From: Song Liu
Date: Thu, 7 Apr 2022 17:37:55 -0700
Subject: Re: [PATCH] md: fix an incorrect NULL check in md_reload_sb
To: Xiaomeng Tong
Cc: rgoldwyn@suse.com, Guoqing Jiang, linux-raid, open list, stable@vger.kernel.org

On Mon, Mar 28, 2022 at 1:06 AM Xiaomeng Tong wrote:
>
> The bug is here:
>         if (!rdev || rdev->desc_nr != nr) {
>
> The list iterator value 'rdev' will *always* be set and non-NULL
> by rdev_for_each_rcu(), so it is incorrect to assume that the
> iterator value will be NULL if the list is empty or no element
> found (In fact, it will be a bogus pointer to an invalid struct
> object containing the HEAD). Otherwise it will bypass the check
> and lead to invalid memory access passing the check.
>
> To fix the bug, use a new variable 'iter' as the list iterator,
> while using the original variable 'pdev' as a dedicated pointer to
> point to the found element.
>
> Cc: stable@vger.kernel.org
> Fixes: 70bcecdb1534 ("amd-cluster: Improve md_reload_sb to be less error prone")

s/amd-cluster/md-cluster/

> Signed-off-by: Xiaomeng Tong
> ---
>
> changes from v1:
>  - rephrase the subject (Guoqing Jiang)
>
> v1:https://lore.kernel.org/lkml/20220327080111.12028-1-xiam0nd.tong@gmail.com/
>
> ---
>  drivers/md/md.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c > index 7476fc204172..f156678c08bc 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c
> @@ -9794,16 +9794,18 @@ static int read_rdev(struct mddev *mddev, struct md_rdev *rdev) > > void md_reload_sb(struct mddev *mddev, int nr) > { > - struct md_rdev *rdev; > + struct md_rdev *rdev = NULL, *iter; > int err; > > /* Find the rdev */ > - rdev_for_each_rcu(rdev, mddev) { > - if (rdev->desc_nr == nr) > + rdev_for_each_rcu(iter, mddev) { > + if (iter->desc_nr == nr) { > + rdev = iter; > break; > + } > } > > - if (!rdev || rdev->desc_nr != nr) { > + if (!rdev) { > pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr); > return; > } > -- > 2.17.1 >
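
Review bot: In the declaration `struct md_rdev *rdev = NULL, *iter;` the found-element pointer is still named 'rdev', but the changelog calls the original variable 'pdev'; the changelog should say 'rdev' so it matches the code. The `= NULL` initializer is what makes the reduced `if (!rdev)` test valid, because 'rdev' is now assigned only inside the match branch, so a short comment at the loop stating that 'iter' must not be used after it would help keep later edits from reintroducing the bug. The loop uses the _rcu iterator and 'rdev' is kept past the loop, yet no rcu_read_lock() or other lock appears in the visible lines; if the caller holds the protecting lock, naming it in a comment on md_reload_sb() would make that checkable.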
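
The iterator behaviour described in the quoted changelog, as an added example that is not part of the original message or the kernel source: a userspace model showing that the loop cursor is non-NULL after a miss, while a separate result pointer stays NULL. The simplified macros and the names `dev`, `set`, `find_cursor`, `find_checked` and `sample` are assumptions made for illustration.

```c
/* Added example: userspace model of the iterator bug; every name here is illustrative. */
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next; };
/* Simplified stand-ins for the kernel's container_of()/list_for_each_entry(). */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, type, member)         \
	for (pos = container_of((head)->next, type, member); \
	     &pos->member != (head);                         \
	     pos = container_of(pos->member.next, type, member))
struct dev { int desc_nr; struct list_head node; };  /* stands in for md_rdev */
struct set { int flags; struct list_head disks; };   /* stands in for mddev */
/* Pre-patch shape: the loop cursor itself is handed back and tested against NULL. */
static struct dev *find_cursor(struct set *s, int nr)
{
	struct dev *d;
	list_for_each_entry(d, &s->disks, struct dev, node)
		if (d->desc_nr == nr)
			break;
	return d;  /* on a miss this is container_of(&s->disks, ...), never NULL */
}

/* Post-patch shape: a separate result pointer, assigned only on a match. */
static struct dev *find_checked(struct set *s, int nr)
{
	struct dev *found = NULL, *iter;
	list_for_each_entry(iter, &s->disks, struct dev, node)
		if (iter->desc_nr == nr) {
			found = iter;
			break;
		}
	return found;
}

/* Constructed sample data: a circular list holding desc_nr 0 and 1. */
static struct dev d0 = { .desc_nr = 0 }, d1 = { .desc_nr = 1 };
static struct set arr;
static struct set *sample(void)
{
	arr.disks.next = &d0.node; d0.node.next = &d1.node; d1.node.next = &arr.disks;
	return &arr;
}

int main(void)
{
	struct set *s = sample();
	printf("miss: cursor=%p checked=%p\n", (void *)find_cursor(s, 9), (void *)find_checked(s, 9));
	return 0;
}
```

On a miss the cursor points at the structure that embeds the list head rather than at any `struct dev`, which is why a `!rdev` test after the loop can never fire.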