From e2bea3e2101782f9946d54014a0c6ed66815417b Mon Sep 17 00:00:00 2001 From: Jes Sorensen Date: Thu, 23 Feb 2012 11:19:49 +0100 Subject: [PATCH] Fix a double free and a segfault bug Fix double free on buggy old kernel sysfs read Fix segfault if trying to write superblock to non existing device Resolves: bz795707 (f17) bz795747 (f16) bz795748 (f15) Resolves: bz795461 (f17) bz795749 (f16) bz795750 (f15) Signed-off-by: Jes Sorensen
---
 ...age-if-failing-to-write-super-for-1..patch | 94 +++++++++++++++++++ ...e-upon-old-buggy-kernel-sysfs_read-f.patch | 31 ++++++ mdadm.spec | 12 ++- 3 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch create mode 100644 mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
diff --git a/mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch b/mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch
new file mode 100644
index 0000000..b3aaa11
--- /dev/null
+++ b/mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch
@@ -0,0 +1,94 @@
+From 4011421332681ba733a2fc90de7ac94da8593418 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen
+Date: Thu, 23 Feb 2012 08:55:19 +1100
+Subject: [PATCH 2/2] Print error message if failing to write super for 1.x
+ metadata
+
+In addition remove attempt to print an error message if
+write_init_super() fails, as this is handled in the various
+write_init_super() functions. This avoids a segfault on error.
+
+Reported by Jim Meyering in
+https://bugzilla.redhat.com/show_bug.cgi?id=795461
+
+Signed-off-by: Jes Sorensen
+Signed-off-by: NeilBrown
+---
+ Create.c | 3 ---
+ super1.c | 25 ++++++++++++++++---------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/Create.c b/Create.c
+index 90ff3ed..e5c6b05 100644
+--- a/Create.c
++++ b/Create.c
+@@ -924,9 +924,6 @@ int Create(struct supertype *st, char *mddev,
+ }
+
+ if (st->ss->write_init_super(st)) {
+- fprintf(stderr,
+- Name ": Failed to write metadata to %s\n",
+- dv->devname);
+ st->ss->free_super(st);
+ goto abort_locked;
+ }
+diff --git a/super1.c b/super1.c
+index a18952a..341ad53 100644
+--- a/super1.c
++++ b/super1.c
+@@ -1106,13 +1106,16 @@ static int write_init_super1(struct supertype *st)
+ }
+ free(refst);
+
+- if (!get_dev_size(di->fd, NULL, &dsize))
+- return 1;
++ if (!get_dev_size(di->fd, NULL, &dsize)) {
++ rv = 1;
++ goto error_out;
++ }
+ dsize >>= 9;
+
+ if (dsize < 24) {
+ close(di->fd);
+- return 2;
++ rv = 2;
++ goto error_out;
+ }
+
+
+@@ -1176,22 +1179,26 @@ static int write_init_super1(struct supertype *st)
+ sb->data_size = __cpu_to_le64(dsize - reserved);
+ break;
+ default:
+- return -EINVAL;
++ fprintf(stderr, Name ": Failed to write invalid "
++ "metadata format 1.%i to %s\n",
++ st->minor_version, di->devname);
++ rv = -EINVAL;
++ goto out;
+ }
+
+
+ sb->sb_csum = calc_sb_1_csum(sb);
+ rv = store_super1(st, di->fd);
+- if (rv)
+- fprintf(stderr,
+- Name ": failed to write superblock to %s\n",
+- di->devname);
+-
+ if (rv == 0 && (__le32_to_cpu(sb->feature_map) & 1))
+ rv = st->ss->write_bitmap(st, di->fd);
+ close(di->fd);
+ di->fd = -1;
+ }
++error_out:
++ if (rv)
++ fprintf(stderr, Name ": Failed to write metadata to %s\n",
++ di->devname);
++out:
+ return rv;
+ }
+ #endif
+--
+1.7.7.6
+
diff --git a/mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch b/mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
new file mode 100644
index 0000000..4d4a52c
--- /dev/null
+++ b/mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
@@ -0,0 +1,31 @@
+From 9200d418d049aff77b3d0ad8f30f1a16adc56030 Mon Sep 17 00:00:00 2001
+From: Jim Meyering
+Date: Tue, 21 Feb 2012 13:02:22 +0100
+Subject: [PATCH 1/2] avoid double-free upon "old buggy kernel" sysfs_read
+ failure
+
+* Incremental.c (Incremental): On sysfs_read failure, don't call
+sysfs_free(sra) just before "goto out_unlock", since that very
+same "sra" is freed the same way by the clean-up code below.
+
+Signed-off-by: Jim Meyering
+Signed-off-by: NeilBrown
+---
+ Incremental.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/Incremental.c b/Incremental.c
+index b457bf3..836a6f1 100644
+--- a/Incremental.c
++++ b/Incremental.c
+@@ -325,7 +325,6 @@ int Incremental(char *devname, int verbose, int runstop,
+ fprintf(stderr, Name
+ ": You have an old buggy kernel which cannot support\n"
+ " --incremental reliably. Aborting.\n");
+- sysfs_free(sra);
+ rv = 2;
+ goto out_unlock;
+ }
+--
+1.7.7.6
+
diff --git a/mdadm.spec b/mdadm.spec
index 3949489..9f9f966 100644
--- a/mdadm.spec
+++ b/mdadm.spec
@@ -1,7 +1,7 @@
 Summary: The mdadm program controls Linux md devices (software RAID arrays)
 Name: mdadm
 Version: 3.2.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source: http://www.kernel.org/pub/linux/utils/raid/mdadm/mdadm-%{version}.tar.bz2
 Source1: mdmonitor.init
 Source2: raid-check
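Review bot: In the super1.c part of the added Print-error-message patch, the new `error_out:` label in `write_init_super1()` prints `di->devname` after the closing brace of what appears to be the per-device loop, and a `store_super1()` or `write_bitmap()` failure reaches it by falling out of that loop rather than by `goto`. The loop header is outside the hunk, but if it advances `di` to `di->next` before re-testing `rv`, the message names the wrong device, or dereferences NULL when the failing device was the last one, which would be a crash on the very error path this commit sets out to fix. Adding `if (rv) goto error_out;` immediately after `di->fd = -1;` inside the loop would keep `di` pointing at the device that failed. Separately, the `get_dev_size()` failure and `default:` exits leave `di->fd` open while the `dsize < 24` exit closes it without resetting `di->fd = -1`, so any later cleanup that closes `di->fd` could act on a stale descriptor; the three exits should handle the descriptor the same way.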
@@ -19,6 +19,8 @@ Patch5: mdadm-3.2.3-Add-offroot-argument-to-mdadm.patch Patch6: mdadm-3.2.3-Add-offroot-argument-to-mdmon.patch Patch7: mdadm-3.2.3-Spawn-mdmon-with-offroot-if-mdadm-was-launched-with-.patch Patch8: mdadm-3.2.3-super1-make-aread-awrite-always-use-an-aligned-buffe.patch +Patch9: mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch +Patch10: mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch Patch19: mdadm-3.2.3-udev.patch Patch20: mdadm-2.5.2-static.patch URL: http://www.kernel.org/pub/linux/utils/raid/mdadm/ @@ -61,6 +63,8 @@ is not used as the system init process. %patch6 -p1 -b .offroot-mdmon %patch7 -p1 -b .offroot-spawn %patch8 -p1 -b .bitmap +%patch9 -p1 -b .double +%patch10 -p1 -b .print %patch19 -p1 -b .udev %patch20 -p1 -b .static @@ -135,6 +139,12 @@ fi %{_initrddir}/* %changelog +* Thu Feb 23 2012 Jes Sorensen - 3.2.3-6 +- Fix double free on buggy old kernel sysfs read +- Fix segfault if trying to write superblock to non existing device +- Resolves: bz795707 (f17) bz795747 (f16) bz795748 (f15) +- Resolves: bz795461 (f17) bz795749 (f16) bz795750 (f15) + * Thu Feb 16 2012 Jes Sorensen - 3.2.3-5 - Fix issue with devices failing to be added to a raid using bitmaps, due to trying to write the bitmap with mis-aligned buffers using