From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Xiao Ni , Shaohua Li , Sasha Levin Subject: [PATCH AUTOSEL 4.9 11/23] RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 Date: Mon, 24 Sep 2018 14:49:29 +0000 Message-ID: <20180924144919.164617-11-alexander.levin@microsoft.com> References: <20180924144919.164617-1-alexander.levin@microsoft.com> In-Reply-To: <20180924144919.164617-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: From: Xiao Ni [ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ] In raid10 reshape_request it gets max_sectors in read_balance. If the under= layer disks have bad blocks, the max_sectors is less than last. It will call goto read_= more many times. It calls raise_barrier(conf, sectors_done !=3D 0) every time. In thi= s condition sectors_done is not 0. So the value passed to the argument force of raise_b= arrier is true. In raise_barrier it checks conf->barrier when force is true. If force is tr= ue and conf->barrier is 0, it panic. In this case reshape_request submits bio to u= nder layer disks. And in the callback function of the bio it calls lower_barrier. If t= he bio finishes before calling raise_barrier again, it can trigger the BUG_ON. Add one pair of raise_barrier/lower_barrier to fix this bug. Signed-off-by: Xiao Ni Suggested-by: Neil Brown Signed-off-by: Shaohua Li Signed-off-by: Sasha Levin --- drivers/md/raid10.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index 6da66c3acd46..b3046063402c 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -4381,11 +4381,12 @@ static sector_t reshape_request(struct mddev *mddev= , sector_t sector_nr, allow_barrier(conf); } =20 + raise_barrier(conf, 0); read_more: /* Now schedule reads for blocks from sector_nr to last */ r10_bio =3D mempool_alloc(conf->r10buf_pool, GFP_NOIO); r10_bio->state =3D 0; - raise_barrier(conf, sectors_done !=3D 0); + raise_barrier(conf, 1); atomic_set(&r10_bio->remaining, 0); r10_bio->mddev =3D mddev; r10_bio->sector =3D sector_nr; @@ -4492,6 +4493,8 @@ static sector_t reshape_request(struct mddev *mddev, = sector_t sector_nr, if (sector_nr <=3D last) goto read_more; =20 + lower_barrier(conf); + /* Now that we have done the whole section we can * update reshape_progress */ --=20 2.17.1