hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I81XCK CVE: NA
---------------------------
NULL pointer dereference and uaf will be triggered in del_gendisk() if add_disk has not complete. Clear request_queue and gendisk early if add_disk fail.
Signed-off-by: Li Lingfeng lilingfeng3@huawei.com --- drivers/md/dm.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c index e2df27c373f9..654aae1dd777 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -1853,13 +1853,11 @@ static struct mapped_device *alloc_dev(int minor) * established. If request-based table is loaded: blk-mq will * override accordingly. */ - md->queue = blk_alloc_queue(numa_node_id); - if (!md->queue) - goto bad; - - md->disk = alloc_disk_node(1, md->numa_node_id); + md->disk = blk_alloc_disk(md->numa_node_id); if (!md->disk) goto bad; + md->disk->minors = 1; + md->queue = md->disk->queue;
init_waitqueue_head(&md->wait); INIT_WORK(&md->work, dm_wq_work); @@ -1873,11 +1871,16 @@ static struct mapped_device *alloc_dev(int minor) md->disk->major = _major; md->disk->first_minor = minor; md->disk->fops = &dm_blk_dops; - md->disk->queue = md->queue; md->disk->private_data = md; sprintf(md->disk->disk_name, "dm-%d", minor);
- add_disk_no_queue_reg(md->disk); + r = add_disk_no_queue_reg_safe(md->disk); + if (r) { + blk_cleanup_disk(md->disk); + md->queue = NULL; + md->disk = NULL; + goto bad; + }
if (IS_ENABLED(CONFIG_DAX_DRIVER)) { md->dax_dev = alloc_dax(md, md->disk->disk_name,