From: Jack Wang
To: song@kernel.org, yukuai@fnnas.com, linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH] md/bitmap: fix GPF in write_page caused by resize race
Date: Tue, 20 Jan 2026 11:24:56 +0100
Message-ID: <20260120102456.25169-1-jinpu.wang@ionos.com>

A General Protection Fault occurs in write_page() during array resize:

RIP: 0010:write_page+0x22b/0x3c0 [md_mod]

This is a use-after-free race between bitmap_daemon_work() and
__bitmap_resize(). The daemon iterates over `bitmap->storage.filemap`
without locking, while the resize path frees that storage via
md_bitmap_file_unmap(). `quiesce()` does not stop the md thread,
allowing concurrent access to freed pages.

Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.

Closes: https://lore.kernel.org/linux-raid/CAMGffE=Mbfp=7xD_hYxXk1PAaCZNSEAVeQGKGy7YF9f2S4=NEA@mail.gmail.com/T/#u
Cc: stable@vger.kernel.org
Signed-off-by: Jack Wang
---
 drivers/md/md-bitmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 84b7e2af6dba..7bb56d0491a2 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -2453,6 +2453,7 @@ static int __bitmap_resize(struct bitmap *bitmap, sec= tor_t blocks, memcpy(page_address(store.sb_page), page_address(bitmap->storage.sb_page), sizeof(bitmap_super_t)); + mutex_lock(&bitmap->mddev->bitmap_info.mutex); spin_lock_irq(&bitmap->counts.lock); md_bitmap_file_unmap(&bitmap->storage); bitmap->storage =3D store; @@ -2560,7 +2561,7 @@ static int __bitmap_resize(struct bitmap *bitmap, sec= tor_t blocks, set_page_attr(bitmap, i, BITMAP_PAGE_DIRTY); } spin_unlock_irq(&bitmap->counts.lock); - + mutex_unlock(&bitmap->mddev->bitmap_info.mutex); if (!init) { __bitmap_unplug(bitmap); bitmap->mddev->pers->quiesce(bitmap->mddev, 0); --=20 2.43.0
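
Review bot: in the first hunk, the mutex_lock() added ahead of spin_lock_irq(&bitmap->counts.lock) only closes the race if bitmap_daemon_work() walks storage.filemap while holding the same bitmap_info.mutex, yet the commit message describes the daemon as iterating "without locking" and nothing in the hunk says which lock the reader holds. Suggest a short comment at the lock site stating that bitmap_info.mutex serialises the md_bitmap_file_unmap() / `bitmap->storage = store` swap against the daemon, and a sentence in the commit message naming where the daemon takes it. Since kernel mutexes are not recursive, please also confirm that no caller of __bitmap_resize(), including the init path that the later `if (!init)` check implies, already holds bitmap_info.mutex when it gets here.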
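
Review bot: in the second hunk, mutex_unlock() replaces the blank line that separated spin_unlock_irq(&bitmap->counts.lock) from the `if (!init)` block; add the unlock and keep the blank line after it so the end of the critical section stays visually distinct. The hunk headers put the lock and this unlock roughly a hundred lines apart in the same function, and the lines in between are not shown, so please confirm that no early return or goto in that region can leave the function with bitmap_info.mutex still held. It would also help to say in the commit message that the unlock is deliberately placed before __bitmap_unplug() and the quiesce(…, 0) call, so the mutex is not held across them.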