[Devel] [PATCH VZ9] dm-ploop: fix crash on accessing zero file and mtfile array
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Wed Jun 4 13:17:15 MSK 2025
In case ploop_add_deltas_stack fails before setting up all deltas or
ploop_add_delta fails before setting up delta file or mtfile, error
handling will lead to ploop_destroy and we will crash on NULL pointer
access there.
So let's check file and mtfile before accessing them.
Fixes: b5eb75576860 ("dm-ploop: sync when suspended or stopping")
Fixes: 6ec02a1642d5 ("dm-ploop: use filp per thread")
https://virtuozzo.atlassian.net/browse/VSTOR-108029
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Feature: dm-ploop: ploop target driver
---
drivers/md/dm-ploop-target.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/md/dm-ploop-target.c b/drivers/md/dm-ploop-target.c
index de549f7633af..8fa0043a7142 100644
--- a/drivers/md/dm-ploop-target.c
+++ b/drivers/md/dm-ploop-target.c
@@ -203,13 +203,16 @@ static void ploop_destroy(struct ploop *ploop)
percpu_ref_exit(&ploop->inflight_bios_ref[i]);
/* Nobody uses it after destroy_workqueue() */
while (ploop->nr_deltas-- > 0) {
- vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1);
-
- if (ploop->deltas[ploop->nr_deltas].file)
+ if (ploop->deltas[ploop->nr_deltas].file) {
+ vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1);
fput(ploop->deltas[ploop->nr_deltas].file);
- for (i = 0; i < ploop->nkt_runners; i++) {
- if (ploop->deltas[ploop->nr_deltas].mtfile[i])
- fput(ploop->deltas[ploop->nr_deltas].mtfile[i]);
+ }
+
+ if (ploop->deltas[ploop->nr_deltas].mtfile) {
+ for (i = 0; i < ploop->nkt_runners; i++) {
+ if (ploop->deltas[ploop->nr_deltas].mtfile[i])
+ fput(ploop->deltas[ploop->nr_deltas].mtfile[i]);
+ }
}
kfree(ploop->deltas[ploop->nr_deltas].mtfile);
}
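Review bot: In the new `if (ploop->deltas[ploop->nr_deltas].mtfile)` block, the per-slot `mtfile[i]` check over `nkt_runners` entries only protects a partially set up delta if the array was zero-allocated and `nkt_runners` still holds the value used when the array was sized. The allocation is not visible in this hunk, so please confirm both in the commit message or in a comment above the loop. In the `file` branch the `vfs_fsync()` return value is still discarded, so a failed sync during teardown goes unreported; a warning log there would help. As a style point, `ploop->deltas[ploop->nr_deltas]` is repeated throughout the loop body, and a local pointer to the current delta entry would make the NULL checks easier to read.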
--
2.49.0