Mikulas Patocka
97ce99984b
md: fix a crash in mempool_free
commit 341097ee53573e06ab9fc675d96a052385b851fa upstream.
There's a crash in mempool_free when running the lvm test
shell/lvchange-rebuild-raid.sh.
The reason for the crash is this:
* super_written calls atomic_dec_and_test(&mddev->pending_writes) and
wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)
and bio_put(bio).
* so, the process that waited on sb_wait and that is woken up is racing
with bio_put(bio).
* if the process wins the race, it calls bioset_exit before bio_put(bio)
is executed.
* bio_put(bio) attempts to free a bio into a destroyed bio set - causing
a crash in mempool_free.
We fix this bug by moving bio_put before atomic_dec_and_test.
We also move rdev_dec_pending before atomic_dec_and_test as suggested by
Neil Brown.
The function md_end_flush has a similar bug - we must call bio_put before
we decrement the number of in-progress bios.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 11557f0067 P4D 11557f0067 PUD 0
Oops: 0002 [#1 ] PREEMPT SMP
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Workqueue: kdelayd flush_expired_bios [dm_delay]
RIP: 0010:mempool_free+0x47/0x80
Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00
RSP: 0018:ffff88910036bda8 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8
RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900
R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000
R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05
FS: 0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0
Call Trace:
<TASK>
clone_endio+0xf4/0x1c0 [dm_mod]
clone_endio+0xf4/0x1c0 [dm_mod]
__submit_bio+0x76/0x120
submit_bio_noacct_nocheck+0xb6/0x2a0
flush_expired_bios+0x28/0x2f [dm_delay]
process_one_work+0x1b4/0x300
worker_thread+0x45/0x3e0
? rescuer_thread+0x380/0x380
kthread+0xc2/0x100
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-04 11:29:01 +01:00
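The ordering bug described above, as an added example that is not part of this commit or of the kernel source: a deterministic user-space model in which the process waiting on sb_wait always runs right after the wake-up (the "waiter wins the race" case), so the pre-fix order frees the bio into an already torn-down bio set while the fixed order does not. All struct and function names here are simplified stand-ins for the kernel objects named in the message.

```c
/* Added example: model of the super_written ordering fixed by this commit.
 * mempool_free is modelled to return an error instead of dereferencing NULL. */
#include <stdbool.h>
#include <stdio.h>

struct bio_set { bool destroyed; int free_bios; };
struct mddev   { int pending_writes; struct bio_set *bs; };

/* The process woken on sb_wait: once pending_writes hits 0 it calls bioset_exit. */
static void waiter_runs(struct mddev *m) {
    if (m->pending_writes == 0)
        m->bs->destroyed = true;            /* bioset_exit */
}

/* bio_put -> mempool_free: the real kernel oopsed here when the set was gone. */
static bool bio_put(struct mddev *m) {
    if (m->bs->destroyed)
        return false;                       /* would be the NULL deref in mempool_free */
    m->bs->free_bios++;
    return true;
}

/* atomic_dec_and_test + wake_up, with the waiter scheduled immediately after. */
static void dec_and_wake(struct mddev *m) {
    m->pending_writes--;
    waiter_runs(m);                         /* the woken process wins the race */
}

/* Pre-fix order: wake the waiter first, then drop the bio. */
bool super_written_buggy(struct mddev *m) {
    dec_and_wake(m);
    return bio_put(m);
}

/* Fixed order (commit 341097ee5357): bio_put before atomic_dec_and_test. */
bool super_written_fixed(struct mddev *m) {
    bool ok = bio_put(m);
    dec_and_wake(m);
    return ok;
}

/* Drives one superblock write completion through the chosen ordering. */
bool run_scenario(bool fixed) {
    struct bio_set bs = { .destroyed = false, .free_bios = 0 };
    struct mddev m = { .pending_writes = 1, .bs = &bs };
    return fixed ? super_written_fixed(&m) : super_written_buggy(&m);
}

int main(void) {
    printf("pre-fix order: %s\n", run_scenario(false) ? "ok" : "bio_put into destroyed bio set");
    printf("fixed order:   %s\n", run_scenario(true)  ? "ok" : "bio_put into destroyed bio set");
    return 0;
}
```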