Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / 4e6b6ee253ce58aa156d7f1448d1038679b26783^1..4e6b6ee253ce58aa156d7f1448d1038679b26783 / .
commit4e6b6ee253ce58aa156d7f1448d1038679b26783[log] [tgz]
authorLinus Torvalds <torvalds@linux-foundation.org>Wed Aug 05 11:02:42 2015 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>Wed Aug 05 11:02:42 2015 +0200
tree21347b52110762d3f01fcc20be0c9fa28fd3d8f8
parent9e91edcd1b8b7f12c6484a0b17fb45774354e0b6 [diff]
parent49895bcc7e566ba455eb2996607d6fbd3447ce16 [diff]
Merge tag 'md/4.2-rc5-fixes' of git://neil.brown.name/md

Pull md fixes from Neil Brown:
 "Three more fixes for md in 4.2

  Mostly corner-case stuff.

  One of these patches is for a CVE: CVE-2015-5697

  I'm not convinced it is serious (data leak from CAP_SYS_ADMIN ioctl)
  but as people seem to want to back-port it, I've included a minimal
  version here.  The remainder of that patch from Benjamin is
  code-cleanup and will arrive in the 4.3 merge window"

* tag 'md/4.2-rc5-fixes' of git://neil.brown.name/md:
  md/raid5: don't let shrink_slab shrink too far.
  md: use kzalloc() when bitmap is disabled
  md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0c2a4e8..e25f00f 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c

@@ -5759,7 +5759,7 @@
 	char *ptr;
 	int err;
 
-	file = kmalloc(sizeof(*file), GFP_NOIO);
+	file = kzalloc(sizeof(*file), GFP_NOIO);
 	if (!file)
 		return -ENOMEM;
 

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index 94f5b55..967a4ed 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c

@@ -1476,6 +1476,7 @@
 {
 	char b[BDEVNAME_SIZE];
 	struct r1conf *conf = mddev->private;
+	unsigned long flags;
 
 	/*
 	 * If it is not operational, then we have already marked it as dead
@@ -1495,14 +1496,13 @@
 		return;
 	}
 	set_bit(Blocked, &rdev->flags);
+	spin_lock_irqsave(&conf->device_lock, flags);
 	if (test_and_clear_bit(In_sync, &rdev->flags)) {
-		unsigned long flags;
-		spin_lock_irqsave(&conf->device_lock, flags);
 		mddev->degraded++;
 		set_bit(Faulty, &rdev->flags);
-		spin_unlock_irqrestore(&conf->device_lock, flags);
 	} else
 		set_bit(Faulty, &rdev->flags);
+	spin_unlock_irqrestore(&conf->device_lock, flags);
 	/*
 	 * if recovery is running, make sure it aborts.
 	 */
@@ -1568,7 +1568,10 @@
 	 * Find all failed disks within the RAID1 configuration
 	 * and mark them readable.
 	 * Called under mddev lock, so rcu protection not needed.
+	 * device_lock used to avoid races with raid1_end_read_request
+	 * which expects 'In_sync' flags and ->degraded to be consistent.
 	 */
+	spin_lock_irqsave(&conf->device_lock, flags);
 	for (i = 0; i < conf->raid_disks; i++) {
 		struct md_rdev *rdev = conf->mirrors[i].rdev;
 		struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
@@ -1599,7 +1602,6 @@
 			sysfs_notify_dirent_safe(rdev->sysfs_state);
 		}
 	}
-	spin_lock_irqsave(&conf->device_lock, flags);
 	mddev->degraded -= count;
 	spin_unlock_irqrestore(&conf->device_lock, flags);
 

diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 643d217..f757023 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c

@@ -2256,7 +2256,7 @@
 static int drop_one_stripe(struct r5conf *conf)
 {
 	struct stripe_head *sh;
-	int hash = (conf->max_nr_stripes - 1) % NR_STRIPE_HASH_LOCKS;
+	int hash = (conf->max_nr_stripes - 1) & STRIPE_HASH_LOCKS_MASK;
 
 	spin_lock_irq(conf->hash_locks + hash);
 	sh = get_free_stripe(conf, hash);
@@ -6388,7 +6388,8 @@
 
 	if (mutex_trylock(&conf->cache_size_mutex)) {
 		ret= 0;
-		while (ret < sc->nr_to_scan) {
+		while (ret < sc->nr_to_scan &&
+		       conf->max_nr_stripes > conf->min_nr_stripes) {
 			if (drop_one_stripe(conf) == 0) {
 				ret = SHRINK_STOP;
 				break;