From: Li Nan linan122@huawei.com
hulk inclusion
category: bugfix
bugzilla: 188605, https://gitee.com/openeuler/kernel/issues/I6GOYF
CVE: NA
--------------------------------
It might read mirror.rdev first and then mirror->replacement because of memory reordering in raid10_end_write_request(), WARN_ON occurs if we remove disk at the same time.
  T1 remove                     T2 io end
  raid10_remove_disk            raid10_end_write_request
   p->rdev = NULL                read rdev -> NULL
   smp_mb
   p->replacement = NULL         read replacement -> NULL
It is meaningless to compare rdev with mirror->rdev after we get it from r10_bio in raid10_end_write_request(). Remove this WARN_ON_ONCE.
Fixes: 2ecf5e6ecbfd ("md/raid10: fix uaf if replacement replaces rdev")
Signed-off-by: Li Nan linan122@huawei.com
Reviewed-by: Hou Tao houtao1@huawei.com
---
 drivers/md/raid10.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index 878e7b07fc48..92cb493a140a 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -452,8 +452,6 @@ static void raid10_end_write_request(struct bio *bio) md_error(rdev->mddev, rdev); goto out; } - } else { - WARN_ON_ONCE(rdev != conf->mirrors[dev].rdev); } } else { rdev = r10_bio->devs[slot].rdev;
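Review bot: the deleted WARN_ON_ONCE(rdev != conf->mirrors[dev].rdev) in the inner else branch of raid10_end_write_request() was a check that tied the rdev in use to the current conf->mirrors[dev] slot, and the commit message only says the comparison is meaningless without stating what keeps that rdev valid while raid10_remove_disk() sets p->rdev to NULL. Please name that guarantee in the commit message, or in a one-line comment where the else branch used to be, so the check is not reintroduced later. The timeline shows smp_mb only on the remove side; it would also help to say which barrier on the io-end side it is meant to pair with, if any, since the race is attributed to memory reordering.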