Bug 795461

Summary: NULL-deref (segfault) upon create using nonexistent device
Product: [Fedora] Fedora
Component: mdadm
Version: 17
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Jim Meyering <meyering>
Assignee: Jes Sorensen <Jes.Sorensen>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: agk, dledford, Jes.Sorensen, mbroz
Fixed In Version: mdadm-3.2.3-6.fc17
Doc Type: Bug Fix
Last Closed: 2012-03-12 01:43:04 UTC
Bug Blocks: 795749, 795750, 795751

Description Jim Meyering 2012-02-20 15:49:28 UTC
Description of problem: creation fails with a segfault when one of the devices does not exist.

Version-Release number of selected component (if applicable): mdadm-3.2.3-5.fc17.x86_64

How reproducible: every time

Steps to Reproduce:
Run this:

  truncate -s10m a && losetup -f a &&
    echo y|mdadm -C /dev/md_d0 -l1 -n2 --auto=p7 /dev/loop0 /dev/loop1

Actual results:

mdadm: Note: this array has metadata at the start and
    may not be suitable as a boot device.  If you plan to
    store '/boot' on this device please ensure that
    your boot-loader understands md/v1.x metadata, or use
    --metadata=0.90
mdadm: largest drive (/dev/loop0) exceeds size (0K) by more than 1%
Continue creating array? mdadm: Defaulting to version 1.2 metadata
zsh: done                              echo y |
zsh: segmentation fault (core dumped)  mdadm -C /dev/md_d0 -l1 -n2 --auto=p7 /dev/loop0 /dev/loop1

Expected results:

  No segfault

Additional info:

This also affects F16.

From gdb, it's easy to see what goes wrong:

  Program received signal SIGSEGV, Segmentation fault.
  Create (st=0x86e070, mddev=0x7fffffffd3d0 "/dev/md_d0", chunk=0, level=1,
      layout=8, size=<optimized out>, raiddisks=2, sparedisks=0,
      name=0x7fffffffd301 "p\n\024", homehost=0x7fffffffdf20 "hx.meyering.net",
      uuid=0x0, subdevs=2, devlist=0x86e030, runstop=0, verbose=0, force=0,
      assume_clean=0, bitmap_file=0x880e10 "\001", bitmap_chunk=65534,
      write_behind=0, delay=5, autof=62) at Create.c:927


	for (pass=1; pass <=2 ; pass++) {
		struct mddev_dev *moved_disk = NULL; /* the disk that was moved out of the insert point */

		for (dnum=0, dv = devlist ; dv ;
		     dv=(dv->next)?(dv->next):moved_disk, dnum++) {
		     // Here, dv ends up NULL, because both dv->next
		     // and moved_disk are NULL.
		     ...
		}
		...
		if (pass == 1) {
			...
			if (st->ss->write_init_super(st)) {
== 927 ==>			fprintf(stderr,
					Name ": Failed to write metadata to %s\n",
					dv->devname);
			...
		}
	}
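
The pattern in the excerpt above, reduced to a stand-alone program. This is an added example, not code from the report or from mdadm: `struct dev`, `walk()` and `format_write_failure()` are hypothetical names, and falling back to the array name in the message is an assumed choice, not the fix that shipped. It shows that the loop cursor is always NULL once the loop has ended, and one way to build the failure message without dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mdadm's struct mddev_dev (only the two fields
 * the excerpt uses). */
struct dev {
	const char *devname;
	struct dev *next;
};

/* Same loop header as the excerpt. The loop only ends when dv is NULL, so
 * the returned cursor is always NULL; *last is the final device visited. */
static struct dev *walk(struct dev *devlist, struct dev **last, int *count)
{
	struct dev *moved_disk = NULL; /* as in the reported run */
	struct dev *dv;
	int dnum;

	*last = NULL;
	for (dnum = 0, dv = devlist; dv;
	     dv = (dv->next) ? (dv->next) : moved_disk, dnum++)
		*last = dv;
	*count = dnum;
	return dv;
}

/* Guarded form of the line-927 message: never dereferences a NULL cursor,
 * falling back to the array name (an assumed choice for this example). */
static int format_write_failure(char *buf, size_t len,
				const struct dev *dv, const char *mddev)
{
	return snprintf(buf, len, "Failed to write metadata to %s\n",
			dv ? dv->devname : mddev);
}

int main(void)
{
	struct dev loop1 = { "/dev/loop1", NULL };	/* constructed sample list */
	struct dev loop0 = { "/dev/loop0", &loop1 };
	struct dev *last;
	char msg[128];
	int n;
	struct dev *dv = walk(&loop0, &last, &n);

	format_write_failure(msg, sizeof msg, dv, "/dev/md_d0");
	printf("cursor=%p visited=%d last=%s\n%s", (void *)dv, n, last->devname, msg);
	return 0;
}
```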

Comment 1 Fedora Update System 2012-02-23 11:05:41 UTC
mdadm-3.2.3-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mdadm-3.2.3-6.fc17

Comment 2 Fedora Update System 2012-02-23 22:30:28 UTC
Package mdadm-3.2.3-6.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mdadm-3.2.3-6.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2297/mdadm-3.2.3-6.fc17
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2012-03-12 01:43:04 UTC
mdadm-3.2.3-6.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.