mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/drivers/md
History
Yu Kuai 3f28d49a32 raid1: fix use-after-free for original bio in raid1_write_request() 
commit fcf3f7e2fc upstream.

r1_bio->bios[] is used to record new bios that will be issued to
underlying disks, however, in raid1_write_request(), r1_bio->bios[]
will set to the original bio temporarily. Meanwhile, if blocked rdev
is set, free_r1bio() will be called causing that all r1_bio->bios[]
to be freed:

raid1_write_request()
 r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL
 for (i = 0;  i < disks; i++) -> for each rdev in conf
  // first rdev is normal
  r1_bio->bios[0] = bio; -> set to original bio
  // second rdev is blocked
  if (test_bit(Blocked, &rdev->flags))
   break

 if (blocked_rdev)
  free_r1bio()
   put_all_bios()
    bio_put(r1_bio->bios[0]) -> original bio is freed

Test scripts:

mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
    -iodepth=128 -name=test -direct=1
echo blocked > /sys/block/md0/md/rd2/state

Test result:

BUG bio-264 (Not tainted): Object already free
-----------------------------------------------------------------------------

Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
 kmem_cache_alloc+0x324/0x480
 mempool_alloc_slab+0x24/0x50
 mempool_alloc+0x6e/0x220
 bio_alloc_bioset+0x1af/0x4d0
 blkdev_direct_IO+0x164/0x8a0
 blkdev_write_iter+0x309/0x440
 aio_write+0x139/0x2f0
 io_submit_one+0x5ca/0xb70
 __do_sys_io_submit+0x86/0x270
 __x64_sys_io_submit+0x22/0x30
 do_syscall_64+0xb1/0x210
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
 kmem_cache_free+0x28c/0x550
 mempool_free_slab+0x1f/0x30
 mempool_free+0x40/0x100
 bio_free+0x59/0x80
 bio_put+0xf0/0x220
 free_r1bio+0x74/0xb0
 raid1_make_request+0xadf/0x1150
 md_handle_request+0xc7/0x3b0
 md_submit_bio+0x76/0x130
 __submit_bio+0xd8/0x1d0
 submit_bio_noacct_nocheck+0x1eb/0x5c0
 submit_bio_noacct+0x169/0xd40
 submit_bio+0xee/0x1d0
 blkdev_direct_IO+0x322/0x8a0
 blkdev_write_iter+0x309/0x440
 aio_write+0x139/0x2f0

Since that bios for underlying disks are not allocated yet, fix this
problem by using mempool_free() directly to free the r1_bio.

Fixes: 992db13a4a ("md/raid1: free the r1bio before waiting for blocked rdev")
Cc: stable@vger.kernel.org # v6.6+
Reported-by: Coly Li <colyli@suse.de>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Tested-by: Coly Li <colyli@suse.de>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20240308093726.1047420-1-yukuai1@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2024-04-17 11:19:25 +02:00
..
bcache bcache: avoid NULL checking to c->root in run_cache_set() 2023-12-20 17:01:56 +01:00
persistent-data dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client 2023-06-16 18:24:13 -04:00
Kconfig dm audit: fix Kconfig so DM_AUDIT depends on BLK_DEV_DM 2024-01-20 11:51:45 +01:00
Makefile hardening updates for v5.20-rc1 2022-08-02 14:38:59 -07:00
dm-audit.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c dm: improve hash_locks sizing and hash function 2023-03-30 15:57:51 -04:00
dm-bio-prison-v1.h dm bio prison v1: add dm_cell_key_has_valid_range 2023-03-30 15:57:51 -04:00
dm-bio-prison-v2.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-bio-prison-v2.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-bio-record.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-bufio.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-builtin.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-cache-background-tracker.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-background-tracker.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-block-types.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-cache-metadata.c Revert "mm: shrinkers: convert shrinker_rwsem to mutex" 2023-06-19 13:19:33 -07:00
dm-cache-metadata.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy-internal.h dm: add missing empty lines 2023-02-14 14:23:06 -05:00
dm-cache-policy-smq.c dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-07-25 11:55:50 -04:00
dm-cache-policy.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-cache-policy.h dm: address indent/space issues 2023-02-14 14:23:06 -05:00
dm-cache-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-clone-metadata.c
dm-clone-metadata.h
dm-clone-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-core.h dm: limit the number of targets and parameter size area 2024-02-23 09:25:27 +01:00
dm-crypt.c dm-verity, dm-crypt: align "struct bvec_iter" correctly 2024-03-26 18:19:12 -04:00
dm-delay.c dm-delay: fix a race between delay_presuspend and delay_bio 2023-12-03 07:33:09 +01:00
dm-dust.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-ebs-target.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-era-target.c block: replace fmode_t with a block-specific type for block open flags 2023-06-12 08:04:05 -06:00
dm-exception-store.c dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-exception-store.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-flakey.c dm flakey: introduce random_read_corrupt and random_write_corrupt options 2023-06-16 18:24:13 -04:00
dm-ima.c dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-ima.h dm: avoid inline filenames 2023-02-14 14:23:07 -05:00
dm-init.c dm: open code dm_get_dev_t in dm_init_init 2023-06-05 10:57:40 -06:00
dm-integrity.c dm integrity: fix out-of-range warning 2024-04-10 16:35:45 +02:00
dm-io-rewind.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-io-tracker.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-io.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-ioctl.c dm: limit the number of targets and parameter size area 2024-02-23 09:25:27 +01:00
dm-kcopyd.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-linear.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-log-userspace-base.c dm: avoid void function return statements 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-log-userspace-transfer.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-log-writes.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-log.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-mpath.c dm: push error reporting down to dm_register_target() 2023-04-11 12:01:01 -04:00
dm-mpath.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-path-selector.c dm: adjust EXPORT_SYMBOL() to follow functions immediately 2023-02-14 14:23:07 -05:00
dm-path-selector.h dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-historical-service-time.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-ps-io-affinity.c dm: address space issues relative to switch/while/for/... 2023-02-14 14:23:06 -05:00
dm-ps-queue-length.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-ps-round-robin.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-ps-service-time.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-raid.c dm-raid: fix lockdep waring in "pers->hot_add_disk" 2024-04-03 15:28:26 +02:00
dm-raid1.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-region-hash.c dm: correct block comments format. 2023-02-14 14:23:06 -05:00
dm-rq.c dm: avoid using symbolic permissions 2023-02-14 14:23:07 -05:00
dm-rq.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-snap-persistent.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-snap-transient.c dm: avoid split of quoted strings where possible 2023-02-14 14:23:07 -05:00
dm-snap.c dm snapshot: fix lockup in dm_exception_table_exit 2024-04-03 15:28:37 +02:00
dm-stats.c dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stats.h dm stats: check for and propagate alloc_percpu failure 2023-03-16 13:37:06 -04:00
dm-stripe.c dm: remove unnecessary (void*) conversions 2023-04-11 12:01:01 -04:00
dm-switch.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-sysfs.c dm sysfs: make kobj_type structure constant 2023-02-14 14:23:08 -05:00
dm-table.c dm: limit the number of targets and parameter size area 2024-02-23 09:25:27 +01:00
dm-target.c dm: push error reporting down to dm_register_target() 2023-04-11 12:01:01 -04:00
dm-thin-metadata.c - Update DM crypt to allocate compound pages if possible. 2023-06-30 12:16:00 -07:00
dm-thin-metadata.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-thin.c - Update DM crypt to allocate compound pages if possible. 2023-06-30 12:16:00 -07:00
dm-uevent.c dm: avoid spaces before function arguments or in favour of tabs 2023-02-14 14:23:06 -05:00
dm-uevent.h dm: fix undue/missing spaces 2023-02-14 14:23:06 -05:00
dm-unstripe.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-verity-fec.c dm-verity: align struct dm_verity_fec_io properly 2023-12-08 08:52:16 +01:00
dm-verity-fec.h dm: change "unsigned" to "unsigned int" 2023-02-14 14:23:06 -05:00
dm-verity-loadpin.c dm: verity-loadpin: Add NULL pointer check for 'bdev' parameter 2023-06-28 10:43:04 -07:00
dm-verity-target.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-verity-verify-sig.c dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity-verify-sig.h dm: add missing SPDX-License-Indentifiers 2023-02-14 14:23:06 -05:00
dm-verity.h dm-verity, dm-crypt: align "struct bvec_iter" correctly 2024-03-26 18:19:12 -04:00
dm-writecache.c dm io: Support IO priority 2024-03-26 18:20:13 -04:00
dm-zero.c dm: add helper macro for simple DM target module init and exit 2023-04-11 12:09:08 -04:00
dm-zone.c dm zone: Use the bitmap API to allocate bitmaps 2023-06-16 18:24:13 -04:00
dm-zoned-metadata.c dm: dm-zoned: use __bio_add_page for adding single metadata page 2023-05-31 09:50:02 -06:00
dm-zoned-reclaim.c dm kcopyd: avoid useless atomic operations 2021-06-04 12:07:24 -04:00
dm-zoned-target.c dm zoned: free dmz->ddev array in dmz_put_zoned_devices 2023-09-20 13:48:06 -04:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c dm: call the resume method on internal suspend 2024-03-26 18:19:41 -04:00
dm.h dm: remove stale/redundant dm_internal_{suspend,resume} prototypes in dm.h 2023-06-16 18:24:14 -04:00
md-autodetect.c init: improve the name_to_dev_t interface 2023-06-05 10:56:46 -06:00
md-bitmap.c md/md-bitmap: fix incorrect usage for sb_index 2024-04-03 15:28:21 +02:00
md-bitmap.h md-bitmap: don't use ->index for pages backing the bitmap file 2023-07-27 00:13:29 -07:00
md-cluster.c md: Hold mddev->reconfig_mutex when trying to get mddev->sync_thread 2023-08-15 09:40:26 -07:00
md-cluster.h
md-faulty.c md/md-faulty: enable io accounting 2023-07-27 00:13:30 -07:00
md-linear.c md/md-linear: enable io accounting 2023-07-27 00:13:30 -07:00
md-linear.h
md-multipath.c md/md-multipath: enable io accounting 2023-07-27 00:13:29 -07:00
md-multipath.h
md.c md: Don't clear MD_CLOSING when the raid is about to stop 2024-03-26 18:19:17 -04:00
md.h md: fix warning for holder mismatch from export_rdev() 2023-09-08 13:16:40 -07:00
raid0.c md: raid0: account for split bio in iostat accounting 2023-08-17 21:11:31 -07:00
raid0.h md/raid0: add discard support for the 'original' layout 2023-06-30 15:43:50 -07:00
raid1-10.c md/raid1-10: fix casting from randomized structure in raid1_submit_write() 2023-06-23 09:33:16 -07:00
raid1.c raid1: fix use-after-free for original bio in raid1_write_request() 2024-04-17 11:19:25 +02:00
raid1.h md/raid1: switch to use md_account_bio() for io accounting 2023-07-27 00:13:29 -07:00
raid5-cache.c md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid() 2023-08-15 09:40:27 -07:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md: raid5: use __bio_add_page to add single page to new bio 2023-05-31 09:50:02 -06:00
raid5.c md/raid5: fix atomicity violation in raid5_cache_count 2024-04-03 15:28:22 +02:00
raid5.h hardening updates for v6.5-rc1 2023-06-27 21:24:18 -07:00
raid10.c md: Hold mddev->reconfig_mutex when trying to get mddev->sync_thread 2023-08-15 09:40:26 -07:00
raid10.h md/raid10: switch to use md_account_bio() for io accounting 2023-07-27 00:13:29 -07:00