review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Yu Kuai <yukuai3@huawei.com>
	Tue, 23 May 2023 02:10:17 +0000 (10:10 +0800)
committer	Song Liu <song@kernel.org>
	Tue, 13 Jun 2023 22:25:39 +0000 (15:25 -0700)
commit	4469315439827290923fce4f3f672599cabeb366
tree	83e7d30c4570cd28774226f0e9d36b110c823ff8	tree \| snapshot
parent	4eeb6535cd51100460ec8873bb68addef17b3e81	commit \| diff

md: protect md_thread with rcu

Currently, there are many places that md_thread can be accessed without
protection, following are known scenarios that can cause
null-ptr-dereference or uaf:

1) sync_thread that is allocated and started from md_start_sync()
2) mddev->thread can be accessed directly from timeout_store() and
md_bitmap_daemon_work()
3) md_unregister_thread() from action_store().

Currently, a global spinlock 'pers_lock' is borrowed to protect
'mddev->thread' in some places, this problem can be fixed likewise,
however, use a global lock for all the cases is not good.

Fix this problem by protecting all md_thread with rcu.

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-6-yukuai1@huaweicloud.com

drivers/md/md-bitmap.c		diff \| blob \| history
drivers/md/md-cluster.c		diff \| blob \| history
drivers/md/md-multipath.c		diff \| blob \| history
drivers/md/md.c		diff \| blob \| history
drivers/md/md.h		diff \| blob \| history
drivers/md/raid1.c		diff \| blob \| history
drivers/md/raid1.h		diff \| blob \| history
drivers/md/raid10.c		diff \| blob \| history
drivers/md/raid10.h		diff \| blob \| history
drivers/md/raid5-cache.c		diff \| blob \| history
drivers/md/raid5.c		diff \| blob \| history
drivers/md/raid5.h		diff \| blob \| history