Skip to content

Commit

Permalink
dm: fix use-after-free in dm_put_live_table_bio
Browse files Browse the repository at this point in the history 
dm_put_live_table_bio is called from the end of dm_submit_bio.
However, at this point, the bio may be already finished and the caller
may have freed the bio. Consequently, dm_put_live_table_bio accesses
the stale "bio" pointer.

Fix this bug by loading the bi_opf value and passing it to
dm_get_live_table_bio and dm_put_live_table_bio instead of the bio.

This bug was found by running the lvm2 testsuite with kasan.

Fixes: 563a225 ("dm: introduce dm_{get,put}_live_table_bio called from dm_submit_bio")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
  • Loading branch information
Mikulas Patocka authored and Mike Snitzer committed Jun 16, 2022
1 parent 10eb3a0 commit 5d7362d
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions drivers/md/dm.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -715,18 +715,18 @@ static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU)
}

static inline struct dm_table *dm_get_live_table_bio(struct mapped_device *md,
int *srcu_idx, struct bio *bio)
int *srcu_idx, unsigned bio_opf)
{
if (bio->bi_opf & REQ_NOWAIT)
if (bio_opf & REQ_NOWAIT)
return dm_get_live_table_fast(md);
else
return dm_get_live_table(md, srcu_idx);
}

static inline void dm_put_live_table_bio(struct mapped_device *md, int srcu_idx,
struct bio *bio)
unsigned bio_opf)
{
if (bio->bi_opf & REQ_NOWAIT)
if (bio_opf & REQ_NOWAIT)
dm_put_live_table_fast(md);
else
dm_put_live_table(md, srcu_idx);
Expand Down Expand Up @@ -1715,8 +1715,9 @@ static void dm_submit_bio(struct bio *bio)
struct mapped_device *md = bio->bi_bdev->bd_disk->private_data;
int srcu_idx;
struct dm_table *map;
unsigned bio_opf = bio->bi_opf;

map = dm_get_live_table_bio(md, &srcu_idx, bio);
map = dm_get_live_table_bio(md, &srcu_idx, bio_opf);

/* If suspended, or map not yet available, queue this IO for later */
if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) ||
Expand All @@ -1732,7 +1733,7 @@ static void dm_submit_bio(struct bio *bio)

dm_split_and_process_bio(md, map, bio);
out:
dm_put_live_table_bio(md, srcu_idx, bio);
dm_put_live_table_bio(md, srcu_idx, bio_opf);
}

static bool dm_poll_dm_io(struct dm_io *io, struct io_comp_batch *iob,
Expand Down

0 comments on commit 5d7362d

Please sign in to comment.