[Devel] [PATCH RHEL9 COMMIT] dm-ploop: fix crash on accessing zero file and mtfile array
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jun 4 14:41:17 MSK 2025
The commit is pushed to "branch-rh9-5.14.0-427.44.1.vz9.80.x-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh9-5.14.0-427.44.1.vz9.80.37
------>
commit 969b2bbc9c46ce659b8c15198a7367be61a07db0
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Wed Jun 4 18:17:15 2025 +0800
dm-ploop: fix crash on accessing zero file and mtfile array
In case ploop_add_deltas_stack fails before setting up all deltas or
ploop_add_delta fails before setting up delta file or mtfile, error
handling will lead to ploop_destroy and we will crash on NULL pointer
access there.
So let's check file and mtfile before accessing them.
Fixes: b5eb75576860 ("dm-ploop: sync when suspended or stopping")
Fixes: 6ec02a1642d5 ("dm-ploop: use filp per thread")
https://virtuozzo.atlassian.net/browse/VSTOR-108029
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Feature: dm-ploop: ploop target driver
---
drivers/md/dm-ploop-target.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/md/dm-ploop-target.c b/drivers/md/dm-ploop-target.c
index de549f7633aff..8fa0043a71420 100644
--- a/drivers/md/dm-ploop-target.c
+++ b/drivers/md/dm-ploop-target.c
@@ -203,13 +203,16 @@ static void ploop_destroy(struct ploop *ploop)
percpu_ref_exit(&ploop->inflight_bios_ref[i]);
/* Nobody uses it after destroy_workqueue() */
while (ploop->nr_deltas-- > 0) {
- vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1);
-
- if (ploop->deltas[ploop->nr_deltas].file)
+ if (ploop->deltas[ploop->nr_deltas].file) {
+ vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1);
fput(ploop->deltas[ploop->nr_deltas].file);
- for (i = 0; i < ploop->nkt_runners; i++) {
- if (ploop->deltas[ploop->nr_deltas].mtfile[i])
- fput(ploop->deltas[ploop->nr_deltas].mtfile[i]);
+ }
+
+ if (ploop->deltas[ploop->nr_deltas].mtfile) {
+ for (i = 0; i < ploop->nkt_runners; i++) {
+ if (ploop->deltas[ploop->nr_deltas].mtfile[i])
+ fput(ploop->deltas[ploop->nr_deltas].mtfile[i]);
+ }
}
kfree(ploop->deltas[ploop->nr_deltas].mtfile);
}
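Review bot: the new NULL checks on .file and .mtfile in the while loop are only sufficient if every entry counted by nr_deltas starts out zeroed, including the individual mtfile[i] slots when the array was allocated but only partly filled before the failure. The allocations are not visible in this hunk, so please confirm that deltas and mtfile come from zeroing allocators, or say so in the commit message. As a style point, ploop->deltas[ploop->nr_deltas] is now repeated seven times in the loop body; taking a local pointer to the current delta at the top of the loop would make the guards easier to read. The return value of vfs_fsync() is still dropped here, so a failed sync during teardown goes unreported; a warning on a non-zero return would help when diagnosing data loss.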