md: raid10: fix use-after-free of bio
In case of read errors raid10d tries to print a nice error message,
unfortunately using data from an already put bio.
Signed-off-by: Maik Hampel <[EMAIL PROTECTED]>
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index f730a14..ea1b3e3 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1557,7 +1557,6 @@ static void raid10d(mddev_t *mddev)
bio = r10_bio->devs[r10_bio->read_slot].bio;
r10_bio->devs[r10_bio->read_slot].bio =
mddev->ro ? IO_BLOCKED : NULL;
- bio_put(bio);
mirror = read_balance(conf, r10_bio);
if (mirror == -1) {
printk(KERN_ALERT "raid10: %s: unrecoverable
I/O"
@@ -1567,6 +1566,7 @@ static void raid10d(mddev_t *mddev)
raid_end_bio_io(r10_bio);
} else {
const int do_sync =
bio_sync(r10_bio->master_bio);
+ bio_put(bio);
rdev = conf->mirrors[mirror].rdev;
if (printk_ratelimit())
printk(KERN_ERR "raid10: %s:
redirecting sector %llu to"
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: md: raid10: fix use-after-free of bio
Am Samstag, den 28.07.2007, 23:55 -0700 schrieb Andrew Morton:
> On Fri, 27 Jul 2007 16:46:23 +0200 Maik Hampel <[EMAIL PROTECTED]> wrote:
>
> > In case of read errors raid10d tries to print a nice error message,
> > unfortunately using data from an already put bio.
> >
> > Signed-off-by: Maik Hampel <[EMAIL PROTECTED]>
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index f730a14..ea1b3e3 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -1557,7 +1557,6 @@ static void raid10d(mddev_t *mddev)
> > bio = r10_bio->devs[r10_bio->read_slot].bio;
> > r10_bio->devs[r10_bio->read_slot].bio =
> > mddev->ro ? IO_BLOCKED : NULL;
> > - bio_put(bio);
> > mirror = read_balance(conf, r10_bio);
> > if (mirror == -1) {
> > printk(KERN_ALERT "raid10: %s: unrecoverable
> > I/O"
> > @@ -1567,6 +1566,7 @@ static void raid10d(mddev_t *mddev)
> > raid_end_bio_io(r10_bio);
> > } else {
> > const int do_sync =
> > bio_sync(r10_bio->master_bio);
> > + bio_put(bio);
> > rdev = conf->mirrors[mirror].rdev;
> > if (printk_ratelimit())
> > printk(KERN_ERR "raid10: %s:
> > redirecting sector %llu to"
> >
> >
>
> Surely we just leaked that bio if (mirror == -1)?
>
> better:
>
> --- a/drivers/md/raid10.c~md-raid10-fix-use-after-free-of-bio
> +++ a/drivers/md/raid10.c
> @@ -1534,7 +1534,6 @@ static void raid10d(mddev_t *mddev)
> bio = r10_bio->devs[r10_bio->read_slot].bio;
> r10_bio->devs[r10_bio->read_slot].bio =
> mddev->ro ? IO_BLOCKED : NULL;
> - bio_put(bio);
> mirror = read_balance(conf, r10_bio);
> if (mirror == -1) {
> printk(KERN_ALERT "raid10: %s: unrecoverable
> I/O"
> @@ -1542,8 +1541,10 @@ static void raid10d(mddev_t *mddev)
> bdevname(bio->bi_bdev,b),
> (unsigned long long)r10_bio->sector);
> raid_end_bio_io(r10_bio);
> + bio_put(bio);
raid_end_bio_io() calls put_all_bios(), which does a bio_put() to
corresponding r10_bio->devs[i]. So this looks like redundant code for
me.
> } else {
> const int do_sync =
> bio_sync(r10_bio->master_bio);
> + bio_put(bio);
> rdev = conf->mirrors[mirror].rdev;
> if (printk_ratelimit())
> printk(KERN_ERR "raid10: %s:
> redirecting sector %llu to"
Regards,
Maik Hampel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] [SCSI] arcmsr: Fix error handling
Fixed error handling in queuecommand(), now all READ_ and WRITE_ commands
are aborted in case of RAID is gone. Before only READ_6 and WRITE_6 commands
were aborted.
Signed-off-by: Maik Hampel <[EMAIL PROTECTED]>
---
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
index 0ddfc21..7a001ad 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -1133,17 +1133,27 @@ static int arcmsr_queue_command(struct scsi_cmnd *cmd,
uint8_t block_cmd;
block_cmd = cmd->cmnd[0] & 0x0f;
- if (block_cmd == 0x08 || block_cmd == 0x0a) {
- printk(KERN_NOTICE
- "arcmsr%d: block 'read/write'"
- "command with gone raid volume"
- " Cmd = %2x, TargetId = %d, Lun = %d \n"
- , acb->host->host_no
- , cmd->cmnd[0]
- , target, lun);
- cmd->result = (DID_NO_CONNECT << 16);
- cmd->scsi_done(cmd);
- return 0;
+ switch (block_cmd) {
+ case READ_6:
+ case READ_10:
+ case READ_12:
+ case READ_16:
+ case WRITE_6:
+ case WRITE_10:
+ case WRITE_12:
+ case WRITE_16:
+ printk(KERN_NOTICE
+ "arcmsr%d: block 'read/write'"
+ "command with gone raid volume"
+ " Cmd = %2x, TargetId = %d, Lun = %d \n"
+ , acb->host->host_no
+ , cmd->cmnd[0]
+ , target, lun);
+ cmd->result = (DID_NO_CONNECT << 16);
+ cmd->scsi_done(cmd);
+ return 0;
+ default:
+ break;
}
}
if (atomic_read(&acb->ccboutstandingcount) >=
--
1.4.4.4
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] myri10ge: SET_NETDEV_DEV()
SET_NETDEV_DEV() in myri10ge to create the "/sys/class/net//device" symlink. Signed-off-by: Maik Hampel <[EMAIL PROTECTED]> diff -Naur a/drivers/net/myri10ge/myri10ge.c b/drivers/net/myri10ge/myri10ge.c --- a/drivers/net/myri10ge/myri10ge.c 2007-06-28 16:04:41.0 +0200 +++ b/drivers/net/myri10ge/myri10ge.c 2007-06-28 16:31:24.0 +0200 @@ -2854,6 +2854,8 @@ return -ENOMEM; } + SET_NETDEV_DEV(netdev, &pdev->dev); + mgp = netdev_priv(netdev); memset(mgp, 0, sizeof(*mgp)); mgp->dev = netdev; - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
