Re: [PATCH] md/raid10: prevent access of uninitialized resync_pages offset

On Mon, 2019-11-11 at 10:32 -0500, John Pittman wrote:
> Due to unneeded multiplication in the out_free_pages portion of
> r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
> possible to access a resync_pages offset that has not been
> initialized.  This access translates into a crash of the system
> within resync_free_pages() while passing a bad pointer to
> put_page().  Remove the multiplication, preventing access to the
> uninitialized area.
> 
> Fixes: f0250618361db ("md: raid10: don't use bio's vec table to
> manage resync pages")
> Signed-off-by: John Pittman <jpittman@xxxxxxxxxx>
> Suggested-by: David Jeffery <djeffery@xxxxxxxxxx>
> ---
>  drivers/md/raid10.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 299c7b1c9718..8a62c920bb65 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -191,7 +191,7 @@ static void * r10buf_pool_alloc(gfp_t gfp_flags,
> void *data)
>  
>  out_free_pages:
>  	while (--j >= 0)
> -		resync_free_pages(&rps[j * 2]);
> +		resync_free_pages(&rps[j]);
>  
>  	j = 0;
>  out_free_bio:
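
Review bot: The unwind at out_free_pages now frees &rps[j] for each j below the failure point, but neither the hunk nor the commit message shows how rps is indexed on the allocation side, so a reader cannot confirm from the patch that the free loop mirrors the allocation loop. The commit message should state the stride used when rps entries are set up and why "j * 2" was wrong for it, since with the old index any j >= 1 reads an entry beyond position j, which is consistent with the uninitialized access described. Given that the message reports a system crash and carries a Fixes: tag, consider adding a stable tag as well.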

This was reproduced and tested multiple times by John in the Red Hat
Lab and tested by the customer. Thanks David and John.
Reviewed-by: Laurence Oberman <loberman@xxxxxxxxxx>