On Mon, Nov 11, 2019 at 10:32:43AM -0500, John Pittman wrote:
> Due to unneeded multiplication in the out_free_pages portion of
> r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
> possible to access a resync_pages offset that has not been
> initialized. This access translates into a crash of the system
> within resync_free_pages() while passing a bad pointer to
> put_page(). Remove the multiplication, preventing access to the
> uninitialized area.
>
> Fixes: f0250618361db ("md: raid10: don't use bio's vec table to manage resync pages")
> Signed-off-by: John Pittman <jpittman@xxxxxxxxxx>
> Suggested-by: David Jeffery <djeffery@xxxxxxxxxx>
> ---
>  drivers/md/raid10.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 299c7b1c9718..8a62c920bb65 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -191,7 +191,7 @@ static void * r10buf_pool_alloc(gfp_t gfp_flags, void *data)
>
>  out_free_pages:
>  	while (--j >= 0)
> -		resync_free_pages(&rps[j * 2]);
> +		resync_free_pages(&rps[j]);
>
>  	j = 0;
>  out_free_bio:
> --
> 2.17.2
>

Reviewed-by: Ming Lei <ming.lei@xxxxxxxxxx>

--
Ming
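Review bot: the index change in the out_free_pages loop matches the commit message, but the hunk shows only the cleanup path; the allocation loop that fills rps, and so the per-bio rps[j] indexing this fix relies on, sits outside the visible context. It would help to state in the commit message how rps is indexed for each allocated bio, so a reader can confirm that `while (--j >= 0)` with `resync_free_pages(&rps[j]);` frees exactly the entries that were initialized and no others. Because the old `&rps[j * 2]` steps past the initialized entries on the 3-copy layout and hands an uninitialized pointer to put_page(), this is a stable candidate; consider adding a Cc: stable tag next to the Fixes tag.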