From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guoqing Jiang, Xiaomeng Tong, Goldwyn Rodrigues, Song Liu
Subject: [PATCH 4.9 088/167] md: fix an incorrect NULL check in does_sb_need_changing
Date: Mon, 13 Jun 2022 12:09:22 +0200
Message-Id: <20220613094901.545593883@linuxfoundation.org>
In-Reply-To: <20220613094840.720778945@linuxfoundation.org>
References: <20220613094840.720778945@linuxfoundation.org>

From: Xiaomeng Tong

commit fc8738343eefc4ea8afb6122826dea48eacde514 upstream.

The bug is here:
	if (!rdev)

The list iterator value 'rdev' will *always* be set and non-NULL
by rdev_for_each(), so it is incorrect to assume that the iterator
value will be NULL if the list is empty or no element found.
Otherwise it will bypass the NULL check and lead to invalid memory
access passing the check.

To fix the bug, use a new variable 'iter' as the list iterator,
while using the original variable 'rdev' as a dedicated pointer to
point to the found element.

Cc: stable@vger.kernel.org
Fixes: 2aa82191ac36 ("md-cluster: Perform a lazy update")
Acked-by: Guoqing Jiang
Signed-off-by: Xiaomeng Tong
Acked-by: Goldwyn Rodrigues
Signed-off-by: Song Liu
Signed-off-by: Greg Kroah-Hartman
---
 drivers/md/md.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/md/md.c +++ b/drivers/md/md.c 
@@ -2254,14 +2254,16 @@ static void sync_sbs(struct mddev *mddev static bool does_sb_need_changing(struct mddev *mddev) { - struct md_rdev *rdev; + struct md_rdev *rdev = NULL, *iter; struct mdp_superblock_1 *sb; int role; /* Find a good rdev */ - rdev_for_each(rdev, mddev) - if ((rdev->raid_disk >= 0) && !test_bit(Faulty, &rdev->flags)) + rdev_for_each(iter, mddev) + if ((iter->raid_disk >= 0) && !test_bit(Faulty, &iter->flags)) { + rdev = iter; break; + } /* No good device found. */ if (!rdev)
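
Review bot: the rdev_for_each(iter, mddev) loop in does_sb_need_changing() is left unbraced although its body is now a braced, multi-line if; kernel coding style asks for braces when a loop contains more than a single simple statement, so wrapping the loop body in its own { } would make it clearer that "rdev = iter; break;" belongs to the loop. The logic itself reads correctly from the visible lines: rdev starts as NULL and is assigned only when a non-Faulty device with raid_disk >= 0 is found, so the following "if (!rdev)" now actually detects the no-good-device case. It would also help to extend the "Find a good rdev" comment to say that rdev stays NULL when nothing matches, since that invariant is what the later check depends on.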