releases/4.9.318/md-fix-an-incorrect-null-check-in-md_reload_sb.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 Mon Sep 17 00:00:00 2001
 From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
 Date: Fri, 8 Apr 2022 16:47:15 +0800
 Subject: md: fix an incorrect NULL check in md_reload_sb

 From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

 commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream.

 The bug is here:
 	if (!rdev || rdev->desc_nr != nr) {

 The list iterator value 'rdev' will *always* be set and non-NULL
 by rdev_for_each_rcu(), so it is incorrect to assume that the
 iterator value will be NULL if the list is empty or no element
 found (In fact, it will be a bogus pointer to an invalid struct
 object containing the HEAD). Otherwise it will bypass the check
 and lead to invalid memory access passing the check.

 To fix the bug, use a new variable 'iter' as the list iterator,
 while using the original variable 'pdev' as a dedicated pointer to
 point to the found element.

 Cc: stable@vger.kernel.org
 Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone")
 Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
 Signed-off-by: Song Liu <song@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/md/md.c |   10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)

 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -8882,16 +8882,18 @@ static int read_rdev(struct mddev *mddev

  void md_reload_sb(struct mddev *mddev, int nr)
  {
 -	struct md_rdev *rdev;
 +	struct md_rdev *rdev = NULL, *iter;
  	int err;

  	/* Find the rdev */
 -	rdev_for_each_rcu(rdev, mddev) {
 -		if (rdev->desc_nr == nr)
 +	rdev_for_each_rcu(iter, mddev) {
 +		if (iter->desc_nr == nr) {
 +			rdev = iter;
  			break;
 +		}
  	}

 -	if (!rdev || rdev->desc_nr != nr) {
 +	if (!rdev) {
  		pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr);
  		return;
  	}
	From 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 Mon Sep 17 00:00:00 2001
	From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
	Date: Fri, 8 Apr 2022 16:47:15 +0800
	Subject: md: fix an incorrect NULL check in md_reload_sb

	From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

	commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream.

	The bug is here:
	if (!rdev \|\| rdev->desc_nr != nr) {

	The list iterator value 'rdev' will always be set and non-NULL
	by rdev_for_each_rcu(), so it is incorrect to assume that the
	iterator value will be NULL if the list is empty or no element
	found (In fact, it will be a bogus pointer to an invalid struct
	object containing the HEAD). Otherwise it will bypass the check
	and lead to invalid memory access passing the check.

	To fix the bug, use a new variable 'iter' as the list iterator,
	while using the original variable 'pdev' as a dedicated pointer to
	point to the found element.

	Cc: stable@vger.kernel.org
	Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone")
	Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
	Signed-off-by: Song Liu <song@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/md/md.c \| 10 ++++++----
	1 file changed, 6 insertions(+), 4 deletions(-)

	--- a/drivers/md/md.c
	+++ b/drivers/md/md.c
	@@ -8882,16 +8882,18 @@ static int read_rdev(struct mddev *mddev

	void md_reload_sb(struct mddev *mddev, int nr)
	{
	- struct md_rdev *rdev;
	+ struct md_rdev rdev = NULL, iter;
	int err;

	/* Find the rdev */
	- rdev_for_each_rcu(rdev, mddev) {
	- if (rdev->desc_nr == nr)
	+ rdev_for_each_rcu(iter, mddev) {
	+ if (iter->desc_nr == nr) {
	+ rdev = iter;
	break;
	+ }
	}

	- if (!rdev \|\| rdev->desc_nr != nr) {
	+ if (!rdev) {
	pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr);
	return;
	}