Description
In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30
Product status
10c6021a609deb95f23f0cc2f89aa9d4bffb14c7 (git) before 2249983d971e6839b36284e6610390b2c217dfa1
9af149ca9d0dab6e59e813519d309eff62499864 (git) before ae356d5eb1331d678985799f893e436314834a87
8fc3d7b23d139e3cbc944c15d99b3cdbed797d2d (git) before 965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
2941155d9a5ae098b480d551f3a5f8605d4f9af5 (git) before 42fe37c90184cd1568838b84b488934c3671c963
43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 (git) before cac2106bb9a2180b288079b49ed626414fb5bc45
43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 (git) before 1cdff2937c618f81058422bbdc4974a3e7ec9379
43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 (git) before 7d96f3120a7fb7210d21b520c5b6f495da6ba436
ed7bcd9f617e4107ac0813c516e72e6b8f6029bd (git)
5.15.189 (semver) before 5.15.209
6.1.146 (semver) before 6.1.175
6.6.99 (semver) before 6.6.140
6.12.39 (semver) before 6.12.86
6.15.7 (semver) before 6.16
6.16
Any version before 6.16
5.15.209 (semver)
6.1.175 (semver)
6.6.140 (semver)
6.12.86 (semver)
6.18.27 (semver)
7.0.4 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/2249983d971e6839b36284e6610390b2c217dfa1
git.kernel.org/...c/ae356d5eb1331d678985799f893e436314834a87
git.kernel.org/...c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523
git.kernel.org/...c/42fe37c90184cd1568838b84b488934c3671c963
git.kernel.org/...c/cac2106bb9a2180b288079b49ed626414fb5bc45
git.kernel.org/...c/1cdff2937c618f81058422bbdc4974a3e7ec9379
git.kernel.org/...c/7d96f3120a7fb7210d21b520c5b6f495da6ba436