6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li islituo@gmail.com
[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ]
The variable mddev->private is first assigned to conf and then checked:
conf = mddev->private; if (!conf) ...
If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce():
raid5_quiesce(mddev, true); raid5_quiesce(mddev, false);
since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example:
conf->quiesce = 0; wake_up(&conf->wait_for_quiescent);
To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy().
Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt") Signed-off-by: Tuo Li islituo@gmail.com Reviewed-by: Xiao Ni xni@redhat.com Reviewed-by: Paul Menzel pmenzel@molgen.mpg.de Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com Signed-off-by: Yu Kuai yukuai@fnnas.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/md/raid5.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index 8e5ccca3b68b..7262b77a8e02 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -7181,12 +7181,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len) err = mddev_suspend_and_lock(mddev); if (err) return err; + conf = mddev->private; + if (!conf) { + mddev_unlock_and_resume(mddev); + return -ENODEV; + } raid5_quiesce(mddev, true);
- conf = mddev->private; - if (!conf) - err = -ENODEV; - else if (new != conf->worker_cnt_per_group) { + if (new != conf->worker_cnt_per_group) { old_groups = conf->worker_groups; if (old_groups) flush_workqueue(raid5_wq);