diff options
| author | DingXiang <dingxiang@huawei.com> | 2016-02-01 23:29:18 -0500 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2016-03-10 17:12:09 -0500 |
| commit | 4df2bf466a9c9c92f40d27c4aa9120f4e8227bfc (patch) | |
| tree | 57286e5e24d2922f0aa0dbc97a65458d513a91c1 /drivers/md | |
| parent | 9ed84698fdda63de93c68150c4f63673cc3d7b54 (diff) | |
dm snapshot: disallow the COW and origin devices from being identical
Otherwise loading a "snapshot" table using the same device for the
origin and COW devices, e.g.:
echo "0 20971520 snapshot 253:3 253:3 P 8" | dmsetup create snap
will trigger:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[ 1958.979934] IP: [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1958.989655] PGD 0
[ 1958.991903] Oops: 0000 [#1] SMP
...
[ 1959.059647] CPU: 9 PID: 3556 Comm: dmsetup Tainted: G IO 4.5.0-rc5.snitm+ #150
...
[ 1959.083517] task: ffff8800b9660c80 ti: ffff88032a954000 task.ti: ffff88032a954000
[ 1959.091865] RIP: 0010:[<ffffffffa040efba>] [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.104295] RSP: 0018:ffff88032a957b30 EFLAGS: 00010246
[ 1959.110219] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
[ 1959.118180] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff880329334a00
[ 1959.126141] RBP: ffff88032a957b50 R08: 0000000000000000 R09: 0000000000000001
[ 1959.134102] R10: 000000000000000a R11: f000000000000000 R12: ffff880330884d80
[ 1959.142061] R13: 0000000000000008 R14: ffffc90001c13088 R15: ffff880330884d80
[ 1959.150021] FS: 00007f8926ba3840(0000) GS:ffff880333440000(0000) knlGS:0000000000000000
[ 1959.159047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1959.165456] CR2: 0000000000000098 CR3: 000000032f48b000 CR4: 00000000000006e0
[ 1959.173415] Stack:
[ 1959.175656] ffffc90001c13040 ffff880329334a00 ffff880330884ed0 ffff88032a957bdc
[ 1959.183946] ffff88032a957bb8 ffffffffa040f225 ffff880329334a30 ffff880300000000
[ 1959.192233] ffffffffa04133e0 ffff880329334b30 0000000830884d58 00000000569c58cf
[ 1959.200521] Call Trace:
[ 1959.203248] [<ffffffffa040f225>] dm_exception_store_create+0x1d5/0x240 [dm_snapshot]
[ 1959.211986] [<ffffffffa040d310>] snapshot_ctr+0x140/0x630 [dm_snapshot]
[ 1959.219469] [<ffffffffa0005c44>] ? dm_split_args+0x64/0x150 [dm_mod]
[ 1959.226656] [<ffffffffa0005ea7>] dm_table_add_target+0x177/0x440 [dm_mod]
[ 1959.234328] [<ffffffffa0009203>] table_load+0x143/0x370 [dm_mod]
[ 1959.241129] [<ffffffffa00090c0>] ? retrieve_status+0x1b0/0x1b0 [dm_mod]
[ 1959.248607] [<ffffffffa0009e35>] ctl_ioctl+0x255/0x4d0 [dm_mod]
[ 1959.255307] [<ffffffff813304e2>] ? memzero_explicit+0x12/0x20
[ 1959.261816] [<ffffffffa000a0c3>] dm_ctl_ioctl+0x13/0x20 [dm_mod]
[ 1959.268615] [<ffffffff81215eb6>] do_vfs_ioctl+0xa6/0x5c0
[ 1959.274637] [<ffffffff81120d2f>] ? __audit_syscall_entry+0xaf/0x100
[ 1959.281726] [<ffffffff81003176>] ? do_audit_syscall_entry+0x66/0x70
[ 1959.288814] [<ffffffff81216449>] SyS_ioctl+0x79/0x90
[ 1959.294450] [<ffffffff8167e4ae>] entry_SYSCALL_64_fastpath+0x12/0x71
...
[ 1959.323277] RIP [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.333090] RSP <ffff88032a957b30>
[ 1959.336978] CR2: 0000000000000098
[ 1959.344121] ---[ end trace b049991ccad1169e ]---
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1195899
Cc: stable@vger.kernel.org
Signed-off-by: Ding Xiang <dingxiang@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to 'drivers/md')
| -rw-r--r-- | drivers/md/dm-snap.c | 9 | ||||
| -rw-r--r-- | drivers/md/dm-table.c | 36 |
2 files changed, 33 insertions, 12 deletions
diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c index 62479ac4baf7..70bb0e8b62ce 100644 --- a/drivers/md/dm-snap.c +++ b/drivers/md/dm-snap.c | |||
| @@ -1105,6 +1105,7 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) | |||
| 1105 | int i; | 1105 | int i; |
| 1106 | int r = -EINVAL; | 1106 | int r = -EINVAL; |
| 1107 | char *origin_path, *cow_path; | 1107 | char *origin_path, *cow_path; |
| 1108 | dev_t origin_dev, cow_dev; | ||
| 1108 | unsigned args_used, num_flush_bios = 1; | 1109 | unsigned args_used, num_flush_bios = 1; |
| 1109 | fmode_t origin_mode = FMODE_READ; | 1110 | fmode_t origin_mode = FMODE_READ; |
| 1110 | 1111 | ||
| @@ -1135,11 +1136,19 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv) | |||
| 1135 | ti->error = "Cannot get origin device"; | 1136 | ti->error = "Cannot get origin device"; |
| 1136 | goto bad_origin; | 1137 | goto bad_origin; |
| 1137 | } | 1138 | } |
| 1139 | origin_dev = s->origin->bdev->bd_dev; | ||
| 1138 | 1140 | ||
| 1139 | cow_path = argv[0]; | 1141 | cow_path = argv[0]; |
| 1140 | argv++; | 1142 | argv++; |
| 1141 | argc--; | 1143 | argc--; |
| 1142 | 1144 | ||
| 1145 | cow_dev = dm_get_dev_t(cow_path); | ||
| 1146 | if (cow_dev && cow_dev == origin_dev) { | ||
| 1147 | ti->error = "COW device cannot be the same as origin device"; | ||
| 1148 | r = -EINVAL; | ||
| 1149 | goto bad_cow; | ||
| 1150 | } | ||
| 1151 | |||
| 1143 | r = dm_get_device(ti, cow_path, dm_table_get_mode(ti->table), &s->cow); | 1152 | r = dm_get_device(ti, cow_path, dm_table_get_mode(ti->table), &s->cow); |
| 1144 | if (r) { | 1153 | if (r) { |
| 1145 | ti->error = "Cannot get COW device"; | 1154 | ti->error = "Cannot get COW device"; |
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 7210e5392cc4..f9e8f0bef332 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c | |||
| @@ -365,6 +365,26 @@ static int upgrade_mode(struct dm_dev_internal *dd, fmode_t new_mode, | |||
| 365 | } | 365 | } |
| 366 | 366 | ||
| 367 | /* | 367 | /* |
| 368 | * Convert the path to a device | ||
| 369 | */ | ||
| 370 | dev_t dm_get_dev_t(const char *path) | ||
| 371 | { | ||
| 372 | dev_t uninitialized_var(dev); | ||
| 373 | struct block_device *bdev; | ||
| 374 | |||
| 375 | bdev = lookup_bdev(path); | ||
| 376 | if (IS_ERR(bdev)) | ||
| 377 | dev = name_to_dev_t(path); | ||
| 378 | else { | ||
| 379 | dev = bdev->bd_dev; | ||
| 380 | bdput(bdev); | ||
| 381 | } | ||
| 382 | |||
| 383 | return dev; | ||
| 384 | } | ||
| 385 | EXPORT_SYMBOL_GPL(dm_get_dev_t); | ||
| 386 | |||
| 387 | /* | ||
| 368 | * Add a device to the list, or just increment the usage count if | 388 | * Add a device to the list, or just increment the usage count if |
| 369 | * it's already present. | 389 | * it's already present. |
| 370 | */ | 390 | */ |
| @@ -372,23 +392,15 @@ int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, | |||
| 372 | struct dm_dev **result) | 392 | struct dm_dev **result) |
| 373 | { | 393 | { |
| 374 | int r; | 394 | int r; |
| 375 | dev_t uninitialized_var(dev); | 395 | dev_t dev; |
| 376 | struct dm_dev_internal *dd; | 396 | struct dm_dev_internal *dd; |
| 377 | struct dm_table *t = ti->table; | 397 | struct dm_table *t = ti->table; |
| 378 | struct block_device *bdev; | ||
| 379 | 398 | ||
| 380 | BUG_ON(!t); | 399 | BUG_ON(!t); |
| 381 | 400 | ||
| 382 | /* convert the path to a device */ | 401 | dev = dm_get_dev_t(path); |
| 383 | bdev = lookup_bdev(path); | 402 | if (!dev) |
| 384 | if (IS_ERR(bdev)) { | 403 | return -ENODEV; |
| 385 | dev = name_to_dev_t(path); | ||
| 386 | if (!dev) | ||
| 387 | return -ENODEV; | ||
| 388 | } else { | ||
| 389 | dev = bdev->bd_dev; | ||
| 390 | bdput(bdev); | ||
| 391 | } | ||
| 392 | 404 | ||
| 393 | dd = find_device(&t->devices, dev); | 405 | dd = find_device(&t->devices, dev); |
| 394 | if (!dd) { | 406 | if (!dd) { |