Hello folks,
We saw a particularly hard-to-reproduce bug in raid1_end_write_request that
we think the attached patch would catch. Now I'm wondering if anybody has seen
anything similar to this before us and is interested in getting a discussion going.
Best regards
--
Chris Eineke <chris.eineke@xxxxxxxxxxxxx>
Wind River
From: Chris Eineke <chris.eineke@xxxxxxxxxxxxx>
We might assume that every passed-in bio is equal to one in the array, but what
if something goes awry? `mirror` ends up being equal to the integer in
conf->raid_disks, and subsequent uses as the index into the conf->mirrors and
r1_bio->bios arrays will result in access to unallocated memory.
Signed-off-by: Chris Eineke <chris.eineke@xxxxxxxxxxxxx>
---
drivers/md/raid1.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -317,10 +317,16 @@ static int raid1_end_write_request(struc
for (mirror = 0; mirror < conf->raid_disks; mirror++)
if (r1_bio->bios[mirror] == bio)
break;
+ /*
+ * It's unlikely that we are passed a non-matching bio, but if it does
+ * happen we at least want to know _that_ it happened.
+ */
+ BUG_ON(unlikely(mirror == conf->raid_disks));
+
if (error == -EOPNOTSUPP && test_bit(R1BIO_Barrier, &r1_bio->state)) {
set_bit(BarriersNotsupp, &conf->mirrors[mirror].rdev->flags);
set_bit(R1BIO_BarrierRetry, &r1_bio->state);
r1_bio->mddev->barriers_work = 0;
/* Don't rdev_dec_pending in this branch - keep it for the retry */
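Review bot: the `unlikely()` wrapped inside `BUG_ON()` on the added line is redundant, since BUG_ON already evaluates its condition under unlikely(); `BUG_ON(mirror == conf->raid_disks);` says the same thing. More importantly, raid1_end_write_request is a bio completion callback, so a BUG_ON here panics the whole machine the moment an unmatched bio shows up, whereas the commit message only asks to know _that_ it happened; consider `WARN_ON_ONCE(mirror == conf->raid_disks)` followed by an early return, which still flags the event but avoids the out-of-range `conf->mirrors[mirror]` and `r1_bio->bios[mirror]` accesses in the lines that follow (the EOPNOTSUPP branch indexes conf->mirrors[mirror] immediately after the check). Also, the hunk header promises 10 lines of old context but only 8 appear, so the tail of this hunk is cut off in the posted patch and could not be reviewed.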