On Tue, Feb 21, 2023 at 7:59 PM Xiao Ni <xni@xxxxxxxxxx> wrote:
>
> If md_run() fails after ->active_io is initialized, then percpu_ref_exit
> is called in error path. However, later md_free_disk will call
> percpu_ref_exit again which leads to a panic because of null pointer
> dereference. It can also trigger this bug when resources are initialized
> but are freed in error path, then will be freed again in md_free_disk.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000038
> Oops: 0000 [#1] PREEMPT SMP
> Workqueue: md_misc mddev_delayed_delete
> RIP: 0010:free_percpu+0x110/0x630
> Call Trace:
> <TASK>
> __percpu_ref_exit+0x44/0x70
> percpu_ref_exit+0x16/0x90
> md_free_disk+0x2f/0x80
> disk_release+0x101/0x180
> device_release+0x84/0x110
> kobject_put+0x12a/0x380
> kobject_put+0x160/0x380
> mddev_delayed_delete+0x19/0x30
> process_one_work+0x269/0x680
> worker_thread+0x266/0x640
> kthread+0x151/0x1b0
> ret_from_fork+0x1f/0x30
>
> For creating raid device, md raid calls do_md_run->md_run, dm raid calls
> md_run. We alloc those memory in md_run. For stopping raid device, md raid
> calls do_md_stop->__md_stop, dm raid calls md_stop->__md_stop. So we can
> free those memory resources in __md_stop.
>
> Fixes: 72adae23a72c ("md: Change active_io to percpu")
> Reported-and-tested-by: Yu Kuai <yukuai3@xxxxxxxxxx>
> Signed-off-by: Xiao Ni <xni@xxxxxxxxxx>
Applied to md-fixes. Thanks!
Song
