linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Arnold Schulz <arnysch@gmx.net>,
	NeilBrown <neilb@suse.de>
Subject: [ 07/37] md/raid1: fix use-after-free bug in RAID1 data-check code.
Date: Tue, 17 Jul 2012 17:02:44 -0700
Message-ID: <20120717232431.912928211@linuxfoundation.org>
In-Reply-To: <20120717232431.399005532@linuxfoundation.org>

From: Greg KH <gregkh@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.de>

commit 2d4f4f3384d4ef4f7c571448e803a1ce721113d5 upstream.

This bug has been present ever since data-check was introduced
in 2.6.16.  However, it would only fire if a data-check were
done on a degraded array, which was only possible if the array
has 3 or more devices.  This is certainly possible, but is quite
uncommon.

Since hot-replace was added in 3.3 it can happen more often as
the same condition can arise if not all possible replacements are
present.

The problem is that as soon as we submit the last read request, the
'r1_bio' structure could be freed at any time, so we really should
stop looking at it.  If the last device is being read from we will
stop looking at it.  However if the last device is not due to be read
from, we will still check the bio pointer in the r1_bio, but the
r1_bio might already be free.

So use the read_targets counter to make sure we stop looking for bios
to submit as soon as we have submitted them all.

This fix is suitable for any -stable kernel since 2.6.16.

Reported-by: Arnold Schulz <arnysch@gmx.net>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid1.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -2486,9 +2486,10 @@ static sector_t sync_request(struct mdde
 	 */
 	if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery)) {
 		atomic_set(&r1_bio->remaining, read_targets);
-		for (i = 0; i < conf->raid_disks * 2; i++) {
+		for (i = 0; i < conf->raid_disks * 2 && read_targets; i++) {
 			bio = r1_bio->bios[i];
 			if (bio->bi_end_io == end_sync_read) {
+				read_targets--;
 				md_sync_acct(bio->bi_bdev, nr_sectors);
 				generic_make_request(bio);
 			}
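Review bot: the guard `&& read_targets` in the loop condition and the `read_targets--` placed before `generic_make_request(bio)` are the right shape (the local is decremented while r1_bio is still known to be alive, and the condition is tested before `r1_bio->bios[i]` is read again), but nothing in the hunk says why the loop must stop early, so a future cleanup could drop the guard as redundant. Suggest a one-line comment above the loop, e.g. `/* r1_bio may be freed as soon as the last read is submitted */`. Note also that `atomic_set(&r1_bio->remaining, read_targets)` two lines up already consumed the count, so decrementing the local afterwards does not disturb the completion counter.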



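The lifetime rule the commit message describes, as an added model that is not kernel code: a heap descriptor standing in for r1_bio is shared by several reads, completing the last read frees it, and completion may run synchronously inside the submit call. The `submit_reads()` helper, `NSLOTS`, and the `reads_mid`/`reads_last` inputs are constructed for this example; it runs the old and the fixed loop side by side and counts the iterations that would have touched the freed descriptor.

```c
/* Added model of the lifetime rule behind the fix (not kernel code): the last
 * completion frees the shared descriptor, possibly before submit() returns. */
#include <stdlib.h>
#include <stdbool.h>

#define NSLOTS 6                   /* stand-in for conf->raid_disks * 2 */
struct req {
    int  remaining;                /* reads outstanding (r1_bio->remaining) */
    bool want[NSLOTS];             /* slot has a read (bi_end_io == end_sync_read) */
};
static bool freed;                 /* recorded instead of letting the CPU fault */
/* Worst case: the read completes, and may free r, before submit() returns. */
static void submit(struct req *r)
{
    if (--r->remaining == 0) {
        free(r);
        freed = true;
    }
}

/* bounded == false is the old loop, which keeps indexing the descriptor after
 * the last submission; bounded == true is the fixed loop. Returns how many
 * iterations would have touched the freed descriptor (0 means safe). */
static int submit_reads(const bool *want, int read_targets, bool bounded)
{
    struct req *r = malloc(sizeof(*r));
    int unsafe = 0;
    if (!r) return -1;
    freed = false;
    r->remaining = read_targets;
    for (int i = 0; i < NSLOTS; i++)
        r->want[i] = want[i];
    for (int i = 0; i < NSLOTS && (!bounded || read_targets); i++) {
        if (freed) {               /* real code would read r->bios[i] here */
            unsafe++;
            continue;
        }
        if (r->want[i]) {
            read_targets--;        /* decrement first: r may vanish in submit() */
            submit(r);
        }
    }
    if (!freed)
        free(r);                   /* only reached if read_targets over-counted */
    return unsafe;
}
/* Constructed inputs: reads on slots 1 and 3; reads on the last two slots. */
static const bool reads_mid[NSLOTS]  = { false, true, false, true, false, false };
static const bool reads_last[NSLOTS] = { false, false, false, false, true, true };
```

With `reads_last` both loops are safe, matching the commit message's observation that the bug only fires when the last device is not among the read targets.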