Re: [PATCH 1/2] dm era: fix NULL pointer dereference in metadata_open()

From: Ming Hung Tsai

Date: Wed Jun 24 2026 - 10:10:33 EST


On Wed, Jun 17, 2026 at 2:12 PM <ghuicao@xxxxxxx> wrote:
>
> From: Cao Guanghui <caoguanghui@xxxxxxxxxx>
>
> metadata_open() returns NULL when kzalloc_obj() fails, but the
> caller era_ctr() only checks IS_ERR(md). Since IS_ERR(NULL)
> returns false, the NULL pointer is treated as a valid result
> and later assigned to era->md, leading to a NULL pointer
> dereference when the metadata is accessed.
>
> Fix this by returning ERR_PTR(-ENOMEM) on allocation failure,
> consistent with dm-cache-metadata.c, dm-thin-metadata.c, and
> dm-clone-metadata.c which all use ERR_PTR(-ENOMEM) for the
> same pattern.
>
> Fixes: eec40579d848 ("dm: add era target")
> Signed-off-by: Cao Guanghui <caoguanghui@xxxxxxxxxx>

Thanks for the patch!

Reviewed-by: Ming-Hung Tsai <mtsai@xxxxxxxxxx>

> ---
> drivers/md/dm-era-target.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c
> index 05285c04ff2c..08ce96e8cf4f 100644
> --- a/drivers/md/dm-era-target.c
> +++ b/drivers/md/dm-era-target.c
> @@ -810,8 +810,10 @@ static struct era_metadata *metadata_open(struct block_device *bdev,
> int r;
> struct era_metadata *md = kzalloc_obj(*md);
>
> - if (!md)
> - return NULL;
> + if (!md) {
> + DMERR("could not allocate metadata struct");
> + return ERR_PTR(-ENOMEM);
> + }
>
> md->bdev = bdev;
> md->block_size = block_size;
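Review bot: The DMERR() added inside the `if (!md)` branch duplicates what the allocator already reports when a kzalloc-style allocation fails, and checkpatch flags this kind of line as a possibly unnecessary out-of-memory message. Consider dropping the DMERR() and the braces so the branch is just `return ERR_PTR(-ENOMEM);`. If the message is kept for parity with the dm-cache, dm-thin and dm-clone metadata code named in the changelog, the changelog should say so. The changelog could also confirm that no other return path in metadata_open() can hand NULL to era_ctr(), since the caller checks only IS_ERR().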
> --
> 2.25.1
>
>
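The return-value contract described in the commit message, as an added example that is not part of the thread or the kernel source: a userspace C model of the ERR_PTR()/IS_ERR() helpers showing why a NULL return passes an IS_ERR()-only check. The names `failing_alloc`, `ctr_model`, `metadata_open_before` and `metadata_open_after` are hypothetical, and the struct is reduced to one field.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the kernel's ERR_PTR()/PTR_ERR()/IS_ERR() helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static int IS_ERR(const void *ptr)
{
    /* Only the top MAX_ERRNO addresses count as errors; NULL (0) does not. */
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct era_metadata { int block_size; };   /* reduced to one field */

/* Constructed stand-in for an allocation that fails (demo assumption). */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* "Before" shape: allocation failure reported as NULL. */
static struct era_metadata *metadata_open_before(void)
{
    struct era_metadata *md = failing_alloc(sizeof(*md));
    return md ? md : NULL;
}

/* "After" shape: allocation failure reported as ERR_PTR(-ENOMEM). */
static struct era_metadata *metadata_open_after(void)
{
    struct era_metadata *md = failing_alloc(sizeof(*md));
    return md ? md : ERR_PTR(-ENOMEM);
}

/*
 * Model of a caller that checks only IS_ERR(). Returns the negative errno
 * when the failure is detected, 0 when a usable pointer is accepted, and
 * 1 when NULL slipped through and would be stored as if it were valid.
 */
static long ctr_model(struct era_metadata *md)
{
    if (IS_ERR(md))
        return PTR_ERR(md);
    return md == NULL ? 1 : 0;
}

int main(void)
{
    printf("before: %ld\n", ctr_model(metadata_open_before()));
    printf("after:  %ld\n", ctr_model(metadata_open_after()));
    return 0;
}
```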