5.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jun 2022 11:20:58 +0000 (13:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jun 2022 11:20:58 +0000 (13:20 +0200)
added patches:
md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
md-fix-double-free-of-io_acct_set-bioset.patch

queue-5.17/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch [new file with mode: 0644]
queue-5.17/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch [new file with mode: 0644]
queue-5.17/md-fix-double-free-of-io_acct_set-bioset.patch [new file with mode: 0644]
queue-5.17/series

diff --git a/queue-5.17/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch b/queue-5.17/md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
new file mode 100644 (file)
index 0000000..2401d81
--- /dev/null
@@ -0,0 +1,38 @@
+From 40f567bbb3b0639d2ec7d1c6ad4b1b018f80cf19 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 27 May 2022 23:28:18 +0800
+Subject: md: bcache: check the return value of kzalloc() in detached_dev_do_request()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+commit 40f567bbb3b0639d2ec7d1c6ad4b1b018f80cf19 upstream.
+
+The function kzalloc() in detached_dev_do_request() can fail, so its
+return value should be checked.
+
+Fixes: bc082a55d25c ("bcache: fix inaccurate io state for detached bcache devices")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20220527152818.27545-4-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/request.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -1107,6 +1107,12 @@ static void detached_dev_do_request(stru
+        * which would call closure_get(&dc->disk.cl)
+        */
+       ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO);
++      if (!ddip) {
++              bio->bi_status = BLK_STS_RESOURCE;
++              bio->bi_end_io(bio);
++              return;
++      }
++
+       ddip->d = d;
+       /* Count on the bcache device */
+       ddip->orig_bdev = orig_bdev;
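Review bot: The new failure branch completes the bio by calling `bio->bi_end_io(bio)` directly instead of going through `bio_endio(bio)`, so the block layer's own completion handling (chained-bio remaining counts, throttling and QoS accounting, tracing) is skipped on this path. Unless the submitter's callback is known to need none of that, the branch would be safer as `bio->bi_status = BLK_STS_RESOURCE;` followed by `bio_endio(bio);`. A one-line comment above the check would also help, for example `/* allocation failed under GFP_NOIO: fail the bio back to the submitter */`, since this turns memory pressure into an I/O error for the caller. The rest of detached_dev_do_request lies outside the hunk, so whether other completion paths in the function use the same direct call cannot be confirmed from here.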
diff --git a/queue-5.17/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch b/queue-5.17/md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
new file mode 100644 (file)
index 0000000..e02ca58
--- /dev/null
@@ -0,0 +1,72 @@
+From 0f2571ad7a30ff6b33cde142439f9378669f8b4f Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Thu, 12 May 2022 17:21:08 +0800
+Subject: md: Don't set mddev private to NULL in raid0 pers->free
+
+From: Xiao Ni <xni@redhat.com>
+
+commit 0f2571ad7a30ff6b33cde142439f9378669f8b4f upstream.
+
+In normal stop process, it does like this:
+   do_md_stop
+      |
+   __md_stop (pers->free(); mddev->private=NULL)
+      |
+   md_free (free mddev)
+__md_stop sets mddev->private to NULL after pers->free. The raid device
+will be stopped and mddev memory is free. But in reshape, it doesn't
+free the mddev and mddev will still be used in new raid.
+
+In reshape, it first sets mddev->private to new_pers and then runs
+old_pers->free(). Now raid0 sets mddev->private to NULL in raid0_free.
+The new raid can't work anymore. It will panic when dereference
+mddev->private because of NULL pointer dereference.
+
+It can panic like this:
+[63010.814972] kernel BUG at drivers/md/raid10.c:928!
+[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1
+[63010.833789] Hardware name: Dell Inc. PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020
+[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]
+[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246
+[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000
+[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800
+[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000
+[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200
+[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003
+[63010.906399] FS:  0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000
+[63010.914485] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0
+[63010.927363] Call Trace:
+[63010.929822]  ? bio_reset+0xe/0x40
+[63010.933144]  ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]
+[63010.938629]  raid10_sync_request+0x756/0x1610 [raid10]
+[63010.943770]  md_do_sync.cold+0x3e4/0x94c
+[63010.947698]  md_thread+0xab/0x160
+[63010.951024]  ? md_write_inc+0x50/0x50
+[63010.954688]  kthread+0x149/0x170
+[63010.957923]  ? set_kthread_struct+0x40/0x40
+[63010.962107]  ret_from_fork+0x22/0x30
+
+Removing the code that sets mddev->private to NULL in raid0 can fix
+problem.
+
+Fixes: 0c031fd37f69 (md: Move alloc/free acct bioset in to personality)
+Reported-by: Fine Fan <ffan@redhat.com>
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid0.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -361,7 +361,6 @@ static void free_conf(struct mddev *mdde
+       kfree(conf->strip_zone);
+       kfree(conf->devlist);
+       kfree(conf);
+-      mddev->private = NULL;
+ }
+ static void raid0_free(struct mddev *mddev, void *priv)
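Review bot: With the assignment removed, free_conf() returns while `mddev->private` may still hold the pointer it just passed to `kfree(conf)`, and nothing in the hunk records that clearing it is now the caller's job. The commit message covers the `__md_stop` path, which resets the pointer after `pers->free`, and the reshape path, where it already points at the new personality's data. Any other caller of free_conf() is not visible here and should be checked, in particular an error path in the run routine if one exists, because a later `pers->free(mddev, mddev->private)` on the stale pointer would free the same conf twice. If such a caller exists, it should clear the pointer itself with `mddev->private = NULL;` right after the free_conf() call. Either way, a comment on free_conf() such as `/* does not clear mddev->private; callers own that pointer */` would make the contract explicit.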
diff --git a/queue-5.17/md-fix-double-free-of-io_acct_set-bioset.patch b/queue-5.17/md-fix-double-free-of-io_acct_set-bioset.patch
new file mode 100644 (file)
index 0000000..d1bf826
--- /dev/null
@@ -0,0 +1,40 @@
+From 42b805af102471f53e3c7867b8c2b502ea4eef7e Mon Sep 17 00:00:00 2001
+From: Xiao Ni <xni@redhat.com>
+Date: Thu, 12 May 2022 17:21:09 +0800
+Subject: md: fix double free of io_acct_set bioset
+
+From: Xiao Ni <xni@redhat.com>
+
+commit 42b805af102471f53e3c7867b8c2b502ea4eef7e upstream.
+
+Now io_acct_set is alloc and free in personality. Remove the codes that
+free io_acct_set in md_free and md_stop.
+
+Fixes: 0c031fd37f69 (md: Move alloc/free acct bioset in to personality)
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5600,8 +5600,6 @@ static void md_free(struct kobject *ko)
+       bioset_exit(&mddev->bio_set);
+       bioset_exit(&mddev->sync_set);
+-      if (mddev->level != 1 && mddev->level != 10)
+-              bioset_exit(&mddev->io_acct_set);
+       kfree(mddev);
+ }
+@@ -6288,8 +6286,6 @@ void md_stop(struct mddev *mddev)
+       __md_stop(mddev);
+       bioset_exit(&mddev->bio_set);
+       bioset_exit(&mddev->sync_set);
+-      if (mddev->level != 1 && mddev->level != 10)
+-              bioset_exit(&mddev->io_acct_set);
+ }
+ EXPORT_SYMBOL_GPL(md_stop);
index 5776ff1a6ca787649435cfc997da8c60195024ed..1afebf4e1b4559b27342a2a1f92a8c13418553fa 100644 (file)
@@ -767,3 +767,6 @@ ext4-only-allow-test_dummy_encryption-when-supported.patch
 fs-add-two-trivial-lookup-helpers.patch
 exportfs-support-idmapped-mounts.patch
 fs-ntfs3-fix-invalid-free-in-log_replay.patch
+md-don-t-set-mddev-private-to-null-in-raid0-pers-free.patch
+md-fix-double-free-of-io_acct_set-bioset.patch
+md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch