mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-08-29 04:09:39 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/md
History
Heming Zhao cf9392282a md/bitmap: don't set sb values if can't pass sanity check 
[ Upstream commit e68cb83a57 ]

If bitmap area contains invalid data, kernel will crash then mdadm
triggers "Segmentation fault".
This is cluster-md speical bug. In non-clustered env, mdadm will
handle broken metadata case. In clustered array, only kernel space
handles bitmap slot info. But even this bug only happened in clustered
env, current sanity check is wrong, the code should be changed.

How to trigger: (faulty injection)

dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda
dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb
mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb
mdadm -Ss
echo aaa > magic.txt
 == below modifying slot 2 bitmap data ==
dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic
dd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize
mdadm -A /dev/md0 /dev/sda /dev/sdb
 == kernel crashes. mdadm outputs "Segmentation fault" ==

Reason of kernel crash:

In md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't
block chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()
trigger "divide error".

Crash log:

kernel: md: md0 stopped.
kernel: md/raid1:md0: not clean -- starting background reconstruction
kernel: md/raid1:md0: active with 2 out of 2 mirrors
kernel: dlm: ... ...
kernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1
kernel: md0: invalid bitmap file superblock: bad magic
kernel: md_bitmap_copy_from_slot can't get bitmap from slot 2
kernel: md-cluster: Could not gather bitmaps from slot 2
kernel: divide error: 0000 [#1] SMP NOPTI
kernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default
kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
kernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246
kernel: ... ...
kernel: Call Trace:
kernel:  ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]
kernel:  md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]
kernel:  load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]
kernel:  md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]
kernel:  do_md_run+0x30/0x100 [md_mod 24ea..d3a]
kernel:  md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]
kernel:  ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]
kernel:  ? blkdev_ioctl+0xb1/0x2b0
kernel:  block_ioctl+0x3b/0x40
kernel:  __x64_sys_ioctl+0x7f/0xb0
kernel:  do_syscall_64+0x59/0x80
kernel:  ? exit_to_user_mode_prepare+0x1ab/0x230
kernel:  ? syscall_exit_to_user_mode+0x18/0x40
kernel:  ? do_syscall_64+0x69/0x80
kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae
kernel: RIP: 0033:0x7f4a15fa722b
kernel: ... ...
kernel: ---[ end trace 8afa7612f559c868 ]---
kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-09 10:25:22 +02:00
..
bcache bcache: fixup multiple threads crash 2022-04-08 13:57:28 +02:00
persistent-data dm space map common: add bounds check to sm_ll_lookup_bitmap() 2022-01-04 13:58:19 -05:00
dm-audit.c dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c
dm-bio-prison-v1.h
dm-bio-prison-v2.c
dm-bio-prison-v2.h
dm-bio-record.h block: move integrity handling out of <linux/blkdev.h> 2021-10-18 06:17:02 -06:00
dm-bufio.c - Add DM core support for emitting audit events through the audit 2021-11-09 11:02:04 -08:00
dm-builtin.c
dm-cache-background-tracker.c
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-cache-metadata.h
dm-cache-policy-internal.h
dm-cache-policy-smq.c
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-clone-metadata.c dm clone metadata: remove unused function 2021-04-19 13:20:31 -04:00
dm-clone-metadata.h
dm-clone-target.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-core.h dm: interlock pending dm_io and dm_wait_for_bios_completion 2022-04-08 13:57:23 +02:00
dm-crypt.c dm crypt: make printing of the key constant-time 2022-06-06 08:47:54 +02:00
dm-delay.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-dust.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-ebs-target.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-era-target.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-exception-store.c
dm-exception-store.h dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-flakey.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-ima.c mm: don't include <linux/blk-cgroup.h> in <linux/backing-dev.h> 2021-10-18 06:17:01 -06:00
dm-ima.h dm ima: add version info to dm related events in ima log 2021-08-20 15:59:47 -04:00
dm-init.c dm init: Set file local variable static 2020-08-04 15:51:28 -04:00
dm-integrity.c dm integrity: fix error code in dm_integrity_ctr() 2022-06-06 08:47:54 +02:00
dm-io-tracker.h dm writecache: make writeback pause configurable 2021-06-28 16:30:13 -04:00
dm-io.c block: Add bio_max_segs 2021-02-26 15:49:51 -07:00
dm-ioctl.c dm ioctl: prevent potential spectre v1 gadget 2022-04-13 19:27:16 +02:00
dm-kcopyd.c dm writecache: have ssd writeback wait if the kcopyd workqueue is busy 2021-06-15 15:42:03 -04:00
dm-linear.c dax: remove the copy_from_iter and copy_to_iter methods 2021-12-18 08:04:53 -08:00
dm-log-userspace-base.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c dax: remove the copy_from_iter and copy_to_iter methods 2021-12-18 08:04:53 -08:00
dm-log.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-mpath.c block: remove the ->rq_disk field in struct request 2021-11-29 06:41:29 -07:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-ps-historical-service-time.c dm mpath: only use ktime_get_ns() in historical selector 2022-04-20 09:36:18 +02:00
dm-ps-io-affinity.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-queue-length.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-round-robin.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-service-time.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-raid.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-raid1.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-region-hash.c
dm-rq.c dm: requeue IO if mapping table not yet available 2022-04-13 19:27:17 +02:00
dm-rq.h
dm-snap-persistent.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-snap-transient.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-snap.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-stats.c dm stats: add cond_resched when looping over entries 2022-06-06 08:47:54 +02:00
dm-stats.h dm: fix double accounting of flush with data 2022-04-08 13:57:23 +02:00
dm-stripe.c dax: remove the copy_from_iter and copy_to_iter methods 2021-12-18 08:04:53 -08:00
dm-switch.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-sysfs.c dm sysfs: use default_groups in kobj_type 2022-01-06 09:48:55 -05:00
dm-table.c dax: remove dax_capable 2021-12-04 08:58:51 -08:00
dm-target.c
dm-thin-metadata.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-thin-metadata.h
dm-thin.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-uevent.c
dm-uevent.h
dm-unstripe.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-verity-fec.c dm verity fec: fix misaligned RS roots IO 2021-04-14 14:28:29 -04:00
dm-verity-fec.h dm verity fec: fix misaligned RS roots IO 2021-04-14 14:28:29 -04:00
dm-verity-target.c dm verity: set DM_TARGET_IMMUTABLE feature flag 2022-06-06 08:47:54 +02:00
dm-verity-verify-sig.c dm verity: fix require_signatures module_param permissions 2021-05-25 16:14:05 -04:00
dm-verity-verify-sig.h dm verity: Fix compilation warning 2020-08-04 15:48:13 -04:00
dm-verity.h
dm-writecache.c dm: make the DAX support depend on CONFIG_FS_DAX 2021-12-04 08:58:50 -08:00
dm-zero.c dm: add support for REQ_NOWAIT to various targets 2020-12-04 18:04:35 -05:00
dm-zone.c dm zone: fix dm_revalidate_zones() memory allocation 2021-06-25 15:25:23 -04:00
dm-zoned-metadata.c dm zoned: check zone capacity 2021-06-04 12:07:28 -04:00
dm-zoned-reclaim.c dm kcopyd: avoid useless atomic operations 2021-06-04 12:07:24 -04:00
dm-zoned-target.c - Add DM core support for emitting audit events through the audit 2021-11-09 11:02:04 -08:00
dm-zoned.h
dm.c dm: requeue IO if mapping table not yet available 2022-04-13 19:27:17 +02:00
dm.h dax: remove dax_capable 2021-12-04 08:58:51 -08:00
Kconfig dm integrity: log audit events for dm-integrity target 2021-10-27 16:54:36 -04:00
Makefile dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
md-autodetect.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
md-bitmap.c md/bitmap: don't set sb values if can't pass sanity check 2022-06-09 10:25:22 +02:00
md-bitmap.h
md-cluster.c md: fix spelling of "its" 2022-01-06 08:37:03 -08:00
md-cluster.h
md-faulty.c md: mark some personalities as deprecated 2021-06-14 22:32:07 -07:00
md-linear.c md: mark some personalities as deprecated 2021-06-14 22:32:07 -07:00
md-linear.h
md-multipath.c md: mark some personalities as deprecated 2021-06-14 22:32:07 -07:00
md-multipath.h
md.c md: fix NULL pointer deref with nowait but no mddev->queue 2022-02-02 10:14:07 -08:00
md.h md: Move alloc/free acct bioset in to personality 2022-01-06 08:37:03 -08:00
raid0.c md: Move alloc/free acct bioset in to personality 2022-01-06 08:37:03 -08:00
raid0.h
raid1-10.c md: drop queue limitation for RAID1 and RAID10 2022-01-06 08:37:02 -08:00
raid1.c for-5.17/drivers-2022-01-11 2022-01-12 10:35:23 -08:00
raid1.h md/raid1: enable io accounting 2021-06-14 22:32:07 -07:00
raid5-cache.c block: rename BIO_MAX_PAGES to BIO_MAX_VECS 2021-03-11 07:47:48 -07:00
raid5-log.h
raid5-ppl.c raid5-ppl: use swap() to make code cleaner 2021-11-02 11:41:45 -07:00
raid5.c raid5: introduce MD_BROKEN 2022-06-06 08:47:54 +02:00
raid5.h md/raid5: play nice with PREEMPT_RT 2022-01-06 08:37:02 -08:00
raid10.c md: raid10 add nowait support 2022-01-06 08:37:02 -08:00
raid10.h md/raid10: enable io accounting 2021-06-14 22:32:07 -07:00