Message-Id: <1a102c5e-bf53-4419-ae8b-9d49127281f2@fnnas.com>
Date: Sat, 27 Dec 2025 09:55:57 +0800
From: "Yu Kuai" <yukuai@...as.com>
To: "dannyshih" <dannyshih@...ology.com>, <song@...nel.org>,
<yukuai@...as.com>
Cc: <linux-raid@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] md: suspend array while updating raid_disks via sysfs
On 2025/12/26 18:18, dannyshih wrote:
> From: FengWei Shih<dannyshih@...ology.com>
>
> In raid1_reshape(), freeze_array() is called before modifying the r1bio
> memory pool (conf->r1bio_pool) and conf->raid_disks, and
> unfreeze_array() is called after the update is completed.
>
> However, freeze_array() only waits until nr_sync_pending and
> (nr_pending - nr_queued) of all buckets reach zero. When an I/O error
> occurs, nr_queued is increased and the corresponding r1bio is queued to
> either retry_list or bio_end_io_list. As a result, freeze_array() may
> unblock before these r1bios are released.
>
> This can lead to a situation where conf->raid_disks and the mempool have
> already been updated while queued r1bios, allocated with the old
> raid_disks value, are later released. Consequently, free_r1bio() may
> access memory out of bounds in put_all_bios() and release r1bios of the
> wrong size to the new mempool, potentially causing issues with the
> mempool as well.
>
> Since only normal I/O might increase nr_queued while an I/O error occurs,
> suspending the array avoids this issue.
>
> Note: Updating raid_disks via ioctl SET_ARRAY_INFO already suspends
> the array. Therefore, we suspend the array when updating raid_disks
> via sysfs to avoid this issue too.
>
> Signed-off-by: FengWei Shih<dannyshih@...ology.com>
> ---
> v2:
> * Suspend array unconditionally when updating raid_disks
> * Refine commit message to describe the issue more concretely
> ---
> drivers/md/md.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Applied to md-6.19
--
Thanks,
Kuai
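
The accounting gap described in the quoted commit message, as a small userspace model added here (not kernel code and not part of the patch). The struct layouts, SLOTS_PER_DISK, release_overrun() and reshape_model() are assumptions made for illustration.

```c
#include <stdio.h>

#define SLOTS_PER_DISK 2  /* model assumption: bio slots per member disk */

struct conf  { int raid_disks, nr_pending, nr_queued; };
struct r1bio { int nslots; };  /* slot count fixed when the r1bio is allocated */

/* Wait condition quoted in the commit message: (nr_pending - nr_queued) == 0. */
static int freeze_done(const struct conf *c)
{
    return c->nr_pending - c->nr_queued == 0;
}

/* Stand-in for the put_all_bios() walk: its length comes from the current
 * conf, so return how many indexes fall outside this r1bio's allocation. */
static int release_overrun(const struct conf *c, const struct r1bio *rb)
{
    int walked = c->raid_disks * SLOTS_PER_DISK;
    return walked > rb->nslots ? walked - rb->nslots : 0;
}

/* One I/O in flight while raid_disks goes old_disks -> new_disks.
 * Returns slots touched past the allocation, or -1 if the freeze keeps waiting. */
static int reshape_model(int old_disks, int new_disks, int io_failed, int suspended)
{
    struct conf c = { old_disks, 0, 0 };
    struct r1bio rb = { old_disks * SLOTS_PER_DISK };
    int released = 0, over = 0;

    c.nr_pending++;                      /* normal I/O submitted */
    if (io_failed)
        c.nr_queued++;                   /* r1bio parked on retry_list */
    if (suspended) {                     /* suspend drains normal I/O first */
        over = release_overrun(&c, &rb); /* released against the old conf */
        released = 1;
        c.nr_pending = c.nr_queued = 0;
    }
    if (!freeze_done(&c))
        return -1;                       /* healthy I/O still blocks the freeze */
    c.raid_disks = new_disks;            /* reshape updates conf and mempool */
    if (!released)
        over = release_overrun(&c, &rb); /* late release of old-size r1bio */
    return over;
}

int main(void)
{
    printf("failed I/O, no suspend: %d\n", reshape_model(2, 4, 1, 0));
    printf("failed I/O, suspended:  %d\n", reshape_model(2, 4, 1, 1));
    return 0;
}
```

A shrink (4 to 2 disks) returns 0 here because the walk stays inside the allocation; the wrong-size release to the new mempool that the commit message mentions is not modelled.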