On Sun, May 03, 2020 at 03:02:21PM +0800, Dongyang Zhan wrote:
> I am a security researcher, my name is Dongyang Zhan. I found a potential bug in
> /drivers/md/dm-region-hash.c in Linux 4.10.17. I hope you can help me to confirm it.
> __rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory allocation failures of nreg.
> Source code:
>         struct dm_region *reg, *nreg;
>         nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
>         if (unlikely(!nreg))
>                 nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);
>         nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
>                       DM_RH_CLEAN : DM_RH_NOSYNC;
> If the statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
> dereferencing this pointer (nreg->state) will cause null pointer dereference.

 * %__GFP_NOFAIL: The VM implementation _must_ retry infinitely: the caller
 * cannot handle allocation failures. The allocation could block
 * indefinitely but will never return with failure. Testing for
 * failure is pointless.

Alasdair

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
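The point of the reply is that the allocation contract, not a NULL check, rules out the dereference: a `__GFP_NOFAIL` allocation retries until it succeeds, so the `nreg->state` store in `__rh_alloc()` can never see a NULL pointer. The following is an added userland model of that pattern (example code, not from the thread and not kernel code): `pool_alloc` stands in for `mempool_alloc(..., GFP_ATOMIC)`, which may legitimately return NULL, and `nofail_alloc` stands in for `kmalloc(..., GFP_NOIO | __GFP_NOFAIL)`, retrying a simulated fallible allocator until it succeeds. The pool size, failure budget and all function names are constructed for illustration.

```c
/* Added example: a userland model of the __rh_alloc() allocation pattern,
 * showing why a NULL test after a __GFP_NOFAIL-style allocation is dead code.
 * Nothing here is kernel code; names and sizes are constructed. */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define POOL_CAP 2                      /* constructed: tiny pre-allocated pool */

struct region { int state; int id; };

static struct region pool_slots[POOL_CAP];
static int pool_used = 0;
static int fallback_calls = 0;          /* times the nofail path was taken */
static int simulated_failures = 0;      /* transient failures the nofail path absorbed */

/* Model of mempool_alloc(..., GFP_ATOMIC): returns NULL once the pool is empty,
 * so the caller genuinely must check this result. */
static struct region *pool_alloc(void)
{
    if (pool_used >= POOL_CAP)
        return NULL;
    return &pool_slots[pool_used++];
}

/* Simulated fallible backing allocator: fails while *fail_budget > 0. */
static struct region *fallible_alloc(int *fail_budget)
{
    if (*fail_budget > 0) {
        (*fail_budget)--;
        simulated_failures++;
        return NULL;
    }
    return malloc(sizeof(struct region));
}

/* Model of kmalloc(GFP_NOIO | __GFP_NOFAIL): the contract is "retry until it
 * succeeds, never return failure", so this function cannot return NULL and a
 * caller-side NULL test would be unreachable. */
static struct region *nofail_alloc(int fail_budget)
{
    struct region *p;
    fallback_calls++;
    do {
        p = fallible_alloc(&fail_budget);
    } while (p == NULL);
    return p;
}

/* Model of __rh_alloc(): fast pool path first, nofail fallback second. */
static struct region *rh_alloc(int id, int transient_failures)
{
    struct region *nreg = pool_alloc();
    if (nreg == NULL)
        nreg = nofail_alloc(transient_failures);
    nreg->state = 0;    /* safe: neither path can leave nreg NULL */
    nreg->id = id;
    return nreg;
}

/* Allocate n regions (more than the pool holds), each fallback allocation
 * hitting 'transient_failures' simulated failures first. Returns 1 if every
 * returned pointer was non-NULL and correctly initialised. */
int demo_all_non_null(int n, int transient_failures)
{
    int ok = 1;
    for (int i = 0; i < n; i++) {
        struct region *r = rh_alloc(i, transient_failures);
        if (r == NULL || r->id != i || r->state != 0)
            ok = 0;
    }
    return ok;
}

int demo_fallback_calls(void) { return fallback_calls; }
int demo_simulated_failures(void) { return simulated_failures; }

int main(void)
{
    int ok = demo_all_non_null(5, 3);
    printf("all non-NULL: %d, fallback calls: %d, transient failures absorbed: %d\n",
           ok, demo_fallback_calls(), demo_simulated_failures());
    return ok ? 0 : 1;
}
```

With a pool of 2 and 5 requests, the last 3 requests take the fallback path, and each absorbs 3 simulated failures before the retry loop returns a pointer; the caller never observes any of them. The same reasoning applies when reviewing kernel code: a `!ptr` check after a `__GFP_NOFAIL` allocation is not a missing-check bug but an unreachable branch.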