On Fri, Nov 16, 2012 at 8:04 AM, Sebastian Riemer
<sebastian.riemer@xxxxxxxxxxxxxxxx> wrote:
> If hot adding a disk not as spare but at the same slot, the disk isn't added
> correctly in the pers and it is possible to cause a kernel panic/oops due to
> the invalid pointer to the old rdev in the pers. So hot remove the disk from
> the personality before removing it from the array.
>
> Tested with raid1.
>
> Signed-off-by: Sebastian Riemer <sebastian.riemer@xxxxxxxxxxxxxxxx>
> ---
> drivers/md/md.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 9ab768a..1fc545b 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5852,6 +5852,7 @@ static int hot_remove_disk(struct mddev * mddev, dev_t dev)
> {
> char b[BDEVNAME_SIZE];
> struct md_rdev *rdev;
> + int err;
>
> rdev = find_rdev(mddev, dev);
> if (!rdev)
> @@ -5860,6 +5861,12 @@ static int hot_remove_disk(struct mddev * mddev, dev_t dev)
> if (rdev->raid_disk >= 0)
> goto busy;
>
> + if (mddev->pers && mddev->pers->hot_remove_disk) {
> + err = mddev->pers->hot_remove_disk(mddev, rdev);
> + if (err)
> + return err;
> + sysfs_unlink_rdev(mddev, rdev);
> + }
Hmm, how are you getting ->raid_disk set to -1 without the personality
being notified? That seems to be the source of the bug. Otherwise it
would seem the state_store("remove") path is also susceptible.
--
Dan
--
To unsubscribe from this list: send the line "unsubscribe linux-raid" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
