[dm-devel] [PATCH] dm: dm-zone: Fix NULL pointer dereference in dm_zone_map_bio()
Damien Le Moal
damien.lemoal at opensource.wdc.com
Mon Apr 11 13:05:58 UTC 2022
On 4/11/22 22:02, Ming Lei wrote:
> On Mon, Apr 11, 2022 at 06:38:38PM +0900, Damien Le Moal wrote:
>> Commit 0fbb4d93b38b ("dm: add dm_submit_bio_remap interface") changed
>> the alloc_io() function to delay the initialization of struct dm_io
>> orig_bio field, leaving this field as NULL until the first call to
>> __split_and_process_bio() is executed for the user submitted BIO. This
>> change causes a NULL pointer dereference in dm_zone_map_bio() when the
>> original user BIO is inspected to detect the need for zone append
>> command emulation.
>>
>> Avoid this problem by adding a struct clone_info *ci argument to the
>> __map_bio() function and a struct bio *orig_bio argument to
>> dm_zone_map_bio(). Doing so, the call to dm_zone_map_bio() can be passed
>> directly a pointer to the original user BIO using the bio field of
>> struct clone_info.
>>
>> Fixes: 0fbb4d93b38b ("dm: add dm_submit_bio_remap interface")
>> Signed-off-by: Damien Le Moal <damien.lemoal at opensource.wdc.com>
>> ---
>> drivers/md/dm-zone.c | 3 +--
>> drivers/md/dm.c | 10 +++++-----
>> drivers/md/dm.h | 5 +++--
>> 3 files changed, 9 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/md/dm-zone.c b/drivers/md/dm-zone.c
>> index c1ca9be4b79e..772161f0b029 100644
>> --- a/drivers/md/dm-zone.c
>> +++ b/drivers/md/dm-zone.c
>> @@ -513,13 +513,12 @@ static bool dm_need_zone_wp_tracking(struct bio *orig_bio)
>> /*
>> * Special IO mapping for targets needing zone append emulation.
>> */
>> -int dm_zone_map_bio(struct dm_target_io *tio)
>> +int dm_zone_map_bio(struct dm_target_io *tio, struct bio *orig_bio)
>> {
>> struct dm_io *io = tio->io;
>> struct dm_target *ti = tio->ti;
>> struct mapped_device *md = io->md;
>> struct request_queue *q = md->queue;
>> - struct bio *orig_bio = io->orig_bio;
>> struct bio *clone = &tio->clone;
>> unsigned int zno;
>> blk_status_t sts;
>> diff --git a/drivers/md/dm.c b/drivers/md/dm.c
>> index 3c5fad7c4ee6..1d8f24f04c7d 100644
>> --- a/drivers/md/dm.c
>> +++ b/drivers/md/dm.c
>> @@ -1258,7 +1258,7 @@ static noinline void __set_swap_bios_limit(struct mapped_device *md, int latch)
>> mutex_unlock(&md->swap_bios_lock);
>> }
>>
>> -static void __map_bio(struct bio *clone)
>> +static void __map_bio(struct clone_info *ci, struct bio *clone)
>> {
>> struct dm_target_io *tio = clone_to_tio(clone);
>> int r;
>> @@ -1287,7 +1287,7 @@ static void __map_bio(struct bio *clone)
>> * map operation.
>> */
>> if (dm_emulate_zone_append(io->md))
>> - r = dm_zone_map_bio(tio);
>> + r = dm_zone_map_bio(tio, ci->bio);
>
> It depends if bio_split() in dm_split_and_process_bio() can be triggered
> for dm-zone. If it can be triggered, here the actual original bio should
> be the one returned from bio_split().
It was like this before commit 0fbb4d93b38b... I will check again though.
>
> Thanks,
> Ming
>
--
Damien Le Moal
Western Digital Research
More information about the dm-devel
mailing list