From patchwork Tue Feb 21 13:55:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Kuai X-Patchwork-Id: 60087 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp12277wrd; Tue, 21 Feb 2023 05:38:06 -0800 (PST) X-Google-Smtp-Source: AK7set+McBkpm8+s2i7774TPORFE5fhRfDgVNeJIhW+4L8GPdFlw4QbM2nqVDa9MNfk4jk3kZZWG X-Received: by 2002:a05:6a20:3c8f:b0:bc:b8d:9eab with SMTP id b15-20020a056a203c8f00b000bc0b8d9eabmr15468679pzj.24.1676986686584; Tue, 21 Feb 2023 05:38:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676986686; cv=none; d=google.com; s=arc-20160816; b=x3zMzgvKfer3n9SAgcn6TXMpPrlN6IkblIIL+znyyPXemDt41GqxtoWDORDi/QyXlB POVr1Lrzm5pOBuGwec/SlVXEwuQqxryeUKtnZpT5dnqN6ZslUGjfLPXRgls+3z713BWN juGVe+fBcm5S6vhHzPMrMTpty8EDZ4kzSIYKb2K7PM4IhR901lcU4R1pWAztd7NppLGF QqBx4882Q9J5QZQpPGLmfVZdatPN4+cNIDbie0yn8drlVjeMIl1zO+Usd7CmCq5bwLDk ipBZ9XRtJ/+lQVAJo3bfahMR8LOewC7zb806pSDvo7Cesid6w+1dEPLxwbb7dXxRRINH ZyMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=8o3BH+VBRNNwEuzpZKArq06cj5vz4QS1RAzrzLNK9zk=; b=MAJEhmbgKq8xIt7aEpBOMgtBmOF/8/rELjZ3dZDoU8zdNw2gL1KC3+ypDWMLA6FdQa wlfsRyJwfnlmavyiDrRezqcDBm+lAgi3L6k/yLM4cDbq84TX13HzFTH9JEL7Pk2nleQd bK0GQ9gB2uTnf1rhF/LSh/lzUxFi/2n0Bqayzv9+2pGPcjXUDSqQ4RiYnfKW0MDo9C9F +BOqn1ywRrFBxqgp/2PXtU/tNqKAHWEj20YagoBRD+ReR/FXOBesjFnH85V4Lf/amkQ1 880dbWKmWv3Z3xdF5Fp83Yyg5DC10NgndnL1Sy+Ln1ZNvo8b/3LK2SWL2jKGF+y4EKPD OXKA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h184-20020a6383c1000000b004fba07a634dsi3991740pge.66.2023.02.21.05.37.23; Tue, 21 Feb 2023 05:38:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234052AbjBUNbw (ORCPT + 99 others); Tue, 21 Feb 2023 08:31:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233863AbjBUNbm (ORCPT ); Tue, 21 Feb 2023 08:31:42 -0500 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F4E129146; Tue, 21 Feb 2023 05:31:40 -0800 (PST) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4PLgDQ2VZ6z4f3nTR; Tue, 21 Feb 2023 21:31:34 +0800 (CST) Received: from huaweicloud.com (unknown [10.175.127.227]) by APP3 (Coremail) with SMTP id _Ch0CgBnFCK2x_RjDVvKDg--.7628S4; Tue, 21 Feb 2023 21:31:36 +0800 (CST) From: Yu Kuai To: song@kernel.org, xni@redhat.com Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com, yukuai1@huaweicloud.com, yi.zhang@huawei.com, yangerkun@huawei.com Subject: [PATCH] md: fix null-ptr-deference in md_free_disk() Date: Tue, 21 Feb 2023 21:55:06 +0800 Message-Id: <20230221135506.296074-1-yukuai1@huaweicloud.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-CM-TRANSID: _Ch0CgBnFCK2x_RjDVvKDg--.7628S4 X-Coremail-Antispam: 1UD129KBjvJXoW7tw15AFykZw18Kr4kKw17ZFb_yoW8ZFW7pa yxWas8Kr48XrW5Kw47Xr109as5Xa1qyFy8Kryfur1fAa1Sk390q3WakF109F98GrWrAwn8 W3WFqa90qF1DCw7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUyG14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j 6r4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0 I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r 4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwCF04k20xvY0x0EwIxG rwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4 vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IY x2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26c xKx2IYs7xG6rW3Jr0E3s1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x02 67AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUbXdbUUUUUU== X-CM-SenderInfo: 51xn3trlr6x35dzhxuhorxvhhfrp/ X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1758447992262453139?= X-GMAIL-MSGID: =?utf-8?q?1758447992262453139?= From: Yu Kuai If md_run() failed after 'acitive_io' is initialized, then percpu_ref_exit() is called in error path, however, later md_free_disk() will call percpu_ref_exit() again, which lead to following null-ptr-deference: BUG: kernel NULL pointer dereference, address: 0000000000000038 Oops: 0000 [#1] PREEMPT SMP CPU: 41 PID: 585 Comm: kworker/41:1 Not tainted 6.2.0-rc8-next-20230220 #1452 Workqueue: md_misc mddev_delayed_delete RIP: 0010:free_percpu+0x110/0x630 Call Trace: __percpu_ref_exit+0x44/0x70 percpu_ref_exit+0x16/0x90 md_free_disk+0x2f/0x80 disk_release+0x101/0x180 device_release+0x84/0x110 kobject_put+0x12a/0x380 kobject_put+0x160/0x380 mddev_delayed_delete+0x19/0x30 process_one_work+0x269/0x680 worker_thread+0x266/0x640 kthread+0x151/0x1b0 ret_from_fork+0x1f/0x30 Since freeing mddev will exit 'active_io' unconditionally, fix the problem by removing exiting 'active_io' from error path, this way it will be delayed to free mddev. Fixes: 72adae23a72c ("md: Change active_io to percpu") Signed-off-by: Yu Kuai Tested-by: Yu Kuai --- drivers/md/md.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index 927a43db5dfb..77124679b3fd 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5851,7 +5851,7 @@ int md_run(struct mddev *mddev) if (!bioset_initialized(&mddev->bio_set)) { err = bioset_init(&mddev->bio_set, BIO_POOL_SIZE, 0, BIOSET_NEED_BVECS); if (err) - goto exit_active_io; + return err; } if (!bioset_initialized(&mddev->sync_set)) { err = bioset_init(&mddev->sync_set, BIO_POOL_SIZE, 0, BIOSET_NEED_BVECS); @@ -6039,8 +6039,6 @@ int md_run(struct mddev *mddev) bioset_exit(&mddev->sync_set); exit_bio_set: bioset_exit(&mddev->bio_set); -exit_active_io: - percpu_ref_exit(&mddev->active_io); return err; } EXPORT_SYMBOL_GPL(md_run);