Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S3000417AbdDZNY4 (ORCPT <rfc822;w@1wt.eu>);
        Wed, 26 Apr 2017 09:24:56 -0400
Received: from mail-wm0-f54.google.com ([74.125.82.54]:33277 "EHLO
        mail-wm0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2993735AbdDZNYj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Apr 2017 09:24:39 -0400
Date: Wed, 26 Apr 2017 15:24:36 +0200
From: Lars Ellenberg <lars.ellenberg@linbit.com>
To: Heloise <os@iscas.ac.cn>
Cc: philipp.reisner@linbit.com, drbd-dev@lists.linbit.com,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drbd:fix null pointer deref in _drbd_md_sync_page_io
Message-ID: <20170426132436.GA15697@soda.linbit>
Mail-Followup-To: Heloise <os@iscas.ac.cn>, philipp.reisner@linbit.com,
        drbd-dev@lists.linbit.com, linux-kernel@vger.kernel.org
References: <1493200177-10699-1-git-send-email-os@iscas.ac.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1493200177-10699-1-git-send-email-os@iscas.ac.cn>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1638
Lines: 60

On Wed, Apr 26, 2017 at 02:49:37AM -0700, Heloise wrote:
> The return value of bio_alloc_drbd can be NULL and is used without

No, apparently it cannot, because it is basically a mempool_alloc()
with GFP_NOIO, it may sleep, but it will loop "forever" and not return NULL.

So rather fix that nonsense in bio_alloc_drbd, see below:

Thanks,

    Lars

diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index 92c60cb..9ffd940 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -150,15 +150,10 @@ static const struct block_device_operations drbd_ops = {
 
 struct bio *bio_alloc_drbd(gfp_t gfp_mask)
 {
-	struct bio *bio;
-
 	if (!drbd_md_io_bio_set)
 		return bio_alloc(gfp_mask, 1);
 
-	bio = bio_alloc_bioset(gfp_mask, 1, drbd_md_io_bio_set);
-	if (!bio)
-		return NULL;
-	return bio;
+	return bio_alloc_bioset(gfp_mask, 1, drbd_md_io_bio_set);
 }
 
 #ifdef __CHECKER__


> validation, which may cause null-pointer dereference, fix it.
> 
> Signed-off-by: Heloise <os@iscas.ac.cn>
> ---
>  drivers/block/drbd/drbd_actlog.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/block/drbd/drbd_actlog.c b/drivers/block/drbd/drbd_actlog.c
> index 8d7bcfa..d6bb30e 100644
> --- a/drivers/block/drbd/drbd_actlog.c
> +++ b/drivers/block/drbd/drbd_actlog.c
> @@ -151,6 +151,10 @@ static int _drbd_md_sync_page_io(struct drbd_device *device,
>  	op_flags |= REQ_SYNC;
>  
>  	bio = bio_alloc_drbd(GFP_NOIO);
> +	if (!bio) {
> +		err = -ENOMEM;
> +		return err;
> +	}
>  	bio->bi_bdev = bdev->md_bdev;
>  	bio->bi_iter.bi_sector = sector;
>  	err = -EIO;
> -- 
> 2.1.0