm-flakey, dm-ebs) which
propagate the original error.
Fix all three sites to return 'r' instead of -EINVAL.
Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn>
---
drivers/md/dm-era-target.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c
index 08ce96e8cf4f..4eb1c4f90e1b 100644
--- a/drivers/md/dm-era-target.c
+++ b/drivers/md/dm-era-target.c
@@ -1488,7 +1488,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv)
if (r) {
ti->error = "Error opening metadata device";
era_destroy(era);
- return -EINVAL;
+ return r;
}
r = dm_get_device(ti, argv[1], BLK_OPEN_READ | BLK_OPEN_WRITE,
@@ -1496,7 +1496,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv)
if (r) {
ti->error = "Error opening data device";
era_destroy(era);
- return -EINVAL;
+ return r;
}
r = sscanf(argv[2], "%u%c", &era->sectors_per_block, &dummy);
@@ -1510,7 +1510,7 @@ static int era_ctr(struct dm_target *ti, unsigned int argc, char **argv)
if (r) {
ti->error = "could not set max io len";
era_destroy(era);
- return -EINVAL;
+ return r;
}
if (!valid_block_size(era->sectors_per_block)) {
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open()
2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao
@ 2026-06-18 11:55 ` Su Yue
0 siblings, 0 replies; 5+ messages in thread
From: Su Yue @ 2026-06-18 11:55 UTC (permalink / raw)
To: ghuicao
Cc: Mike Snitzer, Alasdair Kergon, Mikulas Patocka,
Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui
On Wed 17 Jun 2026 at 14:00, ghuicao@163.com wrote:
> From: Cao Guanghui <caoguanghui@kylinos.cn>
>
> metadata_open() returns NULL when kzalloc_obj() fails, but the
> caller era_ctr() only checks IS_ERR(md). Since IS_ERR(NULL)
> returns false, the NULL pointer is treated as a valid result
> and later assigned to era->md, leading to a NULL pointer
> dereference when the metadata is accessed.
>
> Fix this by returning ERR_PTR(-ENOMEM) on allocation failure,
> consistent with dm-cache-metadata.c, dm-thin-metadata.c, and
> dm-clone-metadata.c which all use ERR_PTR(-ENOMEM) for the
> same pattern.
>
> Fixes: eec40579d848 ("dm: add era target")
> Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn>
>
Reviewed-by: Su Yue <glass.su@suse.com>
> ---
> drivers/md/dm-era-target.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/md/dm-era-target.c
> b/drivers/md/dm-era-target.c
> index 05285c04ff2c..08ce96e8cf4f 100644
> --- a/drivers/md/dm-era-target.c
> +++ b/drivers/md/dm-era-target.c
> @@ -810,8 +810,10 @@ static struct era_metadata
> *metadata_open(struct block_device *bdev,
> int r;
> struct era_metadata *md = kzalloc_obj(*md);
>
> - if (!md)
> - return NULL;
> + if (!md) {
> + DMERR("could not allocate metadata struct");
> + return ERR_PTR(-ENOMEM);
> + }
>
> md->bdev = bdev;
> md->block_size = block_size;
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 2/2] dm era: fix error code propagation in era_ctr()
2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao
@ 2026-06-18 11:58 ` Su Yue
0 siblings, 0 replies; 5+ messages in thread
From: Su Yue @ 2026-06-18 11:58 UTC (permalink / raw)
To: ghuicao
Cc: Mike Snitzer, Alasdair Kergon, Mikulas Patocka,
Benjamin Marzinski, dm-devel, linux-kernel, Cao Guanghui
On Wed 17 Jun 2026 at 14:00, ghuicao@163.com wrote:
> From: Cao Guanghui <caoguanghui@kylinos.cn>
>
> era_ctr() replaces the actual error codes returned by
> dm_get_device()
> and dm_set_target_max_io_len() with hardcoded -EINVAL,
> discarding
> the real reason for the failure (e.g. -ENODEV, -ENOMEM). This
> makes
> it harder for users to diagnose problems and is inconsistent
> with
> other dm targets (dm-thin, dm-verity, dm-flakey, dm-ebs) which
> propagate the original error.
>
> Fix all three sites to return 'r' instead of -EINVAL.
>
> Signed-off-by: Cao Guanghui <caoguanghui@kylinos.cn>
>
Reviewed-by: Su Yue <glass.su@suse.com>
> ---
> drivers/md/dm-era-target.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/md/dm-era-target.c
> b/drivers/md/dm-era-target.c
> index 08ce96e8cf4f..4eb1c4f90e1b 100644
> --- a/drivers/md/dm-era-target.c
> +++ b/drivers/md/dm-era-target.c
> @@ -1488,7 +1488,7 @@ static int era_ctr(struct dm_target *ti,
> unsigned int argc, char **argv)
> if (r) {
> ti->error = "Error opening metadata device";
> era_destroy(era);
> - return -EINVAL;
> + return r;
> }
>
> r = dm_get_device(ti, argv[1], BLK_OPEN_READ | BLK_OPEN_WRITE,
> @@ -1496,7 +1496,7 @@ static int era_ctr(struct dm_target *ti,
> unsigned int argc, char **argv)
> if (r) {
> ti->error = "Error opening data device";
> era_destroy(era);
> - return -EINVAL;
> + return r;
> }
>
> r = sscanf(argv[2], "%u%c", &era->sectors_per_block, &dummy);
> @@ -1510,7 +1510,7 @@ static int era_ctr(struct dm_target *ti,
> unsigned int argc, char **argv)
> if (r) {
> ti->error = "could not set max io len";
> era_destroy(era);
> - return -EINVAL;
> + return r;
> }
>
> if (!valid_block_size(era->sectors_per_block)) {
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-06-18 12:03 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-17 6:00 [PATCH 0/2] dm era: fix metadata_open NULL deref and error propagation ghuicao
2026-06-17 6:00 ` [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open() ghuicao
2026-06-18 11:55 ` Su Yue
2026-06-17 6:00 ` [PATCH 2/2] dm era: fix error code propagation in era_ctr() ghuicao
2026-06-18 11:58 ` Su Yue
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.