• D
    dm raid: fix NULL pointer dereference for raid1 without bitmap · 7a0c5c5b
    Dmitry Bilunov 提交于
    Commit 4257e085 ("dm raid: support to change bitmap region size")
    introduced a bitmap resize call during preresume phase. User can create
    a DM device with "raid" target configured as raid1 with no metadata
    devices to hold superblock/bitmap info. It can be achieved using the
    following sequence:
    
      truncate -s 32M /dev/shm/raid-test
      LOOP=$(losetup --show -f /dev/shm/raid-test)
      dmsetup create raid-test-linear0 --table "0 1024 linear $LOOP 0"
      dmsetup create raid-test-linear1 --table "0 1024 linear $LOOP 1024"
      dmsetup create raid-test --table "0 1024 raid raid1 1 2048 2 - /dev/mapper/raid-test-linear0 - /dev/mapper/raid-test-linear1"
    
    This results in the following crash:
    
    [ 4029.110216] device-mapper: raid: Ignoring chunk size parameter for RAID 1
    [ 4029.110217] device-mapper: raid: Choosing default region size of 4MiB
    [ 4029.111349] md/raid1:mdX: active with 2 out of 2 mirrors
    [ 4029.114770] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [ 4029.114802] IP: bitmap_resize+0x25/0x7c0 [md_mod]
    [ 4029.114816] PGD 0
    …
    [ 4029.115059] Hardware name: Aquarius Pro P30 S85 BUY-866/B85M-E, BIOS 2304 05/25/2015
    [ 4029.115079] task: ffff88015cc29a80 task.stack: ffffc90001a5c000
    [ 4029.115097] RIP: 0010:bitmap_resize+0x25/0x7c0 [md_mod]
    [ 4029.115112] RSP: 0018:ffffc90001a5fb68 EFLAGS: 00010246
    [ 4029.115127] RAX: 0000000000000005 RBX: 0000000000000000 RCX: 0000000000000000
    [ 4029.115146] RDX: 0000000000000000 RSI: 0000000000000400 RDI: 0000000000000000
    [ 4029.115166] RBP: ffffc90001a5fc28 R08: 0000000800000000 R09: 00000008ffffffff
    [ 4029.115185] R10: ffffea0005661600 R11: ffff88015cc29a80 R12: ffff88021231f058
    [ 4029.115204] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    [ 4029.115223] FS:  00007fe73a6b4740(0000) GS:ffff88021ea80000(0000) knlGS:0000000000000000
    [ 4029.115245] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 4029.115261] CR2: 0000000000000030 CR3: 0000000159a74000 CR4: 00000000001426e0
    [ 4029.115281] Call Trace:
    [ 4029.115291]  ? raid_iterate_devices+0x63/0x80 [dm_raid]
    [ 4029.115309]  ? dm_table_all_devices_attribute.isra.23+0x41/0x70 [dm_mod]
    [ 4029.115329]  ? dm_table_set_restrictions+0x225/0x2d0 [dm_mod]
    [ 4029.115346]  raid_preresume+0x81/0x2e0 [dm_raid]
    [ 4029.115361]  dm_table_resume_targets+0x47/0xe0 [dm_mod]
    [ 4029.115378]  dm_resume+0xa8/0xd0 [dm_mod]
    [ 4029.115391]  dev_suspend+0x123/0x250 [dm_mod]
    [ 4029.115405]  ? table_load+0x350/0x350 [dm_mod]
    [ 4029.115419]  ctl_ioctl+0x1c2/0x490 [dm_mod]
    [ 4029.115433]  dm_ctl_ioctl+0xe/0x20 [dm_mod]
    [ 4029.115447]  do_vfs_ioctl+0x8d/0x5a0
    [ 4029.115459]  ? ____fput+0x9/0x10
    [ 4029.115470]  ? task_work_run+0x79/0xa0
    [ 4029.115481]  SyS_ioctl+0x3c/0x70
    [ 4029.115493]  entry_SYSCALL_64_fastpath+0x13/0x94
    
    The raid_preresume() function incorrectly assumes that the raid_set has
    a bitmap enabled if RT_FLAG_RS_BITMAP_LOADED is set.  But
    RT_FLAG_RS_BITMAP_LOADED is getting set in __load_dirty_region_bitmap()
    even if there is no bitmap present (and bitmap_load() happily returns 0
    even if a bitmap isn't present).  So the only way forward in the
    near-term is to check if the bitmap is present by seeing if
    mddev->bitmap is not NULL after bitmap_load() has been called.
    
    By doing so the above NULL pointer is avoided.
    
    Fixes: 4257e085 ("dm raid: support to change bitmap region size")
    Cc: stable@vger.kernel.org # v4.8+
    Signed-off-by: NDmitry Bilunov <kmeaw@yandex-team.ru>
    Signed-off-by: NAndrey Smetanin <asmetanin@yandex-team.ru>
    Acked-by: NHeinz Mauelshagen <heinzm@redhat.com>
    Signed-off-by: NMike Snitzer <snitzer@redhat.com>
    7a0c5c5b
dm-raid.c 109.3 KB