Commits
Guoqing Jiang committed eb81b328267
raid10: check bio in r10buf_pool_free to void NULL pointer dereference For recovery case, r10buf_pool_alloc only allocates 2 bios, so we can't access more than 2 bios in r10buf_pool_free. Otherwise, we can see NULL pointer dereference as follows: [ 98.347009] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 [ 98.355783] IP: r10buf_pool_free+0x38/0xe0 [raid10] [...] [ 98.543734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 98.550161] CR2: 0000000000000050 CR3: 000000089500a001 CR4: 00000000001606f0 [ 98.558145] Call Trace: [ 98.560881] <IRQ> [ 98.563136] put_buf+0x19/0x20 [raid10] [ 98.567426] end_sync_request+0x6b/0x70 [raid10] [ 98.572591] end_sync_write+0x9b/0x160 [raid10] [ 98.577662] blk_update_request+0x78/0x2c0 [ 98.582254] scsi_end_request+0x2c/0x1e0 [scsi_mod] [ 98.587719] scsi_io_completion+0x22f/0x610 [scsi_mod] [ 98.593472] blk_done_softirq+0x8e/0xc0 [ 98.597767] __do_softirq+0xde/0x2b3 [ 98.601770] irq_exit+0xae/0xb0 [ 98.605285] do_IRQ+0x81/0xd0 [ 98.608606] common_interrupt+0x7d/0x7d [ 98.612898] </IRQ> So we need to check the bio is valid or not before the bio is used in r10buf_pool_free. Another workable way is to free 2 bios for recovery case just like r10buf_pool_alloc. Fixes: f0250618361d ("md: raid10: don't use bio's vec table to manage resync pages") Reported-by: Alexis Castilla <pencerval@gmail.com> Tested-by: Alexis Castilla <pencerval@gmail.com> Signed-off-by: Guoqing Jiang <gqjiang@suse.com> Signed-off-by: Shaohua Li <shli@fb.com>