From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Coly Li, Kent Overstreet, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] bcache: Fix a NULL or wild pointer dereference in btree_gc_rewrite_node()
Date: Tue, 25 Jan 2022 00:47:01 +0800
Message-Id: <20220124164701.53525-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In btree_gc_rewrite_node(), the return value of btree_node_alloc_replacement() is assigned to n, and it returns an error code or NULL on failure. n is passed to bch_btree_node_write_sync(), and there is a dereference of it in bch_btree_node_write_sync() without checks, which may lead to a wild pointer dereference or a NULL pointer dereference depending on n.

Fix this bug by adding an IS_ERR_OR_NULL check of n.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Fixes: ("bcache: Rework btree cache reserve handling")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

 drivers/md/bcache/btree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index 88c573eeb598..06d42292e86c 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -1504,6 +1504,8 @@ static int btree_gc_rewrite_node(struct btree *b, struct btree_op *op, return 0; n = btree_node_alloc_replacement(replace, NULL); + if (IS_ERR_OR_NULL(n)) + return 0; /* recheck reserve after allocating replacement node */ if (btree_check_reserve(b, NULL)) { -- 2.25.1
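Review bot: `return 0;` on `IS_ERR_OR_NULL(n)` throws away the errno an ERR_PTR carries, so the caller cannot tell "allocation failed with an error" from the "reserve not available, skip this rewrite" case that the existing `return 0;` after the first btree_check_reserve() expresses. Either return `PTR_ERR(n)` when `IS_ERR(n)` (keeping `return 0;` for the NULL case if that is what the caller expects), or add a one-line comment saying why swallowing the error is intentional, in the same way the "recheck reserve after allocating replacement node" path directly below documents its own early return. Separately, the `Fixes:` tag in the commit message has no commit hash in front of the subject; the kernel's submitting-patches rules require the 12-character abbreviated SHA, so please add it before resending.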
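The commit message turns on one detail of the kernel's error-pointer convention: an ERR_PTR() is a non-NULL pointer value, so a plain NULL check lets it through to a dereference (the "wild pointer" case), while an IS_ERR() check alone lets a real NULL through. The following userspace C program is an added example, not code from this patch or from the bcache driver. It re-creates the ERR_PTR/PTR_ERR/IS_ERR/IS_ERR_OR_NULL semantics of include/linux/err.h so it can run outside the kernel, and it uses a hypothetical `struct node`, a constructed `enum alloc_mode` failure knob, and a stand-in `node_alloc_replacement()` in place of btree_node_alloc_replacement(); `gc_rewrite_node()` has the shape of the patched function but, unlike the patch, hands the errno back to its caller.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace re-creation of the kernel's error-pointer helpers (the semantics
 * of include/linux/err.h, assumed here, not the kernel header itself): an
 * errno is encoded as a pointer into the last 4095 bytes of the address
 * space. Such a value is non-NULL, so `if (!p)` lets it through, yet it is
 * never a valid object address, so dereferencing it is the wild pointer the
 * commit message refers to.
 */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)

static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p) { return IS_ERR_VALUE((uintptr_t)p); }
static inline bool IS_ERR_OR_NULL(const void *p)
{
	return p == NULL || IS_ERR_VALUE((uintptr_t)p);
}

/* Hypothetical stand-in for a btree node; the real struct btree is not used. */
struct node { int key; };
static struct node backing_node;

/*
 * Constructed failure knob so every outcome of the allocator contract named
 * in the commit message (valid pointer, NULL, ERR_PTR) can be exercised.
 * This is a stand-in, not btree_node_alloc_replacement() itself.
 */
enum alloc_mode { ALLOC_OK, ALLOC_NULL, ALLOC_ENOMEM, ALLOC_EINTR };

static struct node *node_alloc_replacement(enum alloc_mode mode)
{
	switch (mode) {
	case ALLOC_OK:     backing_node.key = 42; return &backing_node;
	case ALLOC_NULL:   return NULL;
	case ALLOC_ENOMEM: return ERR_PTR(-ENOMEM);
	case ALLOC_EINTR:  return ERR_PTR(-EINTR);
	}
	return ERR_PTR(-EINVAL);
}

/*
 * Shape of the patched btree_gc_rewrite_node(): guard n before anything
 * dereferences it. Returns 1 if the node was used, 0 if the rewrite was
 * skipped. Unlike the patch, the errno of an ERR_PTR is handed back through
 * *err so the caller can tell -ENOMEM from "nothing to do".
 */
static int gc_rewrite_node(enum alloc_mode mode, long *err)
{
	struct node *n = node_alloc_replacement(mode);

	if (IS_ERR_OR_NULL(n)) {
		*err = n ? PTR_ERR(n) : 0;	/* NULL carries no code */
		return 0;
	}
	*err = 0;
	n->key += 1;	/* the dereference bch_btree_node_write_sync() would do */
	return 1;
}

/* An `if (!n)` guard alone lets an ERR_PTR reach the dereference. */
static bool null_check_would_miss(enum alloc_mode mode)
{
	struct node *n = node_alloc_replacement(mode);
	return n != NULL && IS_ERR(n);
}

/* An `if (IS_ERR(n))` guard alone lets NULL reach the dereference. */
static bool is_err_check_would_miss(enum alloc_mode mode)
{
	struct node *n = node_alloc_replacement(mode);
	return !IS_ERR(n) && n == NULL;
}

int main(void)
{
	static const char *const names[] = {
		"ok", "NULL", "ERR_PTR(-ENOMEM)", "ERR_PTR(-EINTR)"
	};
	for (int m = ALLOC_OK; m <= ALLOC_EINTR; m++) {
		long err;
		int used = gc_rewrite_node((enum alloc_mode)m, &err);
		printf("%-18s used=%d err=%ld  !n-only misses=%d  IS_ERR-only misses=%d\n",
		       names[m], used, err,
		       null_check_would_miss((enum alloc_mode)m),
		       is_err_check_would_miss((enum alloc_mode)m));
	}
	return 0;
}
```

The two `*_would_miss()` helpers are the point: only the combined IS_ERR_OR_NULL() guard rejects every failure value the allocator contract allows, which is why the patch uses it rather than `if (!n)`.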