2022-09-09 04:42:20

by Li Zhong

Subject: [PATCH v1] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()

Check the return value of md_bitmap_get_counter() in case it returns
NULL pointer, which will result in a null pointer dereference.

Signed-off-by: Li Zhong <[email protected]>
---
drivers/md/md-bitmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index bf6dffadbe6f..06ab1098ff99 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -2195,7 +2195,7 @@ int md_bitmap_resize(struct bitmap *bitmap, sector_t blocks,

if (set) {
bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1);
- if (*bmc_new == 0) {
+ if (bmc_new && *bmc_new == 0) {
/* need to set on-disk bits too. */
sector_t end = block + new_blocks;
sector_t start = block >> chunkshift;
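Review bot: the NULL test is added only to the "if (*bmc_new == 0)" condition, so it protects just that inner block. The smatch listing further down this page shows "*bmc_new |= NEEDED_MASK;" at line 2211, after that block closes, still dereferencing the pointer unconditionally. Test bmc_new once, directly after the md_bitmap_get_counter() call, and skip the rest of the "if (set)" body when it is NULL, so that every later use is covered by the same check.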
--
2.25.1


2022-09-13 09:24:28

by Dan Carpenter

Subject: Re: [PATCH v1] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()

Hi Li,

https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Li-Zhong/drivers-md-md-bitmap-check-the-return-value-of-md_bitmap_get_counter/20220909-121143
base: git://git.kernel.org/pub/scm/linux/kernel/git/song/md.git md-next
config: m68k-randconfig-m031-20220909
compiler: m68k-linux-gcc (GCC) 12.1.0

If you fix the issue, kindly add the following tags where applicable
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

smatch warnings:
drivers/md/md-bitmap.c:2211 md_bitmap_resize() error: we previously assumed 'bmc_new' could be null (see line 2198)

vim +/bmc_new +2211 drivers/md/md-bitmap.c

c9d65032282943 drivers/md/bitmap.c Guoqing Jiang 2016-05-02 2184 } else
c9d65032282943 drivers/md/bitmap.c Guoqing Jiang 2016-05-02 2185 bitmap->counts.bp[page].count += 1;
c9d65032282943 drivers/md/bitmap.c Guoqing Jiang 2016-05-02 2186 }
c9d65032282943 drivers/md/bitmap.c Guoqing Jiang 2016-05-02 2187 }
c9d65032282943 drivers/md/bitmap.c Guoqing Jiang 2016-05-02 2188
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2189 for (block = 0; block < blocks; ) {
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2190 bitmap_counter_t *bmc_old, *bmc_new;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2191 int set;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2192
e64e4018d57271 drivers/md/md-bitmap.c Andy Shevchenko 2018-08-01 2193 bmc_old = md_bitmap_get_counter(&old_counts, block, &old_blocks, 0);
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2194 set = bmc_old && NEEDED(*bmc_old);
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2195
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2196 if (set) {
e64e4018d57271 drivers/md/md-bitmap.c Andy Shevchenko 2018-08-01 2197 bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1);
a0b3a521efba6a drivers/md/md-bitmap.c Li Zhong 2022-09-08 @2198 if (bmc_new && *bmc_new == 0) {
^^^^^^^
New check for NULL

d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2199 /* need to set on-disk bits too. */
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2200 sector_t end = block + new_blocks;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2201 sector_t start = block >> chunkshift;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2202 start <<= chunkshift;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2203 while (start < end) {
e64e4018d57271 drivers/md/md-bitmap.c Andy Shevchenko 2018-08-01 2204 md_bitmap_file_set_bit(bitmap, block);
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2205 start += 1 << chunkshift;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2206 }
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2207 *bmc_new = 2;
e64e4018d57271 drivers/md/md-bitmap.c Andy Shevchenko 2018-08-01 2208 md_bitmap_count_page(&bitmap->counts, block, 1);
e64e4018d57271 drivers/md/md-bitmap.c Andy Shevchenko 2018-08-01 2209 md_bitmap_set_pending(&bitmap->counts, block);
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2210 }
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 @2211 *bmc_new |= NEEDED_MASK;
^^^^^^^^
Unchecked dereference

d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2212 if (new_blocks < old_blocks)
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2213 old_blocks = new_blocks;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2214 }
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2215 block += old_blocks;
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2216 }
d60b479d177a57 drivers/md/bitmap.c NeilBrown 2012-05-22 2217
0868b99c214a3d drivers/md/md-bitmap.c Zdenek Kabelac 2017-11-08 2218 if (bitmap->counts.bp != old_counts.bp) {
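
The check-then-dereference pattern smatch reports above, as an added example that is not part of this thread or of the kernel source: a user-space model in which the lookup result is tested once, before any use, so the trailing OR can never see NULL. All names (get_counter, carry_over, struct counts, fail_from) and the constants are hypothetical stand-ins.

```c
/* Constructed user-space model; not the kernel's types or values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t counter_t;
#define NEEDED_MASK ((counter_t)0x8000)
#define NBLOCKS 8

struct counts {
    counter_t slot[NBLOCKS];
    int fail_from;              /* lookups for blocks >= fail_from fail */
};

/* Stand-in for a lookup that can fail, e.g. backing page not allocated. */
static counter_t *get_counter(struct counts *c, size_t block)
{
    if (block >= NBLOCKS || (int)block >= c->fail_from)
        return NULL;
    return &c->slot[block];
}

/* Carry "needed" blocks from src to dst. Returns how many blocks could
 * not be carried over because the destination lookup failed. */
static int carry_over(struct counts *src, struct counts *dst)
{
    int lost = 0;
    for (size_t block = 0; block < NBLOCKS; block++) {
        counter_t *prev = get_counter(src, block);
        if (!prev || !(*prev & NEEDED_MASK))
            continue;
        counter_t *cur = get_counter(dst, block);
        if (!cur) {             /* single check, ahead of every use */
            lost++;
            continue;
        }
        if (*cur == 0)
            *cur = 2;
        *cur |= NEEDED_MASK;    /* the use a condition-only guard leaves exposed */
    }
    return lost;
}

int main(void)
{
    struct counts src = { .slot = { [1] = 0x8001, [5] = 0x8001 }, .fail_from = NBLOCKS };
    struct counts dst = { .fail_from = 4 };   /* constructed: block 5 lookup fails */
    printf("lost=%d\n", carry_over(&src, &dst));
    return 0;
}
```

Returning the count of skipped blocks makes the failure visible to the caller instead of dropping the "needed" state without a trace.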

2022-10-20 18:29:37

by Song Liu

Subject: Re: [PATCH v1] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()

On Thu, Sep 8, 2022 at 9:09 PM Li Zhong <[email protected]> wrote:
>
> Check the return value of md_bitmap_get_counter() in case it returns
> NULL pointer, which will result in a null pointer dereference.
>
> Signed-off-by: Li Zhong <[email protected]>

Somehow I didn't get v2 of this in my inbox. So replying to v1:

Applied v2 to md-next.

Thanks,
Song

> ---
> drivers/md/md-bitmap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
> index bf6dffadbe6f..06ab1098ff99 100644
> --- a/drivers/md/md-bitmap.c
> +++ b/drivers/md/md-bitmap.c
> @@ -2195,7 +2195,7 @@ int md_bitmap_resize(struct bitmap *bitmap, sector_t blocks,
>
> if (set) {
> bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1);
> - if (*bmc_new == 0) {
> + if (bmc_new && *bmc_new == 0) {
> /* need to set on-disk bits too. */
> sector_t end = block + new_blocks;
> sector_t start = block >> chunkshift;
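Review bot: with "bmc_new && *bmc_new == 0" a NULL return from md_bitmap_get_counter(), called here with 1 as its last argument, is treated exactly like a counter that is already non-zero, so the failed lookup passes silently. Handle the NULL case explicitly (warn and skip the block, or return an error from md_bitmap_resize()), and say in the commit message which behaviour is intended and when the function can return NULL.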
> --
> 2.25.1
>