* [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
From: Alexandr Sapozhnkiov @ 2025-09-22 14:42 UTC
To: Alasdair Kergon, Mike Snitzer, dm-devel, linux-kernel
Cc: Alexandr Sapozhnikov, linux-media, lvc-project
From: Alexandr Sapozhnikov <alsp705@gmail.com>
Return value of a function '__lookup_origin' is dereferenced
at dm-snap.c:596 without checking for NULL, but it is usually
checked for this function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
---
drivers/md/dm-snap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
index 4668b2cd98f4..105f6e768ad1 100644
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -590,12 +590,15 @@ static int register_snapshot(struct dm_snapshot *snap)
*/
static void reregister_snapshot(struct dm_snapshot *s)
{
+ struct origin *o;
struct block_device *bdev = s->origin->bdev;
down_write(&_origins_lock);
+ o = __lookup_origin(s->origin->bdev);
list_del(&s->list);
- __insert_snapshot(__lookup_origin(bdev), s);
+ if (o)
+ __insert_snapshot(o, s);
up_write(&_origins_lock);
}
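Review bot: in the NULL case the snapshot is silently dropped, because `list_del(&s->list)` runs before the `if (o)` test and nothing re-inserts or reports it when `o` is NULL. Consider checking the lookup result before `list_del()` and leaving the list untouched (with a `WARN_ON(!o)` or similar) so that a missing origin is visible rather than leaving `s` unlinked. Separately, the new lookup reads `s->origin->bdev` directly, so the existing local `bdev` is no longer used anywhere in the function; either call `__lookup_origin(bdev)` or remove the declaration to avoid an unused-variable warning.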
--
2.43.0
* Re: [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
From: kernel test robot @ 2025-09-23 6:05 UTC
To: Alexandr Sapozhnkiov, Alasdair Kergon, Mike Snitzer, dm-devel,
linux-kernel
Cc: llvm, oe-kbuild-all, Alexandr Sapozhnikov, linux-media,
lvc-project
Hi Alexandr,
kernel test robot noticed the following build warnings:
[auto build test WARNING on device-mapper-dm/for-next]
[also build test WARNING on linus/master v6.17-rc7 next-20250922]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Alexandr-Sapozhnkiov/md-fix-NULL-pointer-dereference-at-reregister_snapshot/20250922-224522
base: https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git for-next
patch link: https://lore.kernel.org/r/20250922144239.11-1-alsp705%40gmail.com
patch subject: [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
config: s390-randconfig-002-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231318.YYdqPhnu-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project cafc064fc7a96b3979a023ddae1da2b499d6c954)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231318.YYdqPhnu-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231318.YYdqPhnu-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from <built-in>:3:
In file included from include/linux/compiler_types.h:171:
include/linux/compiler-clang.h:28:9: warning: '__SANITIZE_ADDRESS__' macro redefined [-Wmacro-redefined]
28 | #define __SANITIZE_ADDRESS__
| ^
<built-in>:369:9: note: previous definition is here
369 | #define __SANITIZE_ADDRESS__ 1
| ^
>> drivers/md/dm-snap.c:597:23: warning: unused variable 'bdev' [-Wunused-variable]
597 | struct block_device *bdev = s->origin->bdev;
| ^~~~
2 warnings generated.
vim +/bdev +597 drivers/md/dm-snap.c
c1f0c183f6acc6 Mike Snitzer 2009-12-10 590
c1f0c183f6acc6 Mike Snitzer 2009-12-10 591 /*
c1f0c183f6acc6 Mike Snitzer 2009-12-10 592 * Move snapshot to correct place in list according to chunk size.
c1f0c183f6acc6 Mike Snitzer 2009-12-10 593 */
c1f0c183f6acc6 Mike Snitzer 2009-12-10 594 static void reregister_snapshot(struct dm_snapshot *s)
c1f0c183f6acc6 Mike Snitzer 2009-12-10 595 {
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22 596 struct origin *o;
c1f0c183f6acc6 Mike Snitzer 2009-12-10 @597 struct block_device *bdev = s->origin->bdev;
c1f0c183f6acc6 Mike Snitzer 2009-12-10 598
c1f0c183f6acc6 Mike Snitzer 2009-12-10 599 down_write(&_origins_lock);
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22 600 o = __lookup_origin(s->origin->bdev);
c1f0c183f6acc6 Mike Snitzer 2009-12-10 601
c1f0c183f6acc6 Mike Snitzer 2009-12-10 602 list_del(&s->list);
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22 603 if (o)
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22 604 __insert_snapshot(o, s);
^1da177e4c3f41 Linus Torvalds 2005-04-16 605
^1da177e4c3f41 Linus Torvalds 2005-04-16 606 up_write(&_origins_lock);
^1da177e4c3f41 Linus Torvalds 2005-04-16 607 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 608
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki