Bug 207111

Summary: Possible null pointer dereference in __rh_alloc()
Product: Drivers
Reporter: Dongyang Zhan (zhandy)
Component: Other
Assignee: drivers_other
Status: NEW
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: Linux 4.17
Subsystem:
Regression: No
Bisected commit-id:

Description Dongyang Zhan 2020-04-05 15:17:20 UTC
An issue was discovered in the Linux kernel 4.17. __rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory allocation failures of nreg.

The code link: https://elixir.bootlin.com/linux/v4.10.17/source/drivers/md/dm-region-hash.c#L286

Source code:

struct dm_region *reg, *nreg;

nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
if (unlikely(!nreg))
	/* mempool exhausted: fall back to kmalloc with __GFP_NOFAIL */
	nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);

nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
	DM_RH_CLEAN : DM_RH_NOSYNC;

Comments:
If this statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
referencing this pointer (nreg->state) will cause a null pointer dereference.