Blame SOURCES/0034-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch

From 548e9b916f86c06e2cdb50d8f49633f9bec66c7e Mon Sep 17 00:00:00 2001
From: Logan Gunthorpe <logang@deltatee.com>
Date: Wed, 22 Jun 2022 14:25:09 -0600
Subject: [PATCH 34/52] mdadm/Grow: Fix use after close bug by closing after
 fork

The test 07reshape-grow fails most of the time. But it succeeds around
1 in 5 times. When it does succeed, it causes the tests to die because
mdadm has segfaulted.

The segfault was caused by mdadm attempting to reopen a file
descriptor that was already closed. The backtrace of the segfault
was:

  #0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
  #1  0x000056146e31d44b in devnm2devid (devnm=0x0) at util.c:956
  #2  0x000056146e31dab4 in open_dev_flags (devnm=0x0, flags=0)
                         at util.c:1072
  #3  0x000056146e31db22 in open_dev (devnm=0x0) at util.c:1079
  #4  0x000056146e3202e8 in reopen_mddev (mdfd=4) at util.c:2244
  #5  0x000056146e329f36 in start_array (mdfd=4,
              mddev=0x7ffc55342450 "/dev/md0", content=0x7ffc55342860,
              st=0x56146fc78660, ident=0x7ffc55342f70, best=0x56146fc6f5d0,
              bestcnt=10, chosen_drive=0, devices=0x56146fc706b0, okcnt=5,
	      sparecnt=0,  rebuilding_cnt=0, journalcnt=0, c=0x7ffc55342e90,
	      clean=1,  avail=0x56146fc78720 "\001\001\001\001\001",
	      start_partial_ok=0, err_ok=0, was_forced=0)
	                  at Assemble.c:1206
  #6  0x000056146e32c36e in Assemble (st=0x56146fc78660,
               mddev=0x7ffc55342450 "/dev/md0", ident=0x7ffc55342f70,
	       devlist=0x56146fc6e2d0, c=0x7ffc55342e90)
	                 at Assemble.c:1914
  #7  0x000056146e312ac9 in main (argc=11, argv=0x7ffc55343238)
                         at mdadm.c:1510

The file descriptor was closed early in Grow_continue(). The noted commit
moved the close() call to close the fd above the fork which caused the
parent process to return with a closed fd.

This meant reshape_array() and Grow_continue() would return in the parent
with the fd forked. The fd would eventually be passed to reopen_mddev()
which returned an unhandled NULL from fd2devnm() which would then be
dereferenced in devnm2devid.

Fix this by moving the close() call below the fork. This appears to
fix the 07revert-grow test. While we're at it, switch to using
close_fd() to invalidate the file descriptor.

Fixes: 77b72fa82813 ("mdadm/Grow: prevent md's fd from being occupied during delayed time")
Cc: Alex Wu <alexwu@synology.com>
Cc: BingJing Chang <bingjingc@synology.com>
Cc: Danny Shih <dannyshih@synology.com>
Cc: ChangSyun Peng <allenpeng@synology.com>
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
---
 Grow.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Grow.c b/Grow.c
index 8c520d42..97f22c75 100644
--- a/Grow.c
+++ b/Grow.c
@@ -3514,7 +3514,6 @@ started:
 			return 0;
 		}
 
-	close(fd);
 	/* Now we just need to kick off the reshape and watch, while
 	 * handling backups of the data...
 	 * This is all done by a forked background process.
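Review bot: dropping `close(fd);` ahead of the comment that introduces the forked background process leaves the descriptor open across the fork, which is the situation the commit named in Fixes: (77b72fa82813, "prevent md's fd from being occupied during delayed time") set out to avoid. The commit message should say why holding the fd until the new close point does not bring that problem back.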
@@ -3535,6 +3534,9 @@ started:
 		break;
 	}
 
+	/* Close unused file descriptor in the forked process */
+	close_fd(&fd;;
+
 	/* If another array on the same devices is busy, the
 	 * reshape will wait for them.  This would mean that
 	 * the first section that we suspend will stay suspended
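Review bot: the added line `close_fd(&fd;;` is not valid C as shown (unbalanced parenthesis, doubled semicolon); the call the commit message describes would be `close_fd(&fd);`, so check that the stored patch was not mangled. The comment above it says the close happens in the forked process, but the call sits after the closing brace of the block that ends in `break;`, so the comment should say which side of the fork falls through to this line.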
-- 
2.31.1
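
The ordering problem the commit message describes, as an added C example that is not part of the patch or of mdadm: closing the descriptor above the fork leaves the parent holding a dead fd, while closing it only in the child does not. The names `close_and_invalidate`, `fd_is_open` and `parent_fd_usable_after_fork` are hypothetical, and `/dev/null` stands in for the md device.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the close_fd() helper the patch switches to:
 * close, then set the caller's copy to -1 so later use is detectable. */
static void close_and_invalidate(int *fd)
{
	if (*fd >= 0 && close(*fd) == 0)
		*fd = -1;
}

/* 1 if fd still refers to an open file, 0 otherwise. */
static int fd_is_open(int fd)
{
	return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Fork a worker and report whether the parent's fd survives.
 * close_before_fork=1: the ordering the commit message blames; the parent
 * returns holding a number that no longer names an open file.
 * close_before_fork=0: the fixed ordering; only the child closes.
 * Returns 1 (usable), 0 (dead) or -1 (open or fork failed). */
static int parent_fd_usable_after_fork(int close_before_fork)
{
	int fd = open("/dev/null", O_RDONLY); /* constructed stand-in for the md device */
	int usable;
	pid_t pid;

	if (fd < 0)
		return -1;
	if (close_before_fork)
		close(fd); /* fd keeps its old value but is now dead */
	pid = fork();
	if (pid == 0) {
		if (!close_before_fork)
			close_and_invalidate(&fd); /* child drops its own copy */
		_exit(0);
	}
	if (pid > 0)
		waitpid(pid, NULL, 0);
	usable = pid < 0 ? -1 : fd_is_open(fd);
	close_and_invalidate(&fd); /* fails harmlessly with EBADF if already dead */
	return usable;
}

int main(void)
{
	return !(parent_fd_usable_after_fork(1) == 0 && parent_fd_usable_after_fork(0) == 1);
}
```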