md:Avoid write invalid address if read_seqretry returned true.

If read_seqretry returned true and bbp was changed, it will write
invalid address which can cause some serious problem.

This bug was introduced by commit v3.0-rc7-130-g2699b67.
So fix is suitable for 3.0.y thru 3.6.y.

Reported-by: zhuwenfeng@kedacom.com
Tested-by: zhuwenfeng@kedacom.com
Cc: stable@vger.kernel.org
Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>

diff --git a/drivers/md/md.c b/drivers/md/md.c
index b6403a797bd52ff63cee42fd9ba7c44549763b9f..98e148484762c29c7011d5abcb949077fbd14a0e 100644 (file)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -1805,15 +1805,15 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
                md_error(mddev, rdev);
        else {
                struct badblocks *bb = &rdev->badblocks;
-               u64 *bbp = (u64 *)page_address(rdev->bb_page);
                u64 *p = bb->page;
                sb->feature_map |= cpu_to_le32(MD_FEATURE_BAD_BLOCKS);
                if (bb->changed) {
                        unsigned seq;
+                       u64 *bbp;
 
 retry:
+                       bbp = (u64 *)page_address(rdev->bb_page);
                        seq = read_seqbegin(&bb->lock);
-
                        memset(bbp, 0xff, PAGE_SIZE);
 
                        for (i = 0 ; i < bb->count ; i++) {