PAX size overflow on raid10 resync in kernel 4.4
Posted: Wed Oct 05, 2016 12:39 pm
On a system running 4.4.20 with grsecurity, I am getting the following PAX assertion when a raid10 array is resynced during boot.
PAX: size overflow detected in function sync_request .../drivers/md/raid10.c:3181 cicus.674_1200 max, count: 135, decl: sectors; num: 0; context: r10bio;
CPU: 2 PID: 922 Comm: md127_resync Not tainted 4.4.20-grsec #1
Hardware name: Intel S2600WTTR, BIOS SE5C610.86B.01.01.0016.033120161139 03/31/2016
0000000000000000 ffffc9001237b960 ffffffff813ece08 00000000000000d2
ffffffffa0b23c68 0000000000000c6d ffffc9001237b990 ffffffff81212d56
000000010f800000 000000010f800000 000000010f800000 ffff8810264589c0
Call Trace:
[<ffffffff813ece08>] dump_stack+0x9a/0xe2
[<ffffffffa0b23c68>] ? __param_str_max_queued_requests+0x68/0x56f0 [raid10]
[<ffffffff81212d56>] report_size_overflow+0x66/0x80
[<ffffffffa0b1c2da>] sync_request+0x1d1a/0x3150 [raid10]
[<ffffffff810263b3>] ? sched_clock+0x13/0x20
[<ffffffff810b7f8c>] ? local_clock+0x1c/0x20
[<ffffffff810d3b5d>] ? trace_hardirqs_off+0xd/0x10
[<ffffffff810263b3>] ? sched_clock+0x13/0x20
[<ffffffff810263b3>] ? sched_clock+0x13/0x20
[<ffffffff810b7f8c>] ? local_clock+0x1c/0x20
[<ffffffff81784d12>] ? _raw_spin_unlock+0x22/0x30
[<ffffffff8109b047>] ? __queue_work+0x187/0x530
[<ffffffff810d77ad>] ? trace_hardirqs_on_caller+0x13d/0x1d0
[<ffffffff8159c383>] md_do_sync+0xa93/0x1230
[<ffffffff810cbb20>] ? wake_up_atomic_t+0x30/0x30
[<ffffffff81596f28>] md_thread+0x128/0x130
[<ffffffff81596e00>] ? find_pers+0x70/0x70
[<ffffffff81596e00>] ? find_pers+0x70/0x70
[<ffffffff810a3e7c>] kthread+0xfc/0x120
[<ffffffff810a3d80>] ? kthread_create_on_node+0x240/0x240
[<ffffffff81785dee>] ret_from_fork+0x3e/0x70
[<ffffffff810a3d80>] ? kthread_create_on_node+0x240/0x240
I am able to work around it by adding an __intentional_overflow(-1) annotation to sync_request() in drivers/md/raid10.c, but I don't know if this is the correct fix or merely papering over a bug.
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 2be20c1..3610ecc 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2805,7 +2805,7 @@ static int init_resync(struct r10conf *conf)
*
*/
-static sector_t sync_request(struct mddev *mddev, sector_t sector_nr,
+static sector_t __intentional_overflow(-1) sync_request(struct mddev *mddev, sector_t sector_nr,
int *skipped)
{
struct r10conf *conf = mddev->private;
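Review bot: the __intentional_overflow(-1) marker on the sync_request() declaration exempts the function's return value from the size_overflow plugin as a whole, which is a much wider exemption than the site the report names (raid10.c:3181, decl "sectors" in the r10bio context), so this silences the report without showing that the arithmetic there cannot wrap; a reviewable fix would either narrow the annotation to the specific expression at line 3181 or, better, explain why the value assigned to sectors is bounded and correct the type or cast instead. Please also add that reasoning to the patch description: a one-line annotation change with no changelog gives a reviewer nothing to check the "papering over" concern against.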