md: factor out a helper to wake up md_thread directly

md_wakeup_thread() can't wakeup md_thread->tsk if md_thread->run is
still in progress, and in some cases md_thread->tsk need to be woke up
directly, like md_set_readonly() and do_md_stop().

Commit 9dfbdafda3b3 ("md: unlock mddev before reap sync_thread in
action_store") introduce a new scenario where unregister sync_thread is
not protected by 'reconfig_mutex', this can cause null-ptr-deference in
theroy:

t1: md_set_readonly		t2: action_store
				md_unregister_thread
				// 'reconfig_mutex' is not held
// 'reconfig_mutex' is held by caller
if (mddev->sync_thread)
				 thread = *threadp
				 *threadp = NULL
 wake_up_process(mddev->sync_thread->tsk)
 // null-ptr-deference

Fix this problem by factoring out a helper to wake up md_thread directly,
so that 'sync_thread' won't be accessed multiple times from the reader
side. This helper also prepare to protect md_thread with rcu.

Noted that later patches is going to fix that unregister sync_thread is
not protected by 'reconfig_mutex' from action_store().

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-2-yukuai1@huaweicloud.com

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 724c741..9d54de3 100644 (file)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -92,6 +92,7 @@ static int remove_and_add_spares(struct mddev *mddev,
                                 struct md_rdev *this);
 static void mddev_detach(struct mddev *mddev);
 static void export_rdev(struct md_rdev *rdev, struct mddev *mddev);
+static void md_wakeup_thread_directly(struct md_thread *thread);
 
 /*
  * Default number of read corrections we'll attempt on an rdev
@@ -6284,10 +6285,12 @@ static int md_set_readonly(struct mddev *mddev, struct block_device *bdev)
        }
        if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
                set_bit(MD_RECOVERY_INTR, &mddev->recovery);
-       if (mddev->sync_thread)
-               /* Thread might be blocked waiting for metadata update
-                * which will now never happen */
-               wake_up_process(mddev->sync_thread->tsk);
+
+       /*
+        * Thread might be blocked waiting for metadata update which will now
+        * never happen
+        */
+       md_wakeup_thread_directly(mddev->sync_thread);
 
        if (mddev->external && test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags))
                return -EBUSY;
@@ -6348,10 +6351,12 @@ static int do_md_stop(struct mddev *mddev, int mode,
        }
        if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
                set_bit(MD_RECOVERY_INTR, &mddev->recovery);
-       if (mddev->sync_thread)
-               /* Thread might be blocked waiting for metadata update
-                * which will now never happen */
-               wake_up_process(mddev->sync_thread->tsk);
+
+       /*
+        * Thread might be blocked waiting for metadata update which will now
+        * never happen
+        */
+       md_wakeup_thread_directly(mddev->sync_thread);
 
        mddev_unlock(mddev);
        wait_event(resync_wait, (mddev->sync_thread == NULL &&
@@ -7898,6 +7903,12 @@ static int md_thread(void *arg)
        return 0;
 }
 
+static void md_wakeup_thread_directly(struct md_thread *thread)
+{
+       if (thread)
+               wake_up_process(thread->tsk);
+}
+
 void md_wakeup_thread(struct md_thread *thread)
 {
        if (thread) {