Message-ID: <4c38baa1-9cb8-2ba5-36c0-251afc6e615b@suse.de>
Date: Fri, 28 Jan 2022 22:34:27 +0800
Subject: Re: [PATCH] bcache: Fix a NULL or wild pointer dereference in btree_gc_rewrite_node()
To: Greg KH
Cc: kjlu@umn.edu, Kent Overstreet, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, Zhou Qingyang
References: <20220124164701.53525-1-zhou1615@umn.edu>
From: Coly Li
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/28/22 6:17 PM, Greg KH wrote:
> On Tue, Jan 25, 2022 at 12:47:01AM +0800, Zhou Qingyang wrote:
>> In btree_gc_rewrite_node(), btree_node_alloc_replacement() is assigned to
>> n and returns an error code or NULL on failure. n is passed to
>> bch_btree_node_write_sync() and there is a dereference of it in
>> bch_btree_node_write_sync() without checks, which may lead to a wild
>> pointer dereference or NULL pointer dereference depending on n.
>>
>> Fix this bug by adding an IS_ERR_OR_NULL check of n.
>>
>> This bug was found by a static analyzer.
>>
>> Builds with 'make allyesconfig' show no new warnings,
>> and our static analyzer no longer warns about this code.
>>
>> Fixes: ("bcache: Rework btree cache reserve handling")
>> Signed-off-by: Zhou Qingyang
>> ---
>> The analysis employs differential checking to identify inconsistent
>> security operations (e.g., checks or kfrees) between two code paths
>> and confirms that the inconsistent operations are not recovered in the
>> current function or the callers, so they constitute bugs.
>>
>> Note that, as a bug found by static analysis, it can be a false
>> positive or hard to trigger. Multiple researchers have cross-reviewed
>> the bug.
>>
>>  drivers/md/bcache/btree.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
>> index 88c573eeb598..06d42292e86c 100644
>> --- a/drivers/md/bcache/btree.c
>> +++ b/drivers/md/bcache/btree.c
>> @@ -1504,6 +1504,8 @@ static int btree_gc_rewrite_node(struct btree *b, struct btree_op *op,
>>                  return 0;
>>
>>          n = btree_node_alloc_replacement(replace, NULL);
>> +        if (IS_ERR_OR_NULL(n))
>> +                return 0;
>>
>>          /* recheck reserve after allocating replacement node */
>>          if (btree_check_reserve(b, NULL)) {
>> --
>> 2.25.1
>>
> As stated before, umn.edu is still not allowed to contribute to the
> Linux kernel. Please work with your administration to resolve this
> issue.
>

Copied. Thanks for the reminder.

Coly Li
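Review bot: the added `if (IS_ERR_OR_NULL(n)) return 0;` matches the `return 0` already visible in the context lines above it, but it also throws away the error encoded in `n`; if the caller needs to tell an allocation failure apart from a skipped rewrite, consider `return PTR_ERR(n);` for the error-pointer case, or state in the commit message why returning 0 is the intended behaviour. The commit message claims `btree_node_alloc_replacement()` can return NULL as well as an error pointer; pointing to where NULL is produced would let reviewers confirm that `IS_ERR_OR_NULL()` rather than `IS_ERR()` is required. The `Fixes:` tag is also missing its commit SHA, so it cannot be matched to the commit it names.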