Message-ID: <20250922144239.11-1-alsp705@gmail.com>
Date: Mon, 22 Sep 2025 17:42:37 +0300
From: Alexandr Sapozhnkiov <alsp705@...il.com>
To: Alasdair Kergon <agk@...hat.com>,
	Mike Snitzer <snitzer@...hat.com>,
	dm-devel@...hat.com,
	linux-kernel@...r.kernel.org
Cc: Alexandr Sapozhnikov <alsp705@...il.com>,
	linux-media@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()

From: Alexandr Sapozhnikov <alsp705@...il.com>

The return value of the function '__lookup_origin' is dereferenced
at dm-snap.c:596 without checking for NULL, but it is usually
checked for this function.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Alexandr Sapozhnikov <alsp705@...il.com>

---
 drivers/md/dm-snap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
index 4668b2cd98f4..105f6e768ad1 100644
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -590,12 +590,15 @@ static int register_snapshot(struct dm_snapshot *snap)
  */
 static void reregister_snapshot(struct dm_snapshot *s)
 {
+	struct origin *o;
 	struct block_device *bdev = s->origin->bdev;
 
 	down_write(&_origins_lock);
+	o = __lookup_origin(s->origin->bdev);
 
 	list_del(&s->list);
-	__insert_snapshot(__lookup_origin(bdev), s);
+	if (o)
+		__insert_snapshot(o, s);
 
 	up_write(&_origins_lock);
 }
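
Review bot: when __lookup_origin() returns NULL, list_del(&s->list) has already run and the new "if (o)" branch skips __insert_snapshot(), so the function returns with the snapshot unlinked from every origin list and no indication to the caller or the log. If NULL is really possible here, do the lookup and the check before list_del() and leave the list untouched on failure (or at least WARN_ON(!o)), and say in the commit message which path leads to a missing origin. Separately, the local "bdev" is still declared and initialized but is no longer used, because the new lookup passes s->origin->bdev directly; either pass bdev to __lookup_origin() or drop the variable to avoid an unused-variable warning.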
-- 
2.43.0

