Blame SOURCES/0034-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch

fdf7c0
From 548e9b916f86c06e2cdb50d8f49633f9bec66c7e Mon Sep 17 00:00:00 2001
From: Logan Gunthorpe <logang@deltatee.com>
Date: Wed, 22 Jun 2022 14:25:09 -0600
Subject: [PATCH 34/52] mdadm/Grow: Fix use after close bug by closing after
 fork

The test 07reshape-grow fails most of the time. But it succeeds around
1 in 5 times. When it does succeed, it causes the tests to die because
mdadm has segfaulted.

The segfault was caused by mdadm attempting to reopen a file
descriptor that was already closed. The backtrace of the segfault
was:

  #0  __strncmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
  #1  0x000056146e31d44b in devnm2devid (devnm=0x0) at util.c:956
  #2  0x000056146e31dab4 in open_dev_flags (devnm=0x0, flags=0)
                         at util.c:1072
  #3  0x000056146e31db22 in open_dev (devnm=0x0) at util.c:1079
  #4  0x000056146e3202e8 in reopen_mddev (mdfd=4) at util.c:2244
  #5  0x000056146e329f36 in start_array (mdfd=4,
              mddev=0x7ffc55342450 "/dev/md0", content=0x7ffc55342860,
              st=0x56146fc78660, ident=0x7ffc55342f70, best=0x56146fc6f5d0,
              bestcnt=10, chosen_drive=0, devices=0x56146fc706b0, okcnt=5,
              sparecnt=0,  rebuilding_cnt=0, journalcnt=0, c=0x7ffc55342e90,
              clean=1,  avail=0x56146fc78720 "\001\001\001\001\001",
              start_partial_ok=0, err_ok=0, was_forced=0)
                          at Assemble.c:1206
  #6  0x000056146e32c36e in Assemble (st=0x56146fc78660,
               mddev=0x7ffc55342450 "/dev/md0", ident=0x7ffc55342f70,
               devlist=0x56146fc6e2d0, c=0x7ffc55342e90)
                         at Assemble.c:1914
  #7  0x000056146e312ac9 in main (argc=11, argv=0x7ffc55343238)
                         at mdadm.c:1510

The file descriptor was closed early in Grow_continue(). The noted commit
moved the close() call to close the fd above the fork which caused the
parent process to return with a closed fd.

This meant reshape_array() and Grow_continue() would return in the parent
with the fd forked. The fd would eventually be passed to reopen_mddev()
which returned an unhandled NULL from fd2devnm() which would then be
dereferenced in devnm2devid.

Fix this by moving the close() call below the fork. This appears to
fix the 07revert-grow test. While we're at it, switch to using
close_fd() to invalidate the file descriptor.

Fixes: 77b72fa82813 ("mdadm/Grow: prevent md's fd from being occupied during delayed time")
Cc: Alex Wu <alexwu@synology.com>
Cc: BingJing Chang <bingjingc@synology.com>
Cc: Danny Shih <dannyshih@synology.com>
Cc: ChangSyun Peng <allenpeng@synology.com>
Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
---
 Grow.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Grow.c b/Grow.c
index 8c520d42..97f22c75 100644
--- a/Grow.c
+++ b/Grow.c
@@ -3514,7 +3514,6 @@ started:
 			return 0;
 		}
 
-	close(fd);
 	/* Now we just need to kick off the reshape and watch, while
 	 * handling backups of the data...
 	 * This is all done by a forked background process.
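Review bot: removing the close() here is what keeps the parent's fd valid when reshape_array()/Grow_continue() return to start_array() and reopen_mddev(), as the commit message describes, but the parent's branch of the switch that follows this comment is outside the visible context; confirm that the only way past that switch is the child (or already-forked) path, because any other path reaching the later close would reintroduce the same stale-descriptor return, just one level lower.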
@@ -3535,6 +3534,9 @@ started:
 		break;
 	}
 
+	/* Close unused file descriptor in the forked process */
+	close_fd(&fd;;
+
 	/* If another array on the same devices is busy, the
 	 * reshape will wait for them.  This would mean that
 	 * the first section that we suspend will stay suspended
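Review bot: as rendered here the added line reads `close_fd(&fd;;`, which is not valid C (unbalanced parentheses); the intended call, matching the commit message's "switch to using close_fd() to invalidate the file descriptor", is evidently `close_fd(&fd);`, so verify the applied patch rather than this rendering. The comment "Close unused file descriptor in the forked process" is true only because the parent has already returned inside the switch that ends just above (`break;` / `}`); since the whole fix is that this close must sit below the fork, it would be worth saying so in the comment (e.g. "parent has returned above; only the child reaches this point") so a future cleanup does not hoist it again.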
-- 
2.31.1
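The failure mode the commit message describes, a close() hoisted above fork() so that the parent returns a descriptor number it no longer owns, can be reproduced outside mdadm. What follows is an added stand-alone C example, not code from mdadm or from this patch: close_fd() is a hypothetical stand-in modelled on the commit message's description of the helper (close, then overwrite the variable with -1), reshape_model() is a hypothetical function that mirrors the close-before-fork versus close-in-child ordering, and pipes stand in for the open md device. It goes one step beyond the crash in the backtrace: after the stale close, the next open in the parent (a second pipe here) usually recycles the same descriptor number, so the "closed" fd silently refers to a different object instead of failing with EBADF.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for mdadm's close_fd(): close the descriptor and
 * overwrite the variable with -1 so any later use fails with EBADF instead
 * of touching whatever descriptor number the kernel hands out next. */
static void close_fd(int *fd)
{
	if (*fd >= 0) {
		close(*fd);
		*fd = -1;
	}
}

/* Outcomes of reshape_model(), as seen by the parent after the fork. */
enum {
	FD_ERROR   = -1,	/* setup failed */
	FD_CLOSED  =  0,	/* parent got back a closed descriptor (EBADF) */
	FD_OK      =  1,	/* descriptor still refers to the original object */
	FD_ALIASED =  2		/* number was recycled: refers to something else */
};

/* Hypothetical model of the fork in Grow.c. A pipe stands in for the open
 * md device. With close_before_fork set, close() sits above fork() as in
 * the pre-fix code; otherwise only the child closes its copy via close_fd().
 * Returns what the parent can still do with fd afterwards. */
static int reshape_model(int close_before_fork)
{
	int p[2], q[2], fd, rc;
	struct stat before, after;
	pid_t pid;

	if (pipe(p) < 0)
		return FD_ERROR;
	fd = p[0];
	if (fstat(fd, &before) < 0)
		return FD_ERROR;

	if (close_before_fork)
		close(fd);		/* bug: parent will return a stale number */

	pid = fork();
	if (pid < 0)
		return FD_ERROR;
	if (pid == 0) {
		/* child: the background reshape work would run here */
		if (!close_before_fork)
			close_fd(&fd);	/* fix: child drops the copy it does not need */
		_exit(0);
	}
	waitpid(pid, NULL, 0);

	/* Parent carries on (in mdadm, towards reopen_mddev()). Opening anything
	 * else now, modelled by a second pipe, reuses the lowest free descriptor
	 * number, which is exactly the stale one if it was closed above. */
	if (pipe(q) < 0)
		return FD_ERROR;

	if (fstat(fd, &after) < 0)
		rc = (errno == EBADF) ? FD_CLOSED : FD_ERROR;
	else if (after.st_dev == before.st_dev && after.st_ino == before.st_ino)
		rc = FD_OK;
	else
		rc = FD_ALIASED;

	close(q[0]);
	close(q[1]);
	close(p[1]);
	if (rc == FD_OK)
		close(fd);
	return rc;
}

/* Shows what close_fd() buys over plain close(): the variable can no longer
 * be passed on by mistake. Returns 1 if the descriptor was invalidated. */
static int close_fd_invalidates(void)
{
	int t[2];
	struct stat st;

	if (pipe(t) < 0)
		return 0;
	close_fd(&t[0]);
	close(t[1]);
	return t[0] == -1 && fstat(t[0], &st) < 0 && errno == EBADF;
}

int main(void)
{
	printf("close after fork (fixed): %d\n", reshape_model(0));
	printf("close before fork (bug):  %d\n", reshape_model(1));
	printf("close_fd() invalidates:   %d\n", close_fd_invalidates());
	return 0;
}
```

The fixed ordering returns FD_OK: the parent still holds the original object. The pre-fix ordering never does; on a normal process it returns FD_ALIASED, which is the quieter and more dangerous outcome than the NULL dereference in the backtrace, because the stale number now names some unrelated file and every later read, write or ioctl lands there. close_fd() removes that class of mistake by making the variable itself unusable.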