dm thin metadata: Fix use-after-free in dm_bm_set_read_only

Ye Bin · snitm · commit 3a653b205f29 · 2020-09-02T13:38:40.000-04:00
The following error ocurred when testing disk online/offline:

[  301.798344] device-mapper: thin: 253:5: aborting current metadata transaction
[  301.848441] device-mapper: thin: 253:5: failed to abort metadata transaction
[  301.849206] Aborting journal on device dm-26-8.
[  301.850489] EXT4-fs error (device dm-26) in __ext4_new_inode:943: Journal has aborted
[  301.851095] EXT4-fs (dm-26): Delayed block allocation failed for inode 398742 at logical offset 181 with max blocks 19 with error 30
[  301.854476] BUG: KASAN: use-after-free in dm_bm_set_read_only+0x3a/0x40 [dm_persistent_data]

Reason is:

 metadata_operation_failed
    abort_transaction
        dm_pool_abort_metadata
	    __create_persistent_data_objects
	        r = __open_or_format_metadata
	        if (r) --&gt; If failed will free pmd-&gt;bm but pmd-&gt;bm not set NULL
		    dm_block_manager_destroy(pmd-&gt;bm);
    set_pool_mode
	dm_pool_metadata_read_only(pool-&gt;pmd);
	dm_bm_set_read_only(pmd-&gt;bm);  --&gt; use-after-free

Add checks to see if pmd-&gt;bm is NULL in dm_bm_set_read_only and
dm_bm_set_read_write functions.  If bm is NULL it means creating the
bm failed and so dm_bm_is_read_only must return true.

Signed-off-by: Ye Bin &lt;yebin10@huawei.com&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer &lt;snitzer@redhat.com&gt;
diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
@@ -958,7 +958,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)
 	}
 
 	pmd_write_lock_in_core(pmd);
-	if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) {
+	if (!pmd->fail_io && !dm_bm_is_read_only(pmd->bm)) {
 		r = __commit_transaction(pmd);
 		if (r < 0)
 			DMWARN("%s: __commit_transaction() failed, error = %d",
diff --git a/drivers/md/persistent-data/dm-block-manager.c b/drivers/md/persistent-data/dm-block-manager.c
@@ -493,7 +493,7 @@ int dm_bm_write_lock(struct dm_block_manager *bm,
 	void *p;
 	int r;
 
-	if (bm->read_only)
+	if (dm_bm_is_read_only(bm))
 		return -EPERM;
 
 	p = dm_bufio_read(bm->bufio, b, (struct dm_buffer **) result);
@@ -562,7 +562,7 @@ int dm_bm_write_lock_zero(struct dm_block_manager *bm,
 	struct buffer_aux *aux;
 	void *p;
 
-	if (bm->read_only)
+	if (dm_bm_is_read_only(bm))
 		return -EPERM;
 
 	p = dm_bufio_new(bm->bufio, b, (struct dm_buffer **) result);
@@ -602,7 +602,7 @@ EXPORT_SYMBOL_GPL(dm_bm_unlock);
 
 int dm_bm_flush(struct dm_block_manager *bm)
 {
-	if (bm->read_only)
+	if (dm_bm_is_read_only(bm))
 		return -EPERM;
 
 	return dm_bufio_write_dirty_buffers(bm->bufio);
@@ -616,19 +616,21 @@ void dm_bm_prefetch(struct dm_block_manager *bm, dm_block_t b)
 
 bool dm_bm_is_read_only(struct dm_block_manager *bm)
 {
-	return bm->read_only;
+	return (bm ? bm->read_only : true);
 }
 EXPORT_SYMBOL_GPL(dm_bm_is_read_only);
 
 void dm_bm_set_read_only(struct dm_block_manager *bm)
 {
-	bm->read_only = true;
+	if (bm)
+		bm->read_only = true;
 }
 EXPORT_SYMBOL_GPL(dm_bm_set_read_only);
 
 void dm_bm_set_read_write(struct dm_block_manager *bm)
 {
-	bm->read_only = false;
+	if (bm)
+		bm->read_only = false;
 }
 EXPORT_SYMBOL_GPL(dm_bm_set_read_write);
 

Original file line number	Diff line number	Diff line change
`@@ -958,7 +958,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)`
`958`	`958`	`}`
`959`	`959`
`960`	`960`	`pmd_write_lock_in_core(pmd);`
`961`		`- if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) {`
	`961`	`+ if (!pmd->fail_io && !dm_bm_is_read_only(pmd->bm)) {`
`962`	`962`	`r = __commit_transaction(pmd);`
`963`	`963`	`if (r < 0)`
`964`	`964`	`DMWARN("%s: __commit_transaction() failed, error = %d",`
Original file line number	Diff line number	Diff line change
`@@ -493,7 +493,7 @@ int dm_bm_write_lock(struct dm_block_manager *bm,`
`493`	`493`	`void *p;`
`494`	`494`	`int r;`
`495`	`495`
`496`		`- if (bm->read_only)`
	`496`	`+ if (dm_bm_is_read_only(bm))`
`497`	`497`	`return -EPERM;`
`498`	`498`
`499`	`499`	`p = dm_bufio_read(bm->bufio, b, (struct dm_buffer **) result);`
`@@ -562,7 +562,7 @@ int dm_bm_write_lock_zero(struct dm_block_manager *bm,`
`562`	`562`	`struct buffer_aux *aux;`
`563`	`563`	`void *p;`
`564`	`564`
`565`		`- if (bm->read_only)`
	`565`	`+ if (dm_bm_is_read_only(bm))`
`566`	`566`	`return -EPERM;`
`567`	`567`
`568`	`568`	`p = dm_bufio_new(bm->bufio, b, (struct dm_buffer **) result);`
`@@ -602,7 +602,7 @@ EXPORT_SYMBOL_GPL(dm_bm_unlock);`
`602`	`602`
`603`	`603`	`int dm_bm_flush(struct dm_block_manager *bm)`
`604`	`604`	`{`
`605`		`- if (bm->read_only)`
	`605`	`+ if (dm_bm_is_read_only(bm))`
`606`	`606`	`return -EPERM;`
`607`	`607`
`608`	`608`	`return dm_bufio_write_dirty_buffers(bm->bufio);`
`@@ -616,19 +616,21 @@ void dm_bm_prefetch(struct dm_block_manager *bm, dm_block_t b)`
`616`	`616`
`617`	`617`	`bool dm_bm_is_read_only(struct dm_block_manager *bm)`
`618`	`618`	`{`
`619`		`- return bm->read_only;`
	`619`	`+ return (bm ? bm->read_only : true);`
`620`	`620`	`}`
`621`	`621`	`EXPORT_SYMBOL_GPL(dm_bm_is_read_only);`
`622`	`622`
`623`	`623`	`void dm_bm_set_read_only(struct dm_block_manager *bm)`
`624`	`624`	`{`
`625`		`- bm->read_only = true;`
	`625`	`+ if (bm)`
	`626`	`+ bm->read_only = true;`
`626`	`627`	`}`
`627`	`628`	`EXPORT_SYMBOL_GPL(dm_bm_set_read_only);`
`628`	`629`
`629`	`630`	`void dm_bm_set_read_write(struct dm_block_manager *bm)`
`630`	`631`	`{`
`631`		`- bm->read_only = false;`
	`632`	`+ if (bm)`
	`633`	`+ bm->read_only = false;`
`632`	`634`	`}`
`633`	`635`	`EXPORT_SYMBOL_GPL(dm_bm_set_read_write);`
`634`	`636`