Commit 643a1e33 authored Jul 07, 2023 by Li Lingfeng Committed by openeuler-sync-bot Jul 12, 2023

dm thin metadata: check fail_io before using data_sm

mainline inclusion
from mainline-v6.4-rc8
commit cb65b282
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7FITX
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.4-rc7&id=cb65b282c9640c27d3129e2e04b711ce1b352838



----------------------------------------

Must check pmd->fail_io before using pmd->data_sm since
pmd->data_sm may be destroyed by other processes.

       P1(kworker)                             P2(message)
do_worker
 process_prepared
  process_prepared_discard_passdown_pt2
   dm_pool_dec_data_range
                                    pool_message
                                     commit
                                      dm_pool_commit_metadata
                                        ↓
                                       // commit failed
                                      metadata_operation_failed
                                       abort_transaction
                                        dm_pool_abort_metadata
                                         __open_or_format_metadata
                                           ↓
                                          dm_sm_disk_open
                                            ↓
                                           // open failed
                                           // pmd->data_sm is NULL
    dm_sm_dec_blocks
      ↓
     // try to access pmd->data_sm --> UAF

As shown above, if dm_pool_commit_metadata() and
dm_pool_abort_metadata() fail in pool_message process, kworker may
trigger UAF.

Fixes: be500ed7 ("dm space maps: improve performance with inc/dec on ranges of blocks")
Cc: stable@vger.kernel.org
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>

Conflicts:
  drivers/md/dm-thin-metadata.c
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
(cherry picked from commit 26d0b2da)

parent 3cb64cbb

drivers/md/dm-thin-metadata.c

+23 −13

Original line number	Diff line number	Diff line
		@@ -1771,13 +1771,15 @@ int dm_thin_remove_range(struct dm_thin_device *td,

		int dm_pool_block_is_shared(struct dm_pool_metadata pmd, dm_block_t b, bool result)
		{
		int r;
		int r = -EINVAL;
		uint32_t ref_count;

		down_read(&pmd->root_lock);
		if (!pmd->fail_io) {
		r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
		if (!r)
		*result = (ref_count > 1);
		}
		up_read(&pmd->root_lock);

		return r;
		@@ -1788,11 +1790,15 @@ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_
		int r = 0;

		pmd_write_lock(pmd);
		if (!pmd->fail_io) {
		for (; b != e; b++) {
		r = dm_sm_inc_block(pmd->data_sm, b);
		if (r)
		break;
		}
		} else {
		r = -EINVAL;
		}
		pmd_write_unlock(pmd);

		return r;
		@@ -1800,14 +1806,18 @@ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_

		int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
		{
		int r = 0;
		int r = -EINVAL;

		pmd_write_lock(pmd);
		if (!pmd->fail_io) {
		for (; b != e; b++) {
		r = dm_sm_dec_block(pmd->data_sm, b);
		if (r)
		break;
		}
		} else {
		r = -EINVAL;
		}
		pmd_write_unlock(pmd);

		return r;