Fix a double free and a segfault bug

Fix double free on buggy old kernel sysfs read Fix segfault if trying to write superblock to non existing device Resolves: bz795707 (f17) bz795747 (f16) bz795748 (f15) Resolves: bz795461 (f17) bz795749 (f16) bz795750 (f15) Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
2012-02-23 11:19:49 +01:00 · 2012-02-23 11:19:49 +01:00 · e2bea3e210
commit e2bea3e210
parent 15adacde4b
3 changed files with 136 additions and 1 deletions
--- a/mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch
+++ b/mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch
@ -0,0 +1,94 @@
+From 4011421332681ba733a2fc90de7ac94da8593418 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Thu, 23 Feb 2012 08:55:19 +1100
+Subject: [PATCH 2/2] Print error message if failing to write super for 1.x
+ metadata
+
+In addition remove attempt to print an error message if
+write_init_super() fails, as this is handled in the various
+write_init_super() functions. This avoids a segfault on error.
+
+Reported by Jim Meyering in
+https://bugzilla.redhat.com/show_bug.cgi?id=795461
+
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+---
+ Create.c |    3 ---
+ super1.c |   25 ++++++++++++++++---------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/Create.c b/Create.c
+index 90ff3ed..e5c6b05 100644
+--- a/Create.c
+++ b/Create.c
+@@ -924,9 +924,6 @@ int Create(struct supertype *st, char *mddev,
+ 			}
+ 
+ 			if (st->ss->write_init_super(st)) {
+-				fprintf(stderr,
+-					Name ": Failed to write metadata to %s\n",
+-					dv->devname);
+ 				st->ss->free_super(st);
+ 				goto abort_locked;
+ 			}
+diff --git a/super1.c b/super1.c
+index a18952a..341ad53 100644
+--- a/super1.c
+++ b/super1.c
+@@ -1106,13 +1106,16 @@ static int write_init_super1(struct supertype *st)
+ 		}
+ 		free(refst);
+ 
+-		if (!get_dev_size(di->fd, NULL, &dsize))
+-			return 1;
+		if (!get_dev_size(di->fd, NULL, &dsize)) {
+			rv = 1;
+			goto error_out;
+		}
+ 		dsize >>= 9;
+ 
+ 		if (dsize < 24) {
+ 			close(di->fd);
+-			return 2;
+			rv = 2;
+			goto error_out;
+ 		}
+ 
+ 
+@@ -1176,22 +1179,26 @@ static int write_init_super1(struct supertype *st)
+ 			sb->data_size = __cpu_to_le64(dsize - reserved);
+ 			break;
+ 		default:
+-			return -EINVAL;
+			fprintf(stderr,	Name ": Failed to write invalid "
+				"metadata format 1.%i to %s\n",
+				st->minor_version, di->devname);
+			rv = -EINVAL;
+			goto out;
+ 		}
+ 
+ 
+ 		sb->sb_csum = calc_sb_1_csum(sb);
+ 		rv = store_super1(st, di->fd);
+-		if (rv)
+-			fprintf(stderr,
+-				Name ": failed to write superblock to %s\n",
+-				di->devname);
+-
+ 		if (rv == 0 && (__le32_to_cpu(sb->feature_map) & 1))
+ 			rv = st->ss->write_bitmap(st, di->fd);
+ 		close(di->fd);
+ 		di->fd = -1;
+ 	}
+error_out:
+	if (rv)
+		fprintf(stderr,	Name ": Failed to write metadata to %s\n",
+			di->devname);
+out:
+ 	return rv;
+ }
+ #endif
+-- 
+1.7.7.6
+
--- a/mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
+++ b/mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
@ -0,0 +1,31 @@
+From 9200d418d049aff77b3d0ad8f30f1a16adc56030 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <jim@meyering.net>
+Date: Tue, 21 Feb 2012 13:02:22 +0100
+Subject: [PATCH 1/2] avoid double-free upon "old buggy kernel" sysfs_read
+ failure
+
+* Incremental.c (Incremental): On sysfs_read failure, don't call
+sysfs_free(sra) just before "goto out_unlock", since that very
+same "sra" is freed the same way by the clean-up code below.
+
+Signed-off-by: Jim Meyering <meyering@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+---
+ Incremental.c |    1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/Incremental.c b/Incremental.c
+index b457bf3..836a6f1 100644
+--- a/Incremental.c
+++ b/Incremental.c
+@@ -325,7 +325,6 @@ int Incremental(char *devname, int verbose, int runstop,
+ 			fprintf(stderr, Name
+ 		      ": You have an old buggy kernel which cannot support\n"
+ 				"      --incremental reliably.  Aborting.\n");
+-			sysfs_free(sra);
+ 			rv = 2;
+ 			goto out_unlock;
+ 		}
+-- 
+1.7.7.6
+
--- a/mdadm.spec
+++ b/mdadm.spec
@ -1,7 +1,7 @@
 Summary:     The mdadm program controls Linux md devices (software RAID arrays)
 Name:        mdadm
 Version:     3.2.3
-Release:     5%{?dist}
+Release:     6%{?dist}
 Source:      http://www.kernel.org/pub/linux/utils/raid/mdadm/mdadm-%{version}.tar.bz2
 Source1:     mdmonitor.init
 Source2:     raid-check
@ -19,6 +19,8 @@ Patch5:	     mdadm-3.2.3-Add-offroot-argument-to-mdadm.patch
 Patch6:	     mdadm-3.2.3-Add-offroot-argument-to-mdmon.patch
 Patch7:	     mdadm-3.2.3-Spawn-mdmon-with-offroot-if-mdadm-was-launched-with-.patch
 Patch8:	     mdadm-3.2.3-super1-make-aread-awrite-always-use-an-aligned-buffe.patch
+Patch9:	     mdadm-3.2.3-avoid-double-free-upon-old-buggy-kernel-sysfs_read-f.patch
+Patch10:     mdadm-3.2.3-Print-error-message-if-failing-to-write-super-for-1..patch
 Patch19:     mdadm-3.2.3-udev.patch
 Patch20:     mdadm-2.5.2-static.patch
 URL:         http://www.kernel.org/pub/linux/utils/raid/mdadm/
@ -61,6 +63,8 @@ is not used as the system init process.
 %patch6 -p1 -b .offroot-mdmon
 %patch7 -p1 -b .offroot-spawn
 %patch8 -p1 -b .bitmap
+%patch9 -p1 -b .double
+%patch10 -p1 -b .print
 %patch19 -p1 -b .udev
 %patch20 -p1 -b .static

@ -135,6 +139,12 @@ fi
 %{_initrddir}/*

 %changelog
+* Thu Feb 23 2012 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.3-6
+- Fix double free on buggy old kernel sysfs read
+- Fix segfault if trying to write superblock to non existing device
+- Resolves: bz795707 (f17) bz795747 (f16) bz795748 (f15)
+- Resolves: bz795461 (f17) bz795749 (f16) bz795750 (f15)
+
 * Thu Feb 16 2012 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.3-5
 - Fix issue with devices failing to be added to a raid using bitmaps,
  due to trying to write the bitmap with mis-aligned buffers using