superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers/md
History
Yu Kuai b372816ad6 md: fix regression for null-ptr-deference in __md_stop() 
commit 433279beba upstream.

Commit 3e45352259 ("md: Free resources in __md_stop") tried to fix
null-ptr-deference for 'active_io' by moving percpu_ref_exit() to
__md_stop(), however, the commit also moving 'writes_pending' to
__md_stop(), and this will cause mdadm tests broken:

BUG: kernel NULL pointer dereference, address: 0000000000000038
Oops: 0000 [#1] PREEMPT SMP
CPU: 15 PID: 17830 Comm: mdadm Not tainted 6.3.0-rc3-next-20230324-00009-g520d37
RIP: 0010:free_percpu+0x465/0x670
Call Trace:
 <TASK>
 __percpu_ref_exit+0x48/0x70
 percpu_ref_exit+0x1a/0x90
 __md_stop+0xe9/0x170
 do_md_stop+0x1e1/0x7b0
 md_ioctl+0x90c/0x1aa0
 blkdev_ioctl+0x19b/0x400
 vfs_ioctl+0x20/0x50
 __x64_sys_ioctl+0xba/0xe0
 do_syscall_64+0x6c/0xe0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

And the problem can be reporduced 100% by following test:

mdadm -CR /dev/md0 -l1 -n1 /dev/sda --force
echo inactive > /sys/block/md0/md/array_state
echo read-auto  > /sys/block/md0/md/array_state
echo inactive > /sys/block/md0/md/array_state

Root cause:

// start raid
raid1_run
 mddev_init_writes_pending
  percpu_ref_init

// inactive raid
array_state_store
 do_md_stop
  __md_stop
   percpu_ref_exit

// start raid again
array_state_store
 do_md_run
  raid1_run
   mddev_init_writes_pending
    if (mddev->writes_pending.percpu_count_ptr)
    // won't reinit

// inactive raid again
...
percpu_ref_exit
-> null-ptr-deference

Before the commit, 'writes_pending' is exited when mddev is freed, and
it's safe to restart raid because mddev_init_writes_pending() already make
sure that 'writes_pending' will only be initialized once.

Fix the prblem by moving 'writes_pending' back, it's a litter hard to find
the relationship between alloc memory and free memory, however, code
changes is much less and we lived with this for a long time already.

Fixes: 3e45352259 ("md: Free resources in __md_stop")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Xiao Ni <xni@redhat.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230328094400.1448955-1-yukuai1@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2023-09-13 09:43:05 +02:00
..
bcache bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent 2023-07-19 16:22:10 +02:00
persistent-data dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
Kconfig md: select BLOCK_LEGACY_AUTOLOAD 2023-03-22 13:33:58 +01:00
Makefile hardening updates for v5.20-rc1 2022-08-02 14:38:59 -07:00
dm-audit.c
dm-audit.h
dm-bio-prison-v1.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-bio-prison-v1.h
dm-bio-prison-v2.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-bio-prison-v2.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-bio-record.h
dm-bufio.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-builtin.c
dm-cache-background-tracker.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-background-tracker.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-block-types.h
dm-cache-metadata.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-metadata.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-policy-internal.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-policy-smq.c dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-08-03 10:24:17 +02:00
dm-cache-policy.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-policy.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-cache-target.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-clone-metadata.c
dm-clone-metadata.h
dm-clone-target.c dm clone: call kmem_cache_destroy() in dm_clone_init() error path 2023-05-11 23:03:41 +09:00
dm-core.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-crypt.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-delay.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-dust.c
dm-ebs-target.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-era-target.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-exception-store.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-exception-store.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-flakey.c dm flakey: fix a crash with invalid table line 2023-05-11 23:03:41 +09:00
dm-ima.c dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
dm-ima.h
dm-init.c dm init: add dm-mod.waitfor to wait for asynchronously probed block devices 2023-07-23 13:49:38 +02:00
dm-integrity.c dm integrity: reduce vmalloc space footprint on 32-bit architectures 2023-07-23 13:49:35 +02:00
dm-io-rewind.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-io-tracker.h
dm-io.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-ioctl.c dm ioctl: Avoid double-fetch of version 2023-07-19 16:22:07 +02:00
dm-kcopyd.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-linear.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-log-userspace-base.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-log-userspace-transfer.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-log-userspace-transfer.h
dm-log-writes.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-log.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-mpath.c dm: fix undue/missing spaces 2023-07-19 16:22:07 +02:00
dm-mpath.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-path-selector.c
dm-path-selector.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-ps-historical-service-time.c dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-ps-io-affinity.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-ps-queue-length.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-ps-round-robin.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-ps-service-time.c dm: fix undue/missing spaces 2023-07-19 16:22:07 +02:00
dm-raid.c dm raid: protect md_stop() with 'reconfig_mutex' 2023-08-03 10:24:05 +02:00
dm-raid1.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-region-hash.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-rq.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-rq.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-snap-persistent.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-snap-transient.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-snap.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-stats.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-stats.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-stripe.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-switch.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-sysfs.c
dm-table.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-target.c dax: introduce DAX_RECOVERY_WRITE dax access mode 2022-05-16 13:35:56 -07:00
dm-thin-metadata.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-thin-metadata.h
dm-thin.c dm thin: fix issue_discard to pass GFP_NOIO to __blkdev_issue_discard 2023-06-21 16:00:55 +02:00
dm-uevent.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-uevent.h dm: fix undue/missing spaces 2023-07-19 16:22:07 +02:00
dm-unstripe.c
dm-verity-fec.c dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-verity-fec.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-verity-loadpin.c dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter 2023-07-23 13:49:43 +02:00
dm-verity-target.c dm verity: fix error handling for check_at_most_once on FEC 2023-05-11 23:03:41 +09:00
dm-verity-verify-sig.c
dm-verity-verify-sig.h
dm-verity.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
dm-writecache.c dm: fix undue/missing spaces 2023-07-19 16:22:07 +02:00
dm-zero.c
dm-zone.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-zoned-metadata.c dm: avoid split of quoted strings where possible 2023-07-19 16:22:07 +02:00
dm-zoned-reclaim.c
dm-zoned-target.c dm-zoned: cleanup dmz_fixup_devices 2022-07-06 06:46:26 -06:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c dm: don't lock fs when the map is NULL during suspend or resume 2023-06-21 16:01:02 +02:00
dm.h dm: change "unsigned" to "unsigned int" 2023-04-13 16:55:17 +02:00
md-autodetect.c md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
md-bitmap.c md/md-bitmap: hold 'reconfig_mutex' in backlog_store() 2023-09-13 09:42:41 +02:00
md-bitmap.h md/raid1-10: submit write io directly if bitmap is not enabled 2023-07-19 16:20:58 +02:00
md-cluster.c fs: dlm: remove DLM_LSFL_FS from uapi 2022-08-23 14:54:54 -05:00
md-cluster.h
md-faulty.c
md-linear.c md: add error_handlers for raid0 and linear 2023-09-13 09:42:44 +02:00
md-linear.h
md-multipath.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-multipath.h
md.c md: fix regression for null-ptr-deference in __md_stop() 2023-09-13 09:43:05 +02:00
md.h md: add error_handlers for raid0 and linear 2023-09-13 09:42:44 +02:00
raid0.c md: raid0: account for split bio in iostat accounting 2023-09-13 09:42:44 +02:00
raid0.h md/raid0: add discard support for the 'original' layout 2023-07-23 13:49:37 +02:00
raid1-10.c md/raid1-10: fix casting from randomized structure in raid1_submit_write() 2023-07-19 16:21:45 +02:00
raid1.c md/raid1-10: factor out a helper to submit normal write 2023-07-19 16:20:58 +02:00
raid1.h
raid5-cache.c md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid() 2023-09-13 09:42:44 +02:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5.c md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk() 2023-06-09 10:34:20 +02:00
raid5.h md/raid5: Cleanup prototype of raid5_get_active_stripe() 2022-09-22 00:05:04 -07:00
raid10.c md/raid10: use dereference_rdev_and_rrdev() to get devices 2023-09-13 09:42:41 +02:00
raid10.h md/raid10: convert resync_lock to use seqlock 2022-09-22 00:05:05 -07:00