dm: table detect io beyond device

This patch fixes a panic on shrinking a DM device if there is
outstanding I/O to the part of the device that is being removed.
(Normally this doesn't happen - a filesystem would be resized first,
for example.)

The bug is that __clone_and_map() assumes dm_table_find_target()
always returns a valid pointer.  It may fail if a bio arrives from the
block layer but its target sector is no longer included in the DM
btree.

This patch appends an empty entry to table->targets[] which will
be returned by a lookup beyond the end of the device.

After calling dm_table_find_target(), __clone_and_map() and target_message()
check for this condition using
dm_target_is_valid().

Sample test script to trigger oops:

4 files changed, 32 insertions, 14 deletions

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 138200bf5e0b..be730fdd4830 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1250,21 +1250,17 @@ static int target_message(struct dm_ioctl *param, size_t param_size)
         if (!table)
                 goto out_argv;
 
-        if (tmsg->sector >= dm_table_get_size(table)) {
+        ti = dm_table_find_target(table, tmsg->sector);
+        if (!dm_target_is_valid(ti)) {
                 DMWARN("Target message sector outside device.");
                 r = -EINVAL;
-                goto out_table;
-        }
-
-        ti = dm_table_find_target(table, tmsg->sector);
-        if (ti->type->message)
+        } else if (ti->type->message)
                 r = ti->type->message(ti, argc, argv);
         else {
                 DMWARN("Target type does not support messages");
                 r = -EINVAL;
         }
 
- out_table:
         dm_table_put(table);
  out_argv:
         kfree(argv);
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index e298d8d11f24..f3f952e347ed 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -189,8 +189,10 @@ static int alloc_targets(struct dm_table *t, unsigned int num)
 
         /*
          * Allocate both the target array and offset array at once.
+         * Append an empty entry to catch sectors beyond the end of
+         * the device.
          */
-        n_highs = (sector_t *) dm_vcalloc(num, sizeof(struct dm_target) +
+        n_highs = (sector_t *) dm_vcalloc(num + 1, sizeof(struct dm_target) +
                                           sizeof(sector_t));
         if (!n_highs)
                 return -ENOMEM;
@@ -867,6 +869,9 @@ struct dm_target *dm_table_get_target(struct dm_table *t, unsigned int index)
 
 /*
  * Search the btree for the correct target.
+ *
+ * Caller should check returned pointer with dm_target_is_valid()
+ * to trap I/O beyond end of device.
  */
 struct dm_target *dm_table_find_target(struct dm_table *t, sector_t sector)
 {
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 07cbbb8eb3e0..cff2a714c107 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -672,13 +672,19 @@ static struct bio *clone_bio(struct bio *bio, sector_t sector,
         return clone;
 }
 
-static void __clone_and_map(struct clone_info *ci)
+static int __clone_and_map(struct clone_info *ci)
 {
         struct bio *clone, *bio = ci->bio;
-        struct dm_target *ti = dm_table_find_target(ci->map, ci->sector);
-        sector_t len = 0, max = max_io_len(ci->md, ci->sector, ti);
+        struct dm_target *ti;
+        sector_t len = 0, max;
         struct dm_target_io *tio;
 
+        ti = dm_table_find_target(ci->map, ci->sector);
+        if (!dm_target_is_valid(ti))
+                return -EIO;
+
+        max = max_io_len(ci->md, ci->sector, ti);
+
         /*
          * Allocate a target io object.
          */
@@ -736,6 +742,9 @@ static void __clone_and_map(struct clone_info *ci)
                 do {
                         if (offset) {
                                 ti = dm_table_find_target(ci->map, ci->sector);
+                                if (!dm_target_is_valid(ti))
+                                        return -EIO;
+
                                 max = max_io_len(ci->md, ci->sector, ti);
 
                                 tio = alloc_tio(ci->md);
@@ -759,6 +768,8 @@ static void __clone_and_map(struct clone_info *ci)
 
                 ci->idx++;
         }
+
+        return 0;
 }
 
 /*
@@ -767,6 +778,7 @@ static void __clone_and_map(struct clone_info *ci)
 static int __split_bio(struct mapped_device *md, struct bio *bio)
 {
         struct clone_info ci;
+        int error = 0;
 
         ci.map = dm_get_table(md);
         if (unlikely(!ci.map))
@@ -784,11 +796,11 @@ static int __split_bio(struct mapped_device *md, struct bio *bio)
         ci.idx = bio->bi_idx;
 
         start_io_acct(ci.io);
-        while (ci.sector_count)
-                __clone_and_map(&ci);
+        while (ci.sector_count && !error)
+                error = __clone_and_map(&ci);
 
         /* drop the extra reference count */
-        dec_pending(ci.io, 0);
+        dec_pending(ci.io, error);
         dm_table_put(ci.map);
 
         return 0;
diff --git a/drivers/md/dm.h b/drivers/md/dm.h
index 4b3faa45277e..177297a88ebd 100644
--- a/drivers/md/dm.h
+++ b/drivers/md/dm.h
@@ -112,6 +112,11 @@ int dm_table_resume_targets(struct dm_table *t);
 int dm_table_any_congested(struct dm_table *t, int bdi_bits);
 void dm_table_unplug_all(struct dm_table *t);
 
+/*
+ * To check the return value from dm_table_find_target().
+ */
+#define dm_target_is_valid(t) ((t)->table)
+
 /*-----------------------------------------------------------------
  * A registry of target types.
  *---------------------------------------------------------------*/