If read_seqretry returned true and bbp was changed, it will write
invalid address which can cause some serious problem.
This bug was introduced by commit v3.0-rc7-130-g2699b67.
So fix is suitable for 3.0.y thru 3.6.y.
Reported-by: zhuwenfeng@xxxxxxxxxxx
Tested-by: zhuwenfeng@xxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jianpeng Ma <majianpeng@xxxxxxxxx>
---
drivers/md/md.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 9ab768a..d63aa78 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1805,15 +1805,15 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
md_error(mddev, rdev);
else {
struct badblocks *bb = &rdev->badblocks;
- u64 *bbp = (u64 *)page_address(rdev->bb_page);
u64 *p = bb->page;
sb->feature_map |= cpu_to_le32(MD_FEATURE_BAD_BLOCKS);
if (bb->changed) {
unsigned seq;
+ u64 *bbp;
retry:
+ bbp = (u64 *)page_address(rdev->bb_page);
seq = read_seqbegin(&bb->lock);
-
memset(bbp, 0xff, PAGE_SIZE);
for (i = 0 ; i < bb->count ; i++) {
--
1.7.9.5
?韬{.n?????%??檩??w?{.n???{炳盯w???塄}?财??j:+v??�?�???2??璀??摺?囤??z夸z罐?+?????w棹�f
