    md: protect md_thread with rcu · 44693154
    Yu Kuai authored
    Currently, there are many places where md_thread can be accessed without
    protection; the following are known scenarios that can cause a
    null-ptr-dereference or uaf:
    
    1) sync_thread that is allocated and started from md_start_sync()
    2) mddev->thread can be accessed directly from timeout_store() and
       md_bitmap_daemon_work()
    3) md_unregister_thread() from action_store().
    
    Currently, a global spinlock 'pers_lock' is borrowed to protect
    'mddev->thread' in some places; this problem could be fixed likewise,
    however, using a global lock for all the cases is not good.
    
    Fix this problem by protecting all md_thread with rcu.
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Link: https://lore.kernel.org/r/20230523021017.3048783-6-yukuai1@huaweicloud.com