> Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:cleanup_mapped_device+0x202/0x580 drivers/md/dm.c:2198 > Code: 03 80 3c 02 00 0f 85 28 03 00 00 48 8b 9d 08 02 00 00 48 b8 00 > 00 00 00 00 fc ff df 48 8d bb 98 00 00 00 48 89 fa 48 c1 ea 03 <80> 3c > 02 00 0f 85 19 03 00 00 48 c7 c7 00 57 39 8f 48 c7 83 98 00 > RSP: 0018:ffffc9000e5f7b80 EFLAGS: 00010217 > RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: ffffffff8169176c > RDX: 0000000000000011 RSI: 0000000000000004 RDI: 000000000000008c > RBP: ffff888047717000 R08: 0000000000000001 R09: fffff52001cbef62 > R10: 0000000000000003 R11: 0000000000000000 R12: ffff888047717208 > R13: ffff888047717090 R14: ffff888047717208 R15: ffff88802ba3d9e8 > FS: 00005555642a83c0(0000) GS:ffff88802ba00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fe48631f1f8 CR3: 0000000000c22000 CR4: 0000000000750ef0 > PKRU: 55555554 > ---------------- > Code disassembly (best guess): > 0: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax > 6: 85 28 test %ebp,(%rax) > 8: 03 00 add (%rax),%eax > a: 00 48 8b add %cl,-0x75(%rax) > d: 9d popf > e: 08 02 or %al,(%rdx) > 10: 00 00 add %al,(%rax) > 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax > 19: fc ff df > 1c: 48 8d bb 98 00 00 00 lea 0x98(%rbx),%rdi > 23: 48 89 fa mov %rdi,%rdx > 26: 48 c1 ea 03 shr $0x3,%rdx > * 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction > 2e: 0f 85 19 03 00 00 jne 0x34d > 34: 48 c7 c7 00 57 39 8f mov $0xffffffff8f395700,%rdi > 3b: 48 rex.W > 3c: c7 .byte 0xc7 > 3d: 83 .byte 0x83 > 3e: 98 cwtl > > > Syzkaller reproducer: > # {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 > Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false > NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false > KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false > Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false > HandleSegv:false Trace:false 
LegacyOptions:{Collide:false Fault:false
> FaultCall:0 FaultNth:0}}
> ioctl$KGPT_CEC_ADAP_S_LOG_ADDRS(0xffffffffffffffff, 0xc05c6104,
> &(0x7f0000000080)={"8072609d", 0x4, 0x6, 0x8, 0xffff, 0x6,
> "000780427bee50eb00", '\x00\a\x00', "8529b501", "3bf5c9d5",
> ["f1c758509a071a2ded4470ab", "fe1285a1e9c9879d543c15d2",
> "d6de4e2d5ae55cebb6bac1e1", "dd8866305b4f75e67daa6d8b"]})
> r0 = openat$KGPT_SYZKALM_dm_ctl(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
> ioctl$KGPT_DM_DEV_STATUS(r0, 0xc138fd07,
> &(0x7f0000000080)="58c18237165e55872d5dacbed6a0")
> ioctl$KGPT_DM_DEV_CREATE(r0, 0xc138fd03, &(0x7f0000000080)) (fail_nth: 8)

Hi

Here I'm submitting a patch for this bug.

Mikulas

From: Mikulas Patocka <mpatocka@xxxxxxxxxx>

If blk_alloc_disk fails, the variable md->disk is set to an error value. cleanup_mapped_device will see that md->disk is non-NULL and it will attempt to access it, causing a crash on this statement "md->disk->private_data = NULL;".

Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>
Closes: https://marc.info/?l=dm-devel&m=172824125004329&w=2
Cc: stable@xxxxxxxxxxxxxxx

---
 drivers/md/dm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Index: linux-2.6/drivers/md/dm.c
===================================================================
--- linux-2.6.orig/drivers/md/dm.c	2024-09-30 16:40:54.000000000 +0200
+++ linux-2.6/drivers/md/dm.c	2024-10-07 13:23:40.000000000 +0200
@@ -2290,8 +2290,10 @@ static struct mapped_device *alloc_dev(i
 	 * override accordingly.
 	 */
 	md->disk = blk_alloc_disk(NULL, md->numa_node_id);
-	if (IS_ERR(md->disk))
+	if (IS_ERR(md->disk)) {
+		md->disk = NULL;
 		goto bad;
+	}
 	md->queue = md->disk->queue;
 
 	init_waitqueue_head(&md->wait);
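Review bot: The added `md->disk = NULL;` on the error path is correct but gives a future reader of alloc_dev() no hint why an ERR_PTR must be scrubbed before `goto bad`; the dependency on cleanup_mapped_device() treating any non-NULL md->disk as an allocated disk (which is what the commit message describes and what the stack trace at cleanup_mapped_device+0x202 shows) deserves a one-line comment above the assignment, e.g. `/* cleanup_mapped_device() treats non-NULL md->disk as allocated */`. The specific error code from blk_alloc_disk() is discarded here; if the `bad:` label returns NULL to callers, the caller cannot distinguish this failure from any other — presumably consistent with the existing error paths in this function, but worth confirming. alloc_dev() begins, and its `bad:` cleanup lies, outside this hunk.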