    md/raid1: fix use-after-free bug in RAID1 data-check code. · 33c050f8
    NeilBrown authored
    commit 2d4f4f33 upstream.
    
    This bug has been present ever since data-check was introduced
    in 2.6.16.  However it would only fire if a data-check were
    done on a degraded array, which was only possible if the array
    has 3 or more devices.  This is certainly possible, but is quite
    uncommon.
    
    Since hot-replace was added in 3.3 it can happen more often as
    the same condition can arise if not all possible replacements are
    present.
    
    The problem is that as soon as we submit the last read request, the
    'r1_bio' structure could be freed at any time, so we really should
    stop looking at it.  If the last device is being read from we will
    stop looking at it.  However if the last device is not due to be read
    from, we will still check the bio pointer in the r1_bio, but the
    r1_bio might already be free.
    
    So use the read_targets counter to make sure we stop looking for bios
    to submit as soon as we have submitted them all.
    
    This fix is suitable for any -stable kernel since 2.6.16.
    Reported-by: Arnold Schulz <arnysch@gmx.net>
    Signed-off-by: NeilBrown <neilb@suse.de>
    [bwh: Backported to 3.2: no doubling of conf->raid_disks; we don't have
     hot-replace support]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
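As an added illustration, not the kernel's code or this commit's diff: a constructed user-space model of the data-check submit loop described in the message above, showing the read_targets bound that stops the loop before r1_bio can be touched after its last read is issued. The struct layouts, the is_sync_read flag, the r1_bio_frees counter and the synchronous completion are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdlib.h>
#define MAX_DISKS 8
/* Constructed user-space model of the RAID1 data-check submit loop.
 * r1_bio, bios, remaining and read_targets follow the commit message;
 * the layout and the synchronous "completion" are assumptions. */
struct bio {
    bool is_sync_read;        /* stands in for bi_end_io == end_sync_read */
    struct r1_bio *owner;
};
struct r1_bio {
    int remaining;            /* outstanding reads; the last one frees us */
    struct bio bios[MAX_DISKS];
};
static int r1_bio_frees;      /* how many times the r1_bio was released */
/* Completion path: the final read to finish releases the r1_bio. */
static void end_sync_read(struct bio *bio)
{
    struct r1_bio *r1_bio = bio->owner;
    if (--r1_bio->remaining == 0) {
        r1_bio_frees++;
        free(r1_bio);
    }
}
/* In the kernel the read completes asynchronously, possibly before
 * generic_make_request() returns; modelled here as immediate. */
static void generic_make_request(struct bio *bio) { end_sync_read(bio); }
/* Fixed loop: stop once read_targets reads are issued, since r1_bio may be
 * gone after the last one.  The pre-fix loop walked all 'disks' slots and so
 * could read r1_bio->bios[i] for the non-read devices after that free. */
static int submit_data_check_reads(struct r1_bio *r1_bio, int disks, int read_targets)
{
    int submitted = 0;
    for (int i = 0; i < disks && read_targets > 0; i++) {
        struct bio *bio = &r1_bio->bios[i];
        if (!bio->is_sync_read)
            continue;
        read_targets--;
        submitted++;
        generic_make_request(bio); /* r1_bio invalid once read_targets hits 0 */
    }
    return submitted;
}
/* Degraded 3-device array: disks 0 and 1 are read, slot 2 has no device. */
static int run_degraded_case(void)
{
    struct r1_bio *r1_bio = calloc(1, sizeof *r1_bio);
    for (int i = 0; i < 3; i++)
        r1_bio->bios[i] = (struct bio){ .is_sync_read = i < 2, .owner = r1_bio };
    r1_bio->remaining = 2;    /* read_targets: two devices to read from */
    return submit_data_check_reads(r1_bio, 3, 2);
}
```

Building with -fsanitize=address and dropping the read_targets condition from the loop header reproduces the class of access the commit describes, since the slot-2 check then runs against the released r1_bio.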