From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yufen Yu, Shaohua Li, Sasha Levin
Subject: [PATCH 4.14 128/246] md: fix NULL dereference of mddev->pers in remove_and_add_spares()
Date: Wed, 1 Aug 2018 18:50:38 +0200
Message-Id: <20180801165017.857751373@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Yufen Yu

[ Upstream commit c42a0e2675721e1444f56e6132a07b7b1ec169ac ]

We met a NULL pointer BUG as follows:

[ 151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0
[ 151.762039] Oops: 0000 [#1] SMP PTI
[ 151.762406] Modules linked in:
[ 151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238
[ 151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014
[ 151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0
[ 151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246
[ 151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000
[ 151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000
[ 151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051
[ 151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600
[ 151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000
[ 151.769160] FS:  00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000
[ 151.769971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0
[ 151.771272] Call Trace:
[ 151.771542]  md_ioctl+0x1df2/0x1e10
[ 151.771906]  ? __switch_to+0x129/0x440
[ 151.772295]  ? __schedule+0x244/0x850
[ 151.772672]  blkdev_ioctl+0x4bd/0x970
[ 151.773048]  block_ioctl+0x39/0x40
[ 151.773402]  do_vfs_ioctl+0xa4/0x610
[ 151.773770]  ? dput.part.23+0x87/0x100
[ 151.774151]  ksys_ioctl+0x70/0x80
[ 151.774493]  __x64_sys_ioctl+0x16/0x20
[ 151.774877]  do_syscall_64+0x5b/0x180
[ 151.775258]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

For raid6, when two disks of the array are offline, two spare disks can
be added into the array. Before the spare disks' recovery completes, the
system reboots and mdadm thinks it is ok to restart the degraded array by
md_ioctl(). Since the disks in raid6 are not only_parity(), raid5_run()
will abort when there is no PPL feature or the 'start_dirty_degraded'
parameter is not set. Therefore, mddev->pers is NULL. But mddev->raid_disks
has been set and it will not be cleared when raid5_run() aborts. md_ioctl()
can execute the cmd 'HOT_REMOVE_DISK' to remove a disk by mdadm, which will
finally cause a NULL pointer dereference in remove_and_add_spares().

Signed-off-by: Yufen Yu
Signed-off-by: Shaohua Li
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/md/md.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -6498,6 +6498,9 @@ static int hot_remove_disk(struct mddev char b[BDEVNAME_SIZE]; struct md_rdev *rdev; + if (!mddev->pers) + return -ENODEV; + rdev = find_rdev(mddev, dev); if (!rdev) return -ENXIO;
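Review bot: the new `if (!mddev->pers) return -ENODEV;` in hot_remove_disk() stops the crash, but the commit message names the root cause as mddev->raid_disks staying set after raid5_run() aborts, and this hunk leaves that state in place; the message should say why guarding the ioctl is preferred over clearing raid_disks on the raid5_run() failure path, and whether other md_ioctl() commands that can reach remove_and_add_spares() with a NULL pers need the same check. Minor: the guard returns -ENODEV while the missing-member path two lines below returns -ENXIO; a one-line comment on the new check ("array not running") would make the distinction deliberate for callers.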