android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c42a0e2675
android_kernel_samsung_sm8650/drivers/md
History
Yufen Yu c42a0e2675 md: fix NULL dereference of mddev->pers in remove_and_add_spares() 
We met NULL pointer BUG as follow:

[  151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0
[  151.762039] Oops: 0000 [#1] SMP PTI
[  151.762406] Modules linked in:
[  151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238
[  151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
[  151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0
[  151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246
[  151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000
[  151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000
[  151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051
[  151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600
[  151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000
[  151.769160] FS:  00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000
[  151.769971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0
[  151.771272] Call Trace:
[  151.771542]  md_ioctl+0x1df2/0x1e10
[  151.771906]  ? __switch_to+0x129/0x440
[  151.772295]  ? __schedule+0x244/0x850
[  151.772672]  blkdev_ioctl+0x4bd/0x970
[  151.773048]  block_ioctl+0x39/0x40
[  151.773402]  do_vfs_ioctl+0xa4/0x610
[  151.773770]  ? dput.part.23+0x87/0x100
[  151.774151]  ksys_ioctl+0x70/0x80
[  151.774493]  __x64_sys_ioctl+0x16/0x20
[  151.774877]  do_syscall_64+0x5b/0x180
[  151.775258]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

For raid6, when two disk of the array are offline, two spare disks can
be added into the array. Before spare disks recovery completing,
system reboot and mdadm thinks it is ok to restart the degraded
array by md_ioctl(). Since disks in raid6 is not only_parity(),
raid5_run() will abort, when there is no PPL feature or not setting
'start_dirty_degraded' parameter. Therefore, mddev->pers is NULL.

But, mddev->raid_disks has been set and it will not be cleared when
raid5_run abort. md_ioctl() can execute cmd 'HOT_REMOVE_DISK' to
remove a disk by mdadm, which will cause NULL pointer dereference
in remove_and_add_spares() finally.

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
2018-05-17 09:55:59 -07:00
..
bcache for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
persistent-data dm bufio: move dm-bufio.h to include/linux/ 2018-04-03 15:04:23 -04:00
dm-bio-prison-v1.c dm bio prison: use rb_entry() rather than container_of() 2017-06-19 11:03:50 -04:00
dm-bio-prison-v1.h block: switch bios to blk_status_t 2017-06-09 09:27:32 -06:00
dm-bio-prison-v2.c dm bio prison: use rb_entry() rather than container_of() 2017-06-19 11:03:50 -04:00
dm-bio-prison-v2.h
dm-bio-record.h block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
dm-bufio.c dm bufio: don't embed a bio in the dm_buffer structure 2018-04-03 15:04:29 -04:00
dm-builtin.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-cache-background-tracker.c dm cache background tracker: limit amount of background work that may be issued at once 2017-11-10 15:45:03 -05:00
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm cache: convert dm_cache_metadata.ref_count from atomic_t to refcount_t 2017-10-24 15:09:51 -04:00
dm-cache-metadata.h
dm-cache-policy-internal.h
dm-cache-policy-smq.c dm cache policy smq: allocate cache blocks in order 2017-11-10 15:45:05 -05:00
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c dm: allow targets to return output from messages they are sent 2018-04-03 15:04:10 -04:00
dm-core.h dm: various cleanups to md->queue initialization code 2018-01-29 13:44:55 -05:00
dm-crypt.c dm crypt: limit the number of allocated pages 2018-04-03 15:04:11 -04:00
dm-delay.c dm: backfill missing calls to mutex_destroy() 2018-01-17 09:16:15 -05:00
dm-era-target.c dm: allow targets to return output from messages they are sent 2018-04-03 15:04:10 -04:00
dm-exception-store.c
dm-exception-store.h
dm-flakey.c dm: remove fmode_t argument from .prepare_ioctl hook 2018-04-04 12:12:39 -04:00
dm-integrity.c dm bufio: move dm-bufio.h to include/linux/ 2018-04-03 15:04:23 -04:00
dm-io.c dm io: remove BIOSET_NEED_RESCUER flag from bios bioset 2017-12-13 12:15:56 -05:00
dm-ioctl.c dm: allow targets to return output from messages they are sent 2018-04-03 15:04:10 -04:00
dm-kcopyd.c dm: backfill missing calls to mutex_destroy() 2018-01-17 09:16:15 -05:00
dm-linear.c libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
dm-log-userspace-base.c
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
dm-log.c
dm-mpath.c dm: remove fmode_t argument from .prepare_ioctl hook 2018-04-04 12:12:39 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-queue-length.c dm mpath selector: more evenly distribute ties 2018-01-29 13:44:58 -05:00
dm-raid1.c md: Convert timers to use timer_setup() 2017-11-14 20:11:57 -07:00
dm-raid.c dm raid: fix parse_raid_params() variable range issue 2018-04-04 12:12:37 -04:00
dm-region-hash.c
dm-round-robin.c
dm-rq.c for-linus-20180204 2018-02-04 11:16:35 -08:00
dm-rq.h dm rq: do not update rq partially in each ending bio 2017-08-28 10:23:28 -04:00
dm-service-time.c dm mpath selector: more evenly distribute ties 2018-01-29 13:44:58 -05:00
dm-snap-persistent.c dm bufio: move dm-bufio.h to include/linux/ 2018-04-03 15:04:23 -04:00
dm-snap-transient.c
dm-snap.c dm snapshot: use mutex instead of rw_semaphore 2018-01-17 09:16:14 -05:00
dm-stats.c dm: backfill missing calls to mutex_destroy() 2018-01-17 09:16:15 -05:00
dm-stats.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-stripe.c libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
dm-switch.c dm: remove fmode_t argument from .prepare_ioctl hook 2018-04-04 12:12:39 -04:00
dm-sysfs.c
dm-table.c - DM core passthrough ioctl fix to retain reference to DM table, and 2018-04-06 11:50:19 -07:00
dm-target.c dm: remove unused macro DM_MOD_NAME_SIZE 2018-04-03 15:04:15 -04:00
dm-thin-metadata.c dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 2018-01-17 09:07:54 -05:00
dm-thin-metadata.h
dm-thin.c dm: allow targets to return output from messages they are sent 2018-04-03 15:04:10 -04:00
dm-uevent.c
dm-uevent.h
dm-unstripe.c dm unstripe: remove unnecessary header includes 2018-04-03 15:04:15 -04:00
dm-verity-fec.c dm verity fec: fix GFP flags used with mempool_alloc() 2017-07-26 15:55:44 -04:00
dm-verity-fec.h
dm-verity-target.c dm: remove fmode_t argument from .prepare_ioctl hook 2018-04-04 12:12:39 -04:00
dm-verity.h dm verity: add 'check_at_most_once' option to only validate hashes once 2018-04-03 15:04:29 -04:00
dm-zero.c dm: don't return errnos from ->map 2017-06-09 09:27:32 -06:00
dm-zoned-metadata.c dm: backfill missing calls to mutex_destroy() 2018-01-17 09:16:15 -05:00
dm-zoned-reclaim.c dm zoned: use GFP_NOIO in I/O path 2017-07-26 15:55:43 -04:00
dm-zoned-target.c dm: remove fmode_t argument from .prepare_ioctl hook 2018-04-04 12:12:39 -04:00
dm-zoned.h dm zoned: drive-managed zoned block device target 2017-06-19 11:05:20 -04:00
dm.c libnvdimm for 4.17 2018-04-10 10:25:57 -07:00
dm.h dm: move dm_table_destroy() to same header as dm_table_create() 2018-01-17 09:16:06 -05:00
Kconfig dax, dm: allow device-mapper to operate without dax support 2018-04-03 05:41:19 -07:00
Makefile dm: add unstriped target 2018-01-17 09:16:00 -05:00
md-bitmap.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-11-14 16:07:26 -08:00
md-bitmap.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-11-14 16:07:26 -08:00
md-cluster.c md-cluster: update document for raid10 2017-11-01 21:32:25 -07:00
md-cluster.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
md-faulty.c md: rename some drivers/md/ files to have an "md-" prefix 2017-10-16 19:06:36 -07:00
md-linear.c block: Use blk_queue_flag_*() in drivers instead of queue_flag_*() 2018-03-08 14:13:48 -07:00
md-linear.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-11-14 16:07:26 -08:00
md-multipath.c md-multipath: Use seq_putc() in multipath_status() 2018-02-17 13:00:35 -08:00
md-multipath.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md 2017-11-14 16:07:26 -08:00
md.c md: fix NULL dereference of mddev->pers in remove_and_add_spares() 2018-05-17 09:55:59 -07:00
md.h md: fix md_write_start() deadlock w/o metadata devices 2018-02-18 10:11:59 -08:00
raid0.c block: Use blk_queue_flag_*() in drivers instead of queue_flag_*() 2018-03-08 14:13:48 -07:00
raid0.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid1-10.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raid1.c md: fix an error code format and remove unsed bio_sector 2018-05-01 09:47:49 -07:00
raid1.h md: document lifetime of internal rdev pointer. 2018-02-18 10:22:27 -08:00
raid5-cache.c raid5-ppl: PPL support for disks with write-back cache enabled 2018-01-15 14:29:42 -08:00
raid5-log.h raid5-ppl: fix handling flush requests 2018-02-21 09:40:40 -08:00
raid5-ppl.c raid5-ppl: fix handling flush requests 2018-02-21 09:40:40 -08:00
raid5.c raid5: copy write hint from origin bio to stripe 2018-05-17 09:55:58 -07:00
raid5.h raid5: copy write hint from origin bio to stripe 2018-05-17 09:55:58 -07:00
raid10.c raid10: check bio in r10buf_pool_free to void NULL pointer dereference 2018-05-01 09:47:50 -07:00
raid10.h md: document lifetime of internal rdev pointer. 2018-02-18 10:22:27 -08:00