| From 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 Mon Sep 17 00:00:00 2001 |
| From: Xiaomeng Tong <xiam0nd.tong@gmail.com> |
| Date: Fri, 8 Apr 2022 16:47:15 +0800 |
| Subject: md: fix an incorrect NULL check in md_reload_sb |
| |
| From: Xiaomeng Tong <xiam0nd.tong@gmail.com> |
| |
| commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream. |
| |
| The bug is here: |
| if (!rdev || rdev->desc_nr != nr) { |
| |
| The list iterator value 'rdev' will *always* be set and non-NULL |
| by rdev_for_each_rcu(), so it is incorrect to assume that the |
| iterator value will be NULL if the list is empty or no element |
| found (In fact, it will be a bogus pointer to an invalid struct |
| object containing the HEAD). Otherwise it will bypass the check |
| and lead to invalid memory access passing the check. |
| |
| To fix the bug, use a new variable 'iter' as the list iterator, |
| while using the original variable 'rdev' as a dedicated pointer to |
| point to the found element. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone") |
| Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> |
| Signed-off-by: Song Liu <song@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/md/md.c | 10 ++++++---- |
| 1 file changed, 6 insertions(+), 4 deletions(-) |
| |
| --- a/drivers/md/md.c |
| +++ b/drivers/md/md.c |
| @@ -8882,16 +8882,18 @@ static int read_rdev(struct mddev *mddev |
| |
| void md_reload_sb(struct mddev *mddev, int nr) |
| { |
| - struct md_rdev *rdev; |
| + struct md_rdev *rdev = NULL, *iter; |
| int err; |
| |
| /* Find the rdev */ |
| - rdev_for_each_rcu(rdev, mddev) { |
| - if (rdev->desc_nr == nr) |
| + rdev_for_each_rcu(iter, mddev) { |
| + if (iter->desc_nr == nr) { |
| + rdev = iter; |
| break; |
| + } |
| } |
| |
| - if (!rdev || rdev->desc_nr != nr) { |
| + if (!rdev) { |
| pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr); |
| return; |
| } |