Commit a3ebeed7 authored Jun 03, 2023 by Li Nan Committed by Jialin Zhang Jun 03, 2023

md/raid10: remove WANR_ON_ONCE in raid10_end_write_request

hulk inclusion
category: bugfix
bugzilla: 188605, https://gitee.com/openeuler/kernel/issues/I6GOYF


CVE: NA

--------------------------------

It might read mirror.redev first and then mirror->replacement because of
memory reordering in raid10_end_write_request(), WARN_ON occurs if we
remove disk at the same time.

  T1 remove			T2 io end
  raid10_remove_disk		raid10_end_write_request
   p->rdev = NULL
				 read rdev -> NULL
   smp_mb
   p->replacement = NULL
				 read replacement -> NULL

It is meaningless to compare rdev with mirror->rdev after we get it from
r10_bio in raid10_end_write_request(). Remove this WANR_ON_ONCE.

Fixes: 2ecf5e6ecbfd ("md/raid10: fix uaf if replacement replaces rdev")
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>

parent af959500

drivers/md/raid10.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -452,8 +452,6 @@ static void raid10_end_write_request(struct bio *bio)
		md_error(rdev->mddev, rdev);
		goto out;
		}
		} else {
		WARN_ON_ONCE(rdev != conf->mirrors[dev].rdev);
		}
		} else {
		rdev = r10_bio->devs[slot].rdev;