On Mon, Nov 11, 2019 at 8:46 AM Laurence Oberman <loberman@xxxxxxxxxx> wrote:
>
> On Mon, 2019-11-11 at 10:32 -0500, John Pittman wrote:
> > Due to unneeded multiplication in the out_free_pages portion of
> > r10buf_pool_alloc(), when using a 3-copy raid10 layout, it is
> > possible to access a resync_pages offset that has not been
> > initialized. This access translates into a crash of the system
> > within resync_free_pages() while passing a bad pointer to
> > put_page(). Remove the multiplication, preventing access to the
> > uninitialized area.
> >
> > Fixes: f0250618361db ("md: raid10: don't use bio's vec table to
> > manage resync pages")
> > Signed-off-by: John Pittman <jpittman@xxxxxxxxxx>
> > Suggested-by: David Jeffery <djeffery@xxxxxxxxxx>
> > ---
> > drivers/md/raid10.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index 299c7b1c9718..8a62c920bb65 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -191,7 +191,7 @@ static void * r10buf_pool_alloc(gfp_t gfp_flags,
> > void *data)
> >
> > out_free_pages:
> > while (--j >= 0)
> > - resync_free_pages(&rps[j * 2]);
> > + resync_free_pages(&rps[j]);
> >
> > j = 0;
> > out_free_bio:
>
> This was reproduced and tested multiple times by John in the Red Hat
> Lab and tested by the customer. Thanks David and John.
> Reviewed-by: Laurence Oberman <loberman@xxxxxxxxxx>

Applied to md-next. Thanks for the fix!

Song
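Review bot: the corrected index is only right as long as the allocation loop above out_free_pages fills rps[] one entry per copy, and that loop is not in the hunk's context, so I would put a one-line comment above the while (--j >= 0) (something like "rps[j] pairs with devs[j].bio; free only the entries the loop above initialised") or say in the commit message that the allocation loop indexes rps[j] directly, so the pairing is reviewable from the patch alone. For the record of what the removed line did: if j is the index whose resync_alloc_pages() call failed, as the commit message implies, then with three copies the first iteration of the old loop lands on rps[2], the very entry that was never initialised, and rps[1] is skipped entirely, so the old code both handed garbage to put_page() and leaked the pages of the middle entry; the new &rps[j] walks back over exactly the entries that were set up. It is also worth stating in the commit message that this is reached on an allocation failure, i.e. under memory pressure, so nothing beyond a 3-copy layout is needed to hit it.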
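The commit message describes a cleanup loop whose indexing no longer mirrors the allocation loop it unwinds. The following is an added example written for this page, not code from the kernel or from the patch author: it models the rps[] array and the out_free_pages loop with stand-in names (sim_resync_pages, sim_alloc_pages, sim_free_pages_checked, a constructed SIM_RESYNC_PAGES of 4, and a stride parameter that plays the role of the old "* 2" versus the fixed "* 1"), and replaces the crash in put_page() with a bounds and state check so the bad access can be counted. It goes slightly beyond the 3-copy case in the thread by also running a 4-copy layout, where the old stride walks off the end of the array.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed page count per entry; a stand-in, not the kernel's RESYNC_PAGES. */
#define SIM_RESYNC_PAGES 4

/* Stand-in for struct resync_pages. The kernel's array comes from
 * kmalloc_array() and carries no "initialised" flag, which is why an entry
 * that was never set up holds garbage rather than NULLs; the flag here lets
 * the simulation detect that case instead of crashing. */
struct sim_resync_pages {
    void *pages[SIM_RESYNC_PAGES];
    int initialised;
};

struct cleanup_stats {
    int freed;        /* entries released by the cleanup loop */
    int bad_accesses; /* frees aimed at an out-of-range or uninitialised entry */
    int leaked;       /* initialised entries the cleanup loop never visited */
};

/* Stand-in for resync_alloc_pages(): allocate every page of one entry. */
static int sim_alloc_pages(struct sim_resync_pages *rp)
{
    for (int i = 0; i < SIM_RESYNC_PAGES; i++) {
        rp->pages[i] = malloc(64);
        if (!rp->pages[i]) {
            while (--i >= 0)
                free(rp->pages[i]);
            return -1;
        }
    }
    rp->initialised = 1;
    return 0;
}

static void sim_release_entry(struct sim_resync_pages *rp)
{
    for (int i = 0; i < SIM_RESYNC_PAGES; i++) {
        free(rp->pages[i]);
        rp->pages[i] = NULL;
    }
    rp->initialised = 0;
}

/* Stand-in for resync_free_pages(&rps[idx]) with a check in front of it:
 * where the kernel would pass a garbage pointer to put_page(), the
 * simulation records a bad access and returns. */
static void sim_free_pages_checked(struct sim_resync_pages *rps, int nalloc,
                                   int idx, struct cleanup_stats *st)
{
    if (idx < 0 || idx >= nalloc || !rps[idx].initialised) {
        st->bad_accesses++;
        return;
    }
    sim_release_entry(&rps[idx]);
    st->freed++;
}

/* Allocate entries 0..copies-1, make entry `fail_at` fail, then run the
 * out_free_pages loop with the given index stride: 2 reproduces the old
 * rps[j * 2], 1 the fixed rps[j]. */
struct cleanup_stats simulate_cleanup(int copies, int fail_at, int stride)
{
    struct cleanup_stats st = {0, 0, 0};
    struct sim_resync_pages *rps;
    int j;

    if (copies <= 0)
        return st;
    rps = calloc((size_t)copies, sizeof(*rps));
    if (!rps)
        return st;

    for (j = 0; j < copies; j++) {
        if (j == fail_at || sim_alloc_pages(&rps[j]) != 0)
            break; /* allocation of entry j failed: goto out_free_pages */
    }

    /* out_free_pages: j is the index whose allocation failed. */
    while (--j >= 0)
        sim_free_pages_checked(rps, copies, j * stride, &st);

    /* Count and release whatever the cleanup loop missed so the simulation
     * itself does not leak. */
    for (int k = 0; k < copies; k++) {
        if (rps[k].initialised) {
            st.leaked++;
            sim_release_entry(&rps[k]);
        }
    }
    free(rps);
    return st;
}

int main(void)
{
    const int layouts[][2] = { {2, 1}, {3, 2}, {4, 3} }; /* {copies, failing index} */

    printf("copies fail_at stride freed bad leaked\n");
    for (size_t n = 0; n < sizeof(layouts) / sizeof(layouts[0]); n++) {
        for (int stride = 2; stride >= 1; stride--) {
            struct cleanup_stats st =
                simulate_cleanup(layouts[n][0], layouts[n][1], stride);
            printf("%6d %7d %6d %5d %3d %6d\n", layouts[n][0], layouts[n][1],
                   stride, st.freed, st.bad_accesses, st.leaked);
        }
    }
    return 0;
}
```

With two copies both strides behave identically, which is why the problem only surfaces on a 3-copy layout: there the old stride's first step lands on the uninitialised entry 2 and skips entry 1, so one bad access and one leaked entry; with four copies it indexes past the end of the array. The fixed stride frees exactly the entries that were set up in every case.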