1. Patchew
  2. linux
  3. View series

[PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()

Alexandr Sapozhnkiov posted 1 patch 2 months, 3 weeks ago 
drivers/md/dm-snap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
Posted by Alexandr Sapozhnkiov 2 months, 3 weeks ago 
From: Alexandr Sapozhnikov <alsp705@gmail.com>

Return value of a function '__lookup_origin' is dereferenced 
at dm-snap.c:596 without checking for NULL, but it is usually 
checked for this function

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>

---
 drivers/md/dm-snap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
index 4668b2cd98f4..105f6e768ad1 100644
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -590,12 +590,15 @@ static int register_snapshot(struct dm_snapshot *snap)
  */
 static void reregister_snapshot(struct dm_snapshot *s)
 {
+	struct origin *o;
 	struct block_device *bdev = s->origin->bdev;
 
 	down_write(&_origins_lock);
+	o = __lookup_origin(s->origin->bdev);
 
 	list_del(&s->list);
-	__insert_snapshot(__lookup_origin(bdev), s);
+	if (o)
+		__insert_snapshot(o, s);
 
 	up_write(&_origins_lock);
 }
-- 
2.43.0
Re: [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
Posted by kernel test robot 2 months, 3 weeks ago 
Hi Alexandr,

kernel test robot noticed the following build warnings:

[auto build test WARNING on device-mapper-dm/for-next]
[also build test WARNING on linus/master v6.17-rc7 next-20250922]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Alexandr-Sapozhnkiov/md-fix-NULL-pointer-dereference-at-reregister_snapshot/20250922-224522
base:   https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git for-next
patch link:    https://lore.kernel.org/r/20250922144239.11-1-alsp705%40gmail.com
patch subject: [PATCH 5.10] md: fix NULL pointer dereference at reregister_snapshot()
config: s390-randconfig-002-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231318.YYdqPhnu-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project cafc064fc7a96b3979a023ddae1da2b499d6c954)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231318.YYdqPhnu-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231318.YYdqPhnu-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from <built-in>:3:
   In file included from include/linux/compiler_types.h:171:
   include/linux/compiler-clang.h:28:9: warning: '__SANITIZE_ADDRESS__' macro redefined [-Wmacro-redefined]
      28 | #define __SANITIZE_ADDRESS__
         |         ^
   <built-in>:369:9: note: previous definition is here
     369 | #define __SANITIZE_ADDRESS__ 1
         |         ^
>> drivers/md/dm-snap.c:597:23: warning: unused variable 'bdev' [-Wunused-variable]
     597 |         struct block_device *bdev = s->origin->bdev;
         |                              ^~~~
   2 warnings generated.


vim +/bdev +597 drivers/md/dm-snap.c

c1f0c183f6acc6 Mike Snitzer         2009-12-10  590  
c1f0c183f6acc6 Mike Snitzer         2009-12-10  591  /*
c1f0c183f6acc6 Mike Snitzer         2009-12-10  592   * Move snapshot to correct place in list according to chunk size.
c1f0c183f6acc6 Mike Snitzer         2009-12-10  593   */
c1f0c183f6acc6 Mike Snitzer         2009-12-10  594  static void reregister_snapshot(struct dm_snapshot *s)
c1f0c183f6acc6 Mike Snitzer         2009-12-10  595  {
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22  596  	struct origin *o;
c1f0c183f6acc6 Mike Snitzer         2009-12-10 @597  	struct block_device *bdev = s->origin->bdev;
c1f0c183f6acc6 Mike Snitzer         2009-12-10  598  
c1f0c183f6acc6 Mike Snitzer         2009-12-10  599  	down_write(&_origins_lock);
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22  600  	o = __lookup_origin(s->origin->bdev);
c1f0c183f6acc6 Mike Snitzer         2009-12-10  601  
c1f0c183f6acc6 Mike Snitzer         2009-12-10  602  	list_del(&s->list);
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22  603  	if (o)
8125cedd7aa81d Alexandr Sapozhnikov 2025-09-22  604  		__insert_snapshot(o, s);
^1da177e4c3f41 Linus Torvalds       2005-04-16  605  
^1da177e4c3f41 Linus Torvalds       2005-04-16  606  	up_write(&_origins_lock);
^1da177e4c3f41 Linus Torvalds       2005-04-16  607  }
^1da177e4c3f41 Linus Torvalds       2005-04-16  608  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.