[PATCH v3 0/2] md/raid10: fix r10bio width mismatches across reshape

Chen Cheng posted 2 patches 2 weeks ago
There is a newer version of this series
Posted by Chen Cheng 2 weeks ago
From: Chen Cheng <chencheng@fnnas.com>

Hi,

This series fixes slab out-of-bounds accesses in raid10 when reshape changes
the number of raid disks while regular I/O is still reusing r10bio objects
allocated under the previous geometry.

The bug is reproducible with a simple 4-disk to 5-disk reshape under write
load, for example:

  mdadm -C /dev/md777 -l10 -n4 /dev/sda /dev/sdb /dev/sdc /dev/sdd
  mkfs.ext4 /dev/md777
  mount /dev/md777 /mnt/test
  fsstress -d /mnt/test -n 24000 -p 8 -l 24 &
  mdadm /dev/md777 --add /dev/sde
  mdadm --grow /dev/md777 --raid-devices=5 \
    --backup-file=/tmp/md-reshape-backup

Without these changes, an r10bio allocated under the old geometry can later be
reused, initialized, or freed after conf->geo.raid_disks has switched to the
new geometry. This creates width mismatches between the object and the current
devs[] walk/initialization width, which can trigger KASAN reports such as
slab-out-of-bounds in __make_request(), put_all_bios(), or find_bio_disk().

This series addresses the problem in two steps:

  1. make the regular r10bio pool fixed-size across reshape transitions, and
     move the pool rebuild into the freeze window before the live geometry
     switch;

  2. track the number of valid devs[] entries in each reused r10bio and use
     that recorded width when walking devs[] after reshape.


Changes in v3:
   - Replace freeze_array()/unfreeze_array() in raid10_start_reshape() with
     mddev_suspend_and_lock_nointr()/mddev_unlock_and_resume(). freeze_array()
     returns when nr_pending == nr_queued, which still allows retry-list items
     to hold pool objects; mddev_suspend() provides the correct upper-layer
     quiesce interface. (Suggested by Yu Kuai)


Changes in v2:
  - add this cover letter
  - convert r10bio_pool to a fixed-size kmalloc mempool
  - rebuild r10bio_pool inside the freeze window before switching live reshape
    geometry
  - switch raid10_quiesce() to freeze_array()/unfreeze_array()


Testing:
  - reproduced the original KASAN slab-out-of-bounds on 4-disk -> 5-disk
    raid10 reshape with fsstress
  - verified that this series fixes that reproducer
  - exercised the 5-disk -> 4-disk reshape direction as well

Thanks,
Chen Cheng

Chen Cheng (2):
  md/raid10: make r10bio_pool use fixed-size objects
  md/raid10: bound reused r10bio devs[] walks by used_nr_devs

 drivers/md/raid10.c | 65 ++++++++++++++++++++++++++++++++++-----------
 drivers/md/raid10.h |  4 ++-
 2 files changed, 53 insertions(+), 16 deletions(-)

-- 
2.54.0
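As an added illustration of the failure mode the cover letter describes (this is constructed userspace C, not code from the series or from the kernel's raid10.c): a per-I/O object carries a devs[] array whose length was fixed when the object was allocated, the live geometry's raid_disks changes underneath it during reshape, and any walk that takes its width from the live geometry instead of from the object overruns the allocation. The names r10bio_model, geo_model, walk_devs and reshape_scenario are assumptions made for this model; alloc_nr_devs is model-only bookkeeping that stands in for what KASAN detects in the kernel, and the walker counts would-be out-of-bounds accesses rather than performing them.

```c
#include <stdio.h>
#include <stdlib.h>

struct dev_slot { int bio_present; };

/* Model of an r10bio: devs[] is a flexible array sized at allocation. */
struct r10bio_model {
    int alloc_nr_devs;   /* model-only: width actually allocated (stands in for KASAN) */
    int used_nr_devs;    /* width this object was initialized with (the recorded width) */
    struct dev_slot devs[];
};

/* Model of conf->geo: the live geometry that reshape switches. */
struct geo_model { int raid_disks; };

/* Pool allocation: the object is sized for the geometry current at that time. */
static struct r10bio_model *r10bio_alloc(int width)
{
    struct r10bio_model *r = calloc(1, sizeof(*r) + (size_t)width * sizeof(struct dev_slot));
    if (!r)
        return NULL;
    r->alloc_nr_devs = width;
    return r;
}

/* Reuse from the pool: initialize devs[] for the current geometry and record
 * the width used. The clamp is a guard for this model only; the letter
 * describes the in-kernel init path running to the new raid_disks unclamped. */
static void r10bio_init_for_geo(struct r10bio_model *r, const struct geo_model *geo)
{
    int width = geo->raid_disks < r->alloc_nr_devs ? geo->raid_disks : r->alloc_nr_devs;
    for (int i = 0; i < width; i++)
        r->devs[i].bio_present = 1;
    r->used_nr_devs = width;
}

/* Walk devs[] over 'width' entries. Entries past the allocated width are not
 * dereferenced; they are counted as the accesses KASAN would flag.
 * Returns the number of out-of-bounds accesses the walk would have made. */
static int walk_devs(const struct r10bio_model *r, int width, int *present)
{
    int oob = 0, seen = 0;
    for (int i = 0; i < width; i++) {
        if (i >= r->alloc_nr_devs) {
            oob++;
            continue;
        }
        seen += r->devs[i].bio_present;
    }
    if (present)
        *present = seen;
    return oob;
}

/* Problematic pattern: walk width taken from the live geometry. */
static int walk_by_live_geo(const struct r10bio_model *r, const struct geo_model *geo)
{
    return walk_devs(r, geo->raid_disks, NULL);
}

/* Bounded pattern: walk width taken from the object's own recorded width. */
static int walk_by_recorded_width(const struct r10bio_model *r)
{
    return walk_devs(r, r->used_nr_devs, NULL);
}

/* Scenario from the cover letter: an object allocated and initialized under
 * the old geometry is walked after the live geometry has switched.
 * Returns the out-of-bounds access count for the chosen walk strategy,
 * or -1 on allocation failure. */
static int reshape_scenario(int old_disks, int new_disks, int use_recorded_width)
{
    struct geo_model geo = { .raid_disks = old_disks };
    struct r10bio_model *r = r10bio_alloc(old_disks);
    if (!r)
        return -1;
    r10bio_init_for_geo(r, &geo);   /* I/O issued under the old geometry */
    geo.raid_disks = new_disks;     /* reshape switches the live geometry */
    int oob = use_recorded_width ? walk_by_recorded_width(r)
                                 : walk_by_live_geo(r, &geo);
    free(r);
    return oob;
}

int main(void)
{
    printf("4->5, live-geometry walk:  %d would-be OOB accesses\n", reshape_scenario(4, 5, 0));
    printf("4->5, recorded-width walk: %d would-be OOB accesses\n", reshape_scenario(4, 5, 1));
    printf("5->4, live-geometry walk:  %d would-be OOB accesses\n", reshape_scenario(5, 4, 0));
    return 0;
}
```

The grow direction (4 to 5) is where the live-geometry walk steps past the object, which matches the KASAN reports the letter lists; in the shrink direction the live-geometry walk stays in bounds but visits one entry fewer than the object was initialized with, which is why bounding by the recorded width rather than by the live geometry is the more robust choice in both directions.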
Re: [PATCH v3 0/2] md/raid10: fix r10bio width mismatches across reshape
Posted by Yu Kuai 1 week, 1 day ago
Hi,

On 2026/5/25 9:55, Chen Cheng wrote:
> From: Chen Cheng <chencheng@fnnas.com>
>
> Hi,
>
> This series fixes slab out-of-bounds accesses in raid10 when reshape changes
> the number of raid disks while regular I/O is still reusing r10bio objects
> allocated under the previous geometry.
>
> The bug is reproducible with a simple 4-disk to 5-disk reshape under write
> load, for example:
>
>    mdadm -C /dev/md777 -l10 -n4 /dev/sda /dev/sdb /dev/sdc /dev/sdd
>    mkfs.ext4 /dev/md777
>    mount /dev/md777 /mnt/test
>    fsstress -d /mnt/test -n 24000 -p 8 -l 24 &
>    mdadm /dev/md777 --add /dev/sde
>    mdadm --grow /dev/md777 --raid-devices=5 \
>      --backup-file=/tmp/md-reshape-backup
>
> Without these changes, an r10bio allocated under the old geometry can later be
> reused, initialized, or freed after conf->geo.raid_disks has switched to the
> new geometry. This creates width mismatches between the object and the current
> devs[] walk/initialization width, which can trigger KASAN reports such as
> slab-out-of-bounds in __make_request(), put_all_bios(), or find_bio_disk().
>
> This series addresses the problem in two steps:
>
>    1. make the regular r10bio pool fixed-size across reshape transitions, and
>       move the pool rebuild into the freeze window before the live geometry
>       switch;
>
>    2. track the number of valid devs[] entries in each reused r10bio and use
>       that recorded width when walking devs[] after reshape.
>
>
> Changes in v3:
>     - Replace freeze_array()/unfreeze_array() in raid10_start_reshape() with
>       mddev_suspend_and_lock_nointr()/mddev_unlock_and_resume(). freeze_array()
>       returns when nr_pending == nr_queued, which still allows retry-list items
>       to hold pool objects; mddev_suspend() provides the correct upper-layer
>       quiesce interface. (Suggested by Yu Kuai)
>
>
> Changes in v2:
>    - add this cover letter
>    - convert r10bio_pool to a fixed-size kmalloc mempool
>    - rebuild r10bio_pool inside the freeze window before switching live reshape
>      geometry
>    - switch raid10_quiesce() to freeze_array()/unfreeze_array()
>
>
> Testing:
>    - reproduced the original KASAN slab-out-of-bounds on 4-disk -> 5-disk
>      raid10 reshape with fsstress
>    - verified that this series fixes that reproducer
>    - exercised the 5-disk -> 4-disk reshape direction as well
>
> Thanks,
> Chen Cheng
>
> Chen Cheng (2):
>    md/raid10: make r10bio_pool use fixed-size objects
>    md/raid10: bound reused r10bio devs[] walks by used_nr_devs
>
>   drivers/md/raid10.c | 65 ++++++++++++++++++++++++++++++++++-----------
>   drivers/md/raid10.h |  4 ++-
>   2 files changed, 53 insertions(+), 16 deletions(-)

This patch does not apply cleanly on md-7.2, please rebase first.

>
-- 
Thanks,
Kuai