207111 – Possible null pointer dereference in __rh_alloc()

Bug 207111 - Possible null pointer dereference in __rh_alloc()

Summary: Possible null pointer dereference in __rh_alloc()

Status:	NEW

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	drivers_other

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-04-05 15:17 UTC by Dongyang Zhan
Modified:	2020-04-05 15:17 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	Linux 4.17
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Dongyang Zhan 2020-04-05 15:17:20 UTC

An issue was discovered in the in the Linux kernel 4.17. __rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory allocation failures of nreg. 

The code link: https://elixir.bootlin.com/linux/v4.10.17/source/drivers/md/dm-region-hash.c#L286

Source code:

struct dm_region *reg, *nreg;

nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
if (unlikely(!nreg))
		nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);

nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
		DM_RH_CLEAN : DM_RH_NOSYNC;

Comments:
If this statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
referencing this pointer (nreg->state) will cause null pointer dereference.

Note You need to log in before you can comment on or make changes to this bug.