git.ipfire.org Git - thirdparty/kernel/stable-queue.git - releases/4.14.60/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch
From foo@baz Sat Jul 28 10:25:26 CEST 2018
From: Yufen Yu <yuyufen@huawei.com>
Date: Fri, 4 May 2018 18:08:10 +0800
Subject: md: fix NULL dereference of mddev->pers in remove_and_add_spares()

From: Yufen Yu <yuyufen@huawei.com>

[ Upstream commit c42a0e2675721e1444f56e6132a07b7b1ec169ac ]

We met a NULL pointer BUG as follows:

[ 151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0
[ 151.762039] Oops: 0000 [#1] SMP PTI
[ 151.762406] Modules linked in:
[ 151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238
[ 151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
[ 151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0
[ 151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246
[ 151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000
[ 151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000
[ 151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051
[ 151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600
[ 151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000
[ 151.769160] FS: 00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000
[ 151.769971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0
[ 151.771272] Call Trace:
[ 151.771542] md_ioctl+0x1df2/0x1e10
[ 151.771906] ? __switch_to+0x129/0x440
[ 151.772295] ? __schedule+0x244/0x850
[ 151.772672] blkdev_ioctl+0x4bd/0x970
[ 151.773048] block_ioctl+0x39/0x40
[ 151.773402] do_vfs_ioctl+0xa4/0x610
[ 151.773770] ? dput.part.23+0x87/0x100
[ 151.774151] ksys_ioctl+0x70/0x80
[ 151.774493] __x64_sys_ioctl+0x16/0x20
[ 151.774877] do_syscall_64+0x5b/0x180
[ 151.775258] entry_SYSCALL_64_after_hwframe+0x44/0xa9

For raid6, when two disks of the array are offline, two spare disks can
be added into the array. Before the spare disks' recovery completes, the
system reboots and mdadm thinks it is ok to restart the degraded
array by md_ioctl(). Since disks in raid6 are not only_parity(),
raid5_run() will abort when there is no PPL feature or the
'start_dirty_degraded' parameter is not set. Therefore, mddev->pers is NULL.

But mddev->raid_disks has been set and it will not be cleared when
raid5_run() aborts. md_ioctl() can execute cmd 'HOT_REMOVE_DISK' to
remove a disk by mdadm, which will finally cause a NULL pointer
dereference in remove_and_add_spares().

Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/md.c | 3 +++
1 file changed, 3 insertions(+)

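The state sequence the commit message describes, reduced to a small user-space model (an added example written for this page, not kernel code; `mddev`, `raid5_run`, `md_run`, `remove_and_add_spares` and `hot_remove_disk` here are stand-ins that borrow the kernel's names, and the 6-disk/2-missing array is a constructed input). It shows why `raid_disks` alone is not a usable "array is running" test once the personality's run() has failed, and what the patch's `!mddev->pers` guard returns in that state.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the md state involved; constructed for illustration, not the kernel's structs. */
struct md_personality {
	const char *name;
	int max_degraded;          /* raid6 tolerates two missing disks */
};

struct mddev {
	int raid_disks;            /* recorded by md_run() before the personality starts */
	int degraded;              /* number of missing disks */
	int dirty;                 /* array was not cleanly shut down (interrupted recovery) */
	int start_dirty_degraded;  /* the parameter the commit message mentions */
	const struct md_personality *pers;  /* NULL until raid5_run() succeeds */
};

static const struct md_personality raid6_pers = { "raid6", 2 };

/* Models raid5_run(): a dirty, degraded array refuses to start unless start_dirty_degraded is set. */
static int raid5_run(struct mddev *mddev)
{
	if (mddev->degraded > raid6_pers.max_degraded)
		return -EINVAL;
	if (mddev->dirty && mddev->degraded > 0 && !mddev->start_dirty_degraded)
		return -EINVAL;                 /* abort: pers stays NULL */
	mddev->pers = &raid6_pers;
	return 0;
}

/* Models md_run(): raid_disks is set before the personality runs and is NOT cleared on failure. */
static int md_run(struct mddev *mddev, int raid_disks, int degraded, int dirty)
{
	mddev->raid_disks = raid_disks;
	mddev->degraded = degraded;
	mddev->dirty = dirty;
	mddev->pers = NULL;
	return raid5_run(mddev);
}

/* Stand-in for the part of remove_and_add_spares() that dereferences mddev->pers. */
static int remove_and_add_spares(struct mddev *mddev)
{
	return mddev->pers->max_degraded - mddev->degraded;  /* spares that could still be added */
}

/* HOT_REMOVE_DISK handler with the guard from the patch: refuse when no personality is attached. */
static int hot_remove_disk(struct mddev *mddev)
{
	if (!mddev->pers)
		return -ENODEV;
	return remove_and_add_spares(mddev);
}

/* The commit's scenario: two disks missing, unclean shutdown, start_dirty_degraded off. */
static int scenario_degraded_dirty(void)
{
	struct mddev m = { 0 };
	if (md_run(&m, 6, 2, 1) != -EINVAL)
		return -1;
	if (m.raid_disks != 6 || m.pers != NULL)
		return -2;                      /* raid_disks stays set while pers is NULL */
	return hot_remove_disk(&m);         /* -ENODEV with the guard; a NULL dereference without it */
}

/* Same array with start_dirty_degraded set: the run succeeds and the remove path is reachable. */
static int scenario_forced_start(void)
{
	struct mddev m = { 0 };
	m.start_dirty_degraded = 1;
	if (md_run(&m, 6, 2, 1) != 0)
		return -1;
	return hot_remove_disk(&m);         /* 0: two spares already account for the two missing disks */
}

int main(void)
{
	printf("degraded+dirty, no force: HOT_REMOVE_DISK -> %d (-ENODEV is %d)\n",
	       scenario_degraded_dirty(), -ENODEV);
	printf("forced start:             HOT_REMOVE_DISK -> %d\n", scenario_forced_start());
	return 0;
}
```

The point of the model is the order of assignments in `md_run()`: `raid_disks` is populated before the personality is consulted, so after a failed start the only field that reliably says "this array is not running" is `pers`, which is exactly what the patch tests.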
61 --- a/drivers/md/md.c
62 +++ b/drivers/md/md.c
63 @@ -6498,6 +6498,9 @@ static int hot_remove_disk(struct mddev
64 char b[BDEVNAME_SIZE];
65 struct md_rdev *rdev;
66
67 + if (!mddev->pers)
68 + return -ENODEV;
69 +
70 rdev = find_rdev(mddev, dev);
71 if (!rdev)
72 return -ENXIO;
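Review bot: the new `if (!mddev->pers) return -ENODEV;` at the top of hot_remove_disk() has no comment saying how pers can be NULL while the ioctl is still reachable (per the commit message: raid5_run() aborting after mddev->raid_disks was already set); a one-line comment above the check would spare the next reader a trip through the history. It is also a point fix: the root cause the message names, raid_disks not being cleared when the personality fails to start, is left as is, so any other md_ioctl() command that reaches remove_and_add_spares() with pers == NULL would need the same guard; the message should say whether hot_remove_disk() is the only such path. Returning -ENODEV for "array not running" while the missing-rdev case a few lines below returns -ENXIO is fine, since userspace can distinguish the two.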