The commit is pushed to "branch-rh9-5.14.0-427.44.1.vz9.80.x-ovz" and will appear at g...@bitbucket.org:openvz/vzkernel.git
after rh9-5.14.0-427.44.1.vz9.80.37
------>
commit 969b2bbc9c46ce659b8c15198a7367be61a07db0
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Wed Jun 4 18:17:15 2025 +0800

dm-ploop: fix crash on accessing zero file and mtfile array In case ploop_add_deltas_stack fails before setting up all deltas or ploop_add_delta fails before setting up delta file or mtfile, error handling will lead to ploop_destroy and we will crash on NULL pointer access there. So let's check file and mtfile before accessing into them. Fixes: b5eb75576860 ("dm-ploop: sync when suspended or stopping") Fixes: 6ec02a1642d5 ("dm-ploop: use filp per thread") https://virtuozzo.atlassian.net/browse/VSTOR-108029 Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Acked-by: Konstantin Khorenko <khore...@virtuozzo.com> Feature: dm-ploop: ploop target driver --- drivers/md/dm-ploop-target.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm-ploop-target.c b/drivers/md/dm-ploop-target.c index de549f7633aff..8fa0043a71420 100644 --- a/drivers/md/dm-ploop-target.c +++ b/drivers/md/dm-ploop-target.c @@ -203,13 +203,16 @@ static void ploop_destroy(struct ploop *ploop) percpu_ref_exit(&ploop->inflight_bios_ref[i]); /* Nobody uses it after destroy_workqueue() */ while (ploop->nr_deltas-- > 0) { - vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1); - - if (ploop->deltas[ploop->nr_deltas].file) + if (ploop->deltas[ploop->nr_deltas].file) { + vfs_fsync(ploop->deltas[ploop->nr_deltas].file, 1); fput(ploop->deltas[ploop->nr_deltas].file); - for (i = 0; i < ploop->nkt_runners; i++) { - if (ploop->deltas[ploop->nr_deltas].mtfile[i]) - fput(ploop->deltas[ploop->nr_deltas].mtfile[i]); + } + + if (ploop->deltas[ploop->nr_deltas].mtfile) { + for (i = 0; i < ploop->nkt_runners; i++) { + if (ploop->deltas[ploop->nr_deltas].mtfile[i]) + fput(ploop->deltas[ploop->nr_deltas].mtfile[i]); + } } kfree(ploop->deltas[ploop->nr_deltas].mtfile); } _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
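Review bot: the return value of vfs_fsync() inside the new `if (ploop->deltas[ploop->nr_deltas].file)` block in ploop_destroy() is still discarded, so a failed flush of a delta during teardown goes unnoticed; consider capturing it and emitting a warning before the fput(). The inner `if (ploop->deltas[ploop->nr_deltas].mtfile[i])` test is only safe for a partially populated array if mtfile is zero-initialized at allocation. The allocation is not visible in this hunk, so please confirm that or mention it in the commit message. Leaving kfree() outside the new mtfile check is fine, since kfree(NULL) is a no-op. As a style point, `ploop->deltas[ploop->nr_deltas]` is now spelled out seven times in this loop; a local pointer to the current delta entry would make the NULL checks easier to read.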