iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7b1aae1aee
linux/drivers/md
History
Mikulas Patocka d17f744e88 md-raid10: fix KASAN warning 
There's a KASAN warning in raid10_remove_disk when running the lvm
test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
value "number" is valid.

BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682

CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x45/0x57a
 ? __lock_text_start+0x18/0x18
 ? raid10_remove_disk+0x61/0x2a0 [raid10]
 kasan_report+0xa8/0xe0
 ? raid10_remove_disk+0x61/0x2a0 [raid10]
 raid10_remove_disk+0x61/0x2a0 [raid10]
Buffer I/O error on dev dm-76, logical block 15344, async page read
 ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
 remove_and_add_spares+0x367/0x8a0 [md_mod]
 ? super_written+0x1c0/0x1c0 [md_mod]
 ? mutex_trylock+0xac/0x120
 ? _raw_spin_lock+0x72/0xc0
 ? _raw_spin_lock_bh+0xc0/0xc0
 md_check_recovery+0x848/0x960 [md_mod]
 raid10d+0xcf/0x3360 [raid10]
 ? sched_clock_cpu+0x185/0x1a0
 ? rb_erase+0x4d4/0x620
 ? var_wake_function+0xe0/0xe0
 ? psi_group_change+0x411/0x500
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? raid10_sync_request+0x36c0/0x36c0 [raid10]
 ? preempt_count_sub+0xf/0xc0
 ? _raw_spin_unlock_irqrestore+0x19/0x40
 ? del_timer_sync+0xa9/0x100
 ? try_to_del_timer_sync+0xc0/0xc0
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? __lock_text_start+0x18/0x18
 ? _raw_spin_unlock_irq+0x11/0x24
 ? __list_del_entry_valid+0x68/0xa0
 ? finish_wait+0xa3/0x100
 md_thread+0x161/0x260 [md_mod]
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 ? _raw_spin_lock_irqsave+0x78/0xc0
 ? prepare_to_wait_event+0x2c0/0x2c0
 ? unregister_md_personality+0xa0/0xa0 [md_mod]
 kthread+0x148/0x180
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 124495:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x80/0xa0
 setup_conf+0x140/0x5c0 [raid10]
 raid10_run+0x4cd/0x740 [raid10]
 md_run+0x6f9/0x1300 [md_mod]
 raid_ctr+0x2531/0x4ac0 [dm_raid]
 dm_table_add_target+0x2b0/0x620 [dm_mod]
 table_load+0x1c8/0x400 [dm_mod]
 ctl_ioctl+0x29e/0x560 [dm_mod]
 dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
 __do_compat_sys_ioctl+0xfa/0x160
 do_syscall_64+0x90/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x9e/0xc0
 kvfree_call_rcu+0x84/0x480
 timerfd_release+0x82/0x140
L __fput+0xfa/0x400
 task_work_run+0x80/0xc0
 exit_to_user_mode_prepare+0x155/0x160
 syscall_exit_to_user_mode+0x12/0x40
 do_syscall_64+0x42/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x9e/0xc0
 kvfree_call_rcu+0x84/0x480
 timerfd_release+0x82/0x140
 __fput+0xfa/0x400
 task_work_run+0x80/0xc0
 exit_to_user_mode_prepare+0x155/0x160
 syscall_exit_to_user_mode+0x12/0x40
 do_syscall_64+0x42/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff889108f3d200
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
 256-byte region [ffff889108f3d200, ffff889108f3d300)

The buggy address belongs to the physical page:
page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=2)
raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-08-02 17:22:46 -06:00
..
bcache bcache: remove EXPERIMENTAL for Kconfig option 'Asynchronous device registration' 2022-08-02 17:22:41 -06:00
persistent-data dm space map common: add bounds check to sm_ll_lookup_bitmap() 2022-01-04 13:58:19 -05:00
dm-audit.c dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c
dm-bio-prison-v1.h
dm-bio-prison-v2.c
dm-bio-prison-v2.h
dm-bio-record.h block: move integrity handling out of <linux/blkdev.h> 2021-10-18 06:17:02 -06:00
dm-bufio.c dm/core: Combine request operation type and flags 2022-07-14 12:14:31 -06:00
dm-builtin.c
dm-cache-background-tracker.c
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm cache metadata: remove unnecessary variable in __dump_mapping 2022-05-09 15:40:10 -04:00
dm-cache-metadata.h dm cache: fix typo in 2 comment blocks 2022-07-07 11:49:37 -04:00
dm-cache-policy-internal.h
dm-cache-policy-smq.c dm cache policy smq: make static read-only array table const 2022-02-22 10:35:53 -05:00
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c dm cache: fix typo in 2 comment blocks 2022-07-07 11:49:37 -04:00
dm-clone-metadata.c
dm-clone-metadata.h
dm-clone-target.c block: remove QUEUE_FLAG_DISCARD 2022-04-17 19:49:59 -06:00
dm-core.h dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
dm-crypt.c dm crypt: make printing of the key constant-time 2022-05-09 12:34:03 -04:00
dm-delay.c dm: simplify basic targets 2022-05-05 17:31:35 -04:00
dm-dust.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-ebs-target.c dm/ebs: Change 'int rw' into 'enum req_op op' 2022-07-14 12:14:31 -06:00
dm-era-target.c dm era: commit metadata in postsuspend after worker stops 2022-06-21 13:35:01 -04:00
dm-exception-store.c
dm-exception-store.h dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-flakey.c dm/dm-flakey: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
dm-ima.c dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
dm-ima.h dm ima: add version info to dm related events in ima log 2021-08-20 15:59:47 -04:00
dm-init.c
dm-integrity.c dm/dm-integrity: Combine request operation and flags 2022-07-14 12:14:31 -06:00
dm-io-rewind.c dm: add two stage requeue mechanism 2022-07-07 11:49:32 -04:00
dm-io-tracker.h
dm-io.c dm/core: Combine request operation type and flags 2022-07-14 12:14:31 -06:00
dm-ioctl.c dm table: remove dm_table_get_num_targets() wrapper 2022-07-07 11:49:33 -04:00
dm-kcopyd.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-linear.c libnvdimm for 5.19 2022-05-27 15:49:30 -07:00
dm-log-userspace-base.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c libnvdimm for 5.19 2022-05-27 15:49:30 -07:00
dm-log.c dm mirror log: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
dm-mpath.c dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-ps-historical-service-time.c dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-ps-io-affinity.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-queue-length.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-round-robin.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-service-time.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-raid1.c dm/core: Reduce the size of struct dm_io_request 2022-07-14 12:14:31 -06:00
dm-raid.c md: unlock mddev before reap sync_thread in action_store 2022-08-02 17:14:40 -06:00
dm-region-hash.c
dm-rq.c dm: unexport dm_get_reserved_rq_based_ios 2022-06-29 12:46:05 -04:00
dm-rq.h
dm-snap-persistent.c dm-snap: Combine request operation type and flags 2022-07-14 12:14:31 -06:00
dm-snap-transient.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-snap.c dm snapshot: fix typo in snapshot_map() comment 2022-07-07 11:49:39 -04:00
dm-stats.c dm stats: add cond_resched when looping over entries 2022-05-09 12:11:07 -04:00
dm-stats.h dm stats: fix too short end duration_ns when using precise_timestamps 2022-02-21 15:35:39 -05:00
dm-stripe.c dax: add .recovery_write dax_operation 2022-05-16 13:37:59 -07:00
dm-switch.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-sysfs.c dm sysfs: use default_groups in kobj_type 2022-01-06 09:48:55 -05:00
dm-table.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-target.c dax: introduce DAX_RECOVERY_WRITE dax access mode 2022-05-16 13:35:56 -07:00
dm-thin-metadata.c dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-07-15 18:09:14 -04:00
dm-thin-metadata.h dm thin metadata: remove unused dm_thin_remove_block and __remove 2022-02-22 13:55:50 -05:00
dm-thin.c dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-07-15 18:09:14 -04:00
dm-uevent.c
dm-uevent.h
dm-unstripe.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-verity-fec.c
dm-verity-fec.h
dm-verity-target.c dm verity: fix checkpatch close brace error 2022-07-07 11:49:36 -04:00
dm-verity-verify-sig.c
dm-verity-verify-sig.h
dm-verity.h
dm-writecache.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-zero.c
dm-zone.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-zoned-metadata.c dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm-zoned-reclaim.c
dm-zoned-target.c dm-zoned: cleanup dmz_fixup_devices 2022-07-06 06:46:26 -06:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm.h dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
Kconfig blk-mq: make the blk-mq stacking code optional 2022-02-16 19:39:09 -07:00
Makefile dm: add dm_bio_rewind() API to DM core 2022-07-07 11:26:55 -04:00
md-autodetect.c md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
md-bitmap.c fs/buffer: Combine two submit_bh() and ll_rw_block() arguments 2022-07-14 12:14:32 -06:00
md-bitmap.h
md-cluster.c md: Fix spelling mistake in comments 2022-08-02 17:14:44 -06:00
md-cluster.h
md-faulty.c block: pass a block_device to bio_clone_fast 2022-02-04 07:43:18 -07:00
md-linear.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-linear.h
md-multipath.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-multipath.h
md.c md-raid: destroy the bitmap after destroying the thread 2022-08-02 17:22:46 -06:00
md.h md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
raid0.c md: Don't set mddev private to NULL in raid0 pers->free 2022-05-22 23:07:21 -07:00
raid0.h
raid1-10.c md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid1.c md/raid1: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
raid1.h md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid5-cache.c md/raid5-cache: Annotate pslot with __rcu notation 2022-08-02 17:14:32 -06:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5.c raid5: fix duplicate checks for rdev->saved_raid_disk 2022-08-02 17:22:46 -06:00
raid5.h md/raid5: Add __rcu annotation to struct disk_info 2022-04-25 14:00:36 -07:00
raid10.c md-raid10: fix KASAN warning 2022-08-02 17:22:46 -06:00
raid10.h md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00