From: Mikulas Patocka <mpatocka@redhat.com>
Date: Sun, 24 Jul 2022 14:26:12 -0400
Subject: [PATCH] md-raid: destroy the bitmap after destroying the thread
Git-commit: e151db8ecfb019b7da31d076130a794574c89f6f
Patch-mainline: v6.0
References: git-fixes

When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with
kasan, we got failure in write_page.

The reason for the failure is that md_bitmap_destroy is called before
destroying the thread and the thread may be waiting in the function
write_page for the bio to complete. When the thread finishes waiting, it
executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which
triggers the kasan warning.

Note that the commit 48df498daf62 that caused this bug claims that it is
needed for md-cluster, you should check md-cluster and possibly find
another bugfix for it.

Bug: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod]
Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539

Cpu: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x45/0x57a
? __lock_text_start+0x18/0x18
? write_page+0x18d/0x680 [md_mod]
kasan_report+0xa8/0xe0
? write_page+0x18d/0x680 [md_mod]
kasan_check_range+0x13f/0x180
write_page+0x18d/0x680 [md_mod]
? super_sync+0x4d5/0x560 [dm_raid]
? md_bitmap_file_kick+0xa0/0xa0 [md_mod]
? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid]
? mutex_trylock+0x120/0x120
? preempt_count_add+0x6b/0xc0
? preempt_count_sub+0xf/0xc0
md_update_sb+0x707/0xe40 [md_mod]
md_reap_sync_thread+0x1b2/0x4a0 [md_mod]
md_check_recovery+0x533/0x960 [md_mod]
raid1d+0xc8/0x2a20 [raid1]
? var_wake_function+0xe0/0xe0
? psi_group_change+0x411/0x500
? preempt_count_sub+0xf/0xc0
? _raw_spin_lock_irqsave+0x78/0xc0
? __lock_text_start+0x18/0x18
? raid1_end_read_request+0x2a0/0x2a0 [raid1]
? preempt_count_sub+0xf/0xc0
? _raw_spin_unlock_irqrestore+0x19/0x40
? del_timer_sync+0xa9/0x100
? try_to_del_timer_sync+0xc0/0xc0
? _raw_spin_lock_irqsave+0x78/0xc0
? __lock_text_start+0x18/0x18
? __list_del_entry_valid+0x68/0xa0
? finish_wait+0xa3/0x100
md_thread+0x161/0x260 [md_mod]
? unregister_md_personality+0xa0/0xa0 [md_mod]
? _raw_spin_lock_irqsave+0x78/0xc0
? prepare_to_wait_event+0x2c0/0x2c0
? unregister_md_personality+0xa0/0xa0 [md_mod]
kthread+0x148/0x180
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
</TASK>

Allocated by task 5522:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x80/0xa0
md_bitmap_create+0xa8/0xe80 [md_mod]
md_run+0x777/0x1300 [md_mod]
raid_ctr+0x249c/0x4a30 [dm_raid]
dm_table_add_target+0x2b0/0x620 [dm_mod]
table_load+0x1c8/0x400 [dm_mod]
ctl_ioctl+0x29e/0x560 [dm_mod]
dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
__do_compat_sys_ioctl+0xfa/0x160
do_syscall_64+0x90/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 5680:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x40
kasan_set_free_info+0x20/0x40
__kasan_slab_free+0xf7/0x140
kfree+0x80/0x240
md_bitmap_free+0x1c3/0x280 [md_mod]
__md_stop+0x21/0x120 [md_mod]
md_stop+0x9/0x40 [md_mod]
raid_dtr+0x1b/0x40 [dm_raid]
dm_table_destroy+0x98/0x1e0 [dm_mod]
__dm_destroy+0x199/0x360 [dm_mod]
dev_remove+0x10c/0x160 [dm_mod]
ctl_ioctl+0x29e/0x560 [dm_mod]
dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
__do_compat_sys_ioctl+0xfa/0x160
do_syscall_64+0x90/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop")
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Acked-by: NeilBrown <neilb@suse.com>

---
drivers/md/md.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6111,10 +6111,10 @@ static void mddev_detach(struct mddev *m
static void __md_stop(struct mddev *mddev)
{
struct md_personality *pers = mddev->pers;
- md_bitmap_destroy(mddev);
mddev_detach(mddev);
/* Ensure ->event_work is done */
flush_workqueue(md_misc_wq);
+ md_bitmap_destroy(mddev);
spin_lock(&mddev->lock);
mddev->pers = NULL;
spin_unlock(&mddev->lock);
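
Review bot: the relocated md_bitmap_destroy(mddev) call in __md_stop has no comment recording the ordering constraint, even though this ordering has now been changed twice (48df498daf62 moved the call to the top of the function, this hunk moves it back below mddev_detach() and flush_workqueue()). A one-line comment above the new call, saying the bitmap may only be freed once the md thread can no longer be waiting in write_page, would keep a later cleanup from reordering it again and reintroducing the use-after-free shown in the KASAN report. The hunk also does not show which of the two preceding calls actually stops the thread, so the comment should name it. The changelog leaves open the md-cluster case that motivated 48df498daf62; it should say whether md-cluster was retested with this ordering or record it as a known follow-up.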