Commit 454706f1 authored by Jens Axboe's avatar Jens Axboe
Browse files

Merge tag 'md-6.16-20250705' of... 

Merge tag 'md-6.16-20250705' of gitolite.kernel.org:pub/scm/linux/kernel/git/mdraid/linux into block-6.16

Pull MD fixes from Yu:

" - fix uaf due to stack memory used for bio mempool, from Jinchao
  - fix raid10/raid1 nowait IO error path, from Nigel and Qixing
  - fix kernel crash from reading bitmap sysfs entry, by Håkon"

* tag 'md-6.16-20250705' of gitolite.kernel.org:pub/scm/linux/kernel/git/mdraid/linux:
  md/md-bitmap: fix GPF in bitmap_get_stats()
  md/raid1,raid10: strip REQ_NOWAIT from member bios
  raid10: cleanup memleak at raid10_make_request
  md/raid1: Fix stack memory use after return in raid1_reshape
parents 75ef7b8d c17fb542

drivers/md/md-bitmap.c

+1 −2
Original line number Diff line number Diff line
@@ -2366,8 +2366,7 @@ static int bitmap_get_stats(void *data, struct md_bitmap_stats *stats) 


	if (!bitmap)

		return -ENOENT;

	if (!bitmap->mddev->bitmap_info.external &&

	    !bitmap->storage.sb_page)

	if (!bitmap->storage.sb_page)

		return -EINVAL;

	sb = kmap_local_page(bitmap->storage.sb_page);

	stats->sync_size = le64_to_cpu(sb->sync_size);

drivers/md/raid1.c

+3 −1
Original line number Diff line number Diff line
@@ -1399,7 +1399,7 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, 
	}

	read_bio = bio_alloc_clone(mirror->rdev->bdev, bio, gfp,

				   &mddev->bio_set);



	read_bio->bi_opf &= ~REQ_NOWAIT;

	r1_bio->bios[rdisk] = read_bio;



	read_bio->bi_iter.bi_sector = r1_bio->sector +
@@ -1649,6 +1649,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, 
				wait_for_serialization(rdev, r1_bio);

		}



		mbio->bi_opf &= ~REQ_NOWAIT;

		r1_bio->bios[i] = mbio;



		mbio->bi_iter.bi_sector	= (r1_bio->sector + rdev->data_offset);
@@ -3428,6 +3429,7 @@ static int raid1_reshape(struct mddev *mddev) 
	/* ok, everything is stopped */

	oldpool = conf->r1bio_pool;

	conf->r1bio_pool = newpool;

	init_waitqueue_head(&conf->r1bio_pool.wait);



	for (d = d2 = 0; d < conf->raid_disks; d++) {

		struct md_rdev *rdev = conf->mirrors[d].rdev;

drivers/md/raid10.c

+10 −2
Original line number Diff line number Diff line
@@ -1182,8 +1182,11 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, 
		}

	}



	if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors))

	if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) {

		raid_end_bio_io(r10_bio);

		return;

	}



	rdev = read_balance(conf, r10_bio, &max_sectors);

	if (!rdev) {

		if (err_rdev) {
@@ -1221,6 +1224,7 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, 
		r10_bio->master_bio = bio;

	}

	read_bio = bio_alloc_clone(rdev->bdev, bio, gfp, &mddev->bio_set);

	read_bio->bi_opf &= ~REQ_NOWAIT;



	r10_bio->devs[slot].bio = read_bio;

	r10_bio->devs[slot].rdev = rdev;
@@ -1256,6 +1260,7 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, 
			     conf->mirrors[devnum].rdev;



	mbio = bio_alloc_clone(rdev->bdev, bio, GFP_NOIO, &mddev->bio_set);

	mbio->bi_opf &= ~REQ_NOWAIT;

	if (replacement)

		r10_bio->devs[n_copy].repl_bio = mbio;

	else
@@ -1370,8 +1375,11 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, 
	}



	sectors = r10_bio->sectors;

	if (!regular_request_wait(mddev, conf, bio, sectors))

	if (!regular_request_wait(mddev, conf, bio, sectors)) {

		raid_end_bio_io(r10_bio);

		return;

	}



	if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) &&

	    (mddev->reshape_backwards

	     ? (bio->bi_iter.bi_sector < conf->reshape_safe &&