From: Jiasheng Jiang
To: Song Liu, Yu Kuai, linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Jiasheng Jiang
Subject: [PATCH] md-cluster: fix NULL pointer dereference in process_metadata_update
Date: Sat, 17 Jan 2026 14:59:03 +0000
Message-Id: <20260117145903.28921-1-jiashengjiangcool@gmail.com>

The function process_metadata_update() blindly dereferences the 'thread' pointer
(acquired via rcu_dereference_protected) within the wait_event() macro. While the
code comment states "daemon thread must exist", there is a valid race condition
window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until later in
   md_run().

If a METADATA_UPDATED message is received from a remote node during this specific
window, process_metadata_update() will be called while mddev->thread is still NULL,
leading to a kernel panic.

To fix this, we must validate the 'thread' pointer. If it is NULL, we release the
held lock (no_new_dev_lockres) and return early, safely ignoring the update request
as the array is not yet fully ready to process it.

Signed-off-by: Jiasheng Jiang
---
 drivers/md/md-cluster.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c index 11f1e91d387d..896279988dfd 100644 --- a/drivers/md/md-cluster.c +++ b/drivers/md/md-cluster.c @@ -549,8 +549,13 @@ static void process_metadata_update(struct mddev *mdde= v, struct cluster_msg *msg =20 dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_CR); =20 - /* daemaon thread must exist */ thread =3D rcu_dereference_protected(mddev->thread, true); + if (!thread) { + pr_warn("md-cluster: Received metadata update but MD thread is not ready= \n"); + dlm_unlock_sync(cinfo->no_new_dev_lockres); + return; + } + wait_event(thread->wqueue, (got_lock =3D mddev_trylock(mddev)) || test_bit(MD_CLUSTER_HOLDING_MUTEX_FOR_RECVD, &cinfo->state)); --=20 2.25.1
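Review bot: the NULL test on `thread` is a point-in-time check rather than a synchronization, so it closes the reported NULL dereference but not the ordering problem the commit message describes. `rcu_dereference_protected(mddev->thread, true)` asserts that no lock or RCU read-side section is needed for this read, and nothing in the hunk orders it against the store in md_run() that publishes `mddev->thread`; a message that arrives an instant after the check is handled on whatever the recv daemon happens to observe. Since the commit message identifies the root cause as join() starting recv_daemon before mddev->thread exists, consider either deferring processing of cluster messages until the thread is registered, or at minimum replacing the removed `/* daemaon thread must exist */` comment with one that states the startup window, which lock (if any) makes the read safe, and why the early-return path must drop `no_new_dev_lockres`. The commit message should also justify "safely ignoring" the update: a remote node sent METADATA_UPDATED expecting this node to act on it, so say how the lost update is recovered (or why it is harmless) once the array finishes starting. Lastly, because the early return can be hit repeatedly by traffic from another node during startup, `pr_warn_ratelimited()` is preferable to `pr_warn()` here.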
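The ordering in the commit message, as an added userspace model written here for illustration (it is not code from the patch, from drivers/md, or from the author). It contrasts the patch's behaviour, dropping a METADATA_UPDATED that arrives while the thread pointer is NULL, with parking the message and replaying it once the thread is published. Every type and function here (struct mddev, struct md_thread, md_register_thread_model, run_startup_sequence) is a hypothetical stand-in, and the two-message sequence is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel objects named in the commit message;
 * these are not the real struct mddev / struct md_thread. */
enum msg_type { METADATA_UPDATED };

struct cluster_msg {
	enum msg_type type;
};

struct md_thread {
	int wakeups;			/* stands in for waking thread->wqueue */
};

#define MAX_PENDING 8

struct mddev {
	struct md_thread *thread;	/* NULL until the modelled md_run() publishes it */
	struct cluster_msg pending[MAX_PENDING];
	int npending;
	int processed;
	int dropped;
};

enum outcome { HANDLED, DROPPED, QUEUED };

/* Models the patched process_metadata_update(): read the pointer once, and if it
 * is NULL either drop the message (the patch's behaviour, defer == false) or park
 * it until the thread exists (the alternative, defer == true). */
static enum outcome process_metadata_update(struct mddev *mddev,
					    const struct cluster_msg *msg, bool defer)
{
	struct md_thread *thread = mddev->thread;	/* snapshot, as in the patch */

	if (!thread) {
		if (!defer || mddev->npending == MAX_PENDING) {
			mddev->dropped++;
			return DROPPED;
		}
		mddev->pending[mddev->npending++] = *msg;
		return QUEUED;
	}
	thread->wakeups++;
	mddev->processed++;
	return HANDLED;
}

/* Models md_run() registering mddev->thread; with deferral it replays whatever
 * arrived while the pointer was NULL. */
static void md_register_thread_model(struct mddev *mddev, struct md_thread *thread,
				     bool defer)
{
	int i;

	mddev->thread = thread;
	if (!defer)
		return;
	for (i = 0; i < mddev->npending; i++)
		process_metadata_update(mddev, &mddev->pending[i], defer);
	mddev->npending = 0;
}

/* Constructed replay of the commit message's ordering: join() has started
 * recv_daemon, one METADATA_UPDATED arrives before md_run() publishes the thread,
 * a second arrives after. Returns the number of updates actually processed. */
static int run_startup_sequence(bool defer, int *dropped)
{
	struct mddev mddev = { 0 };
	struct md_thread main_thread = { 0 };
	struct cluster_msg early = { METADATA_UPDATED };
	struct cluster_msg late = { METADATA_UPDATED };

	process_metadata_update(&mddev, &early, defer);		/* steps 1-3: thread NULL */
	md_register_thread_model(&mddev, &main_thread, defer);	/* step 4 */
	process_metadata_update(&mddev, &late, defer);

	if (dropped)
		*dropped = mddev.dropped;
	return mddev.processed;
}

static int dropped_in_startup_sequence(bool defer)
{
	int dropped;

	run_startup_sequence(defer, &dropped);
	return dropped;
}

int main(void)
{
	int dropped;
	int n = run_startup_sequence(false, &dropped);

	printf("drop on NULL (patch): processed=%d dropped=%d\n", n, dropped);
	n = run_startup_sequence(true, &dropped);
	printf("defer and replay:     processed=%d dropped=%d\n", n, dropped);
	return 0;
}
```

With the patch's drop-on-NULL policy the early update is lost and only the second one is processed; with deferral both are processed once the thread is published. Whichever policy the driver adopts, the check itself remains a single unsynchronized read of the pointer, so the model says nothing about what happens to a message that races with the publication itself.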