From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:36184 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751512AbbGaAUs (ORCPT ); Thu, 30 Jul 2015 20:20:48 -0400
Subject: Patch "md: clear mddev->private when it has been freed." has been added to the 4.1-stable tree
To: neilb@suse.de, gregkh@linuxfoundation.org, nate@neworld.us, neilb@suse.com
Cc: ,
From:
Date: Thu, 30 Jul 2015 17:20:47 -0700
Message-ID: <143830204716367@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    md: clear mddev->private when it has been freed.

to the 4.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    md-clear-mddev-private-when-it-has-been-freed.patch
and it can be found in the queue-4.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let me know about it.

>>From bd6919228d7e1867ae9e24ab27e3e4a366c87d21 Mon Sep 17 00:00:00 2001
From: NeilBrown
Date: Thu, 25 Jun 2015 17:01:40 +1000
Subject: md: clear mddev->private when it has been freed.

From: NeilBrown

commit bd6919228d7e1867ae9e24ab27e3e4a366c87d21 upstream.

If ->private is set when ->run is called, it is assumed to be a 'config' prepared as part of 'reshape'.

So it is important when we free that config, that we also clear ->private.

This is not often a problem as the mddev will normally be discarded shortly after the config is freed.

However if an 'assemble' races with a final close, the assemble can use the old mddev which has a stale ->private. This leads to any of various sorts of crashes.

So clear ->private after calling ->free().

Reported-by: Nate Clark
Fixes: afa0f557cb15 ("md: rename ->stop to ->free")
Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman --- drivers/md/md.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5159,6 +5159,7 @@ int md_run(struct mddev *mddev) mddev_detach(mddev); if (mddev->private) pers->free(mddev, mddev->private); + mddev->private = NULL; module_put(pers->owner); bitmap_destroy(mddev); return err; @@ -5294,6 +5295,7 @@ static void md_clean(struct mddev *mddev mddev->changed = 0; mddev->degraded = 0; mddev->safemode = 0; + mddev->private = NULL; mddev->merge_check_needed = 0; mddev->bitmap_info.offset = 0; mddev->bitmap_info.default_offset = 0; @@ -5366,6 +5368,7 @@ static void __md_stop(struct mddev *mdde mddev->pers = NULL; spin_unlock(&mddev->lock); pers->free(mddev, mddev->private); + mddev->private = NULL; if (pers->sync_request && mddev->to_remove == NULL) mddev->to_remove = &md_redundancy_group; module_put(pers->owner); Patches currently in stable-queue which might be from neilb@suse.de are queue-4.1/md-clear-mddev-private-when-it-has-been-freed.patch queue-4.1/md-fix-a-build-warning.patch queue-4.1/md-unlock-mddev_lock-on-an-error-path.patch
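Review bot: In the md_run error path (first hunk), the new `mddev->private = NULL;` is unconditional while the preceding `pers->free(mddev, mddev->private);` is guarded by `if (mddev->private)`; that is correct (clearing an already-NULL pointer is a no-op) and it restores the invariant the commit message relies on, namely that a non-NULL ->private on entry to ->run is a live reshape config, but a short comment at that site would stop a later reader from "fixing" the apparent mismatch by moving the assignment inside the conditional.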
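Review bot: In md_clean (second hunk) the pointer is cleared but nothing is freed, so this line relies on every path into md_clean having already released the config via pers->free (as __md_stop does in the third hunk); if any caller can reach md_clean with a still-allocated ->private, the change turns the reported stale-pointer crash into a silent leak rather than fixing it. Worth a one-line comment stating that assumption next to the assignment.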
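Review bot: In __md_stop (third hunk) `mddev->pers = NULL;` happens under mddev->lock, but `pers->free(mddev, mddev->private);` and the new `mddev->private = NULL;` run after `spin_unlock(&mddev->lock);`, leaving a window where ->pers is already NULL while ->private still points at the just-freed config. If every reader of ->private holds the reconfig mutex rather than this spinlock that is fine, but consider taking a local copy of ->private, clearing the field alongside ->pers inside the locked region, and passing the copy to pers->free after the unlock, or add a comment explaining why the two fields need not go NULL atomically.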