From: Yu Kuai
To: agk@redhat.com, snitzer@kernel.org, song@kernel.org
Cc: linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, yukuai3@huawei.com, yukuai1@huaweicloud.com, yi.zhang@huawei.com, yangerkun@huawei.com
Subject: [PATCH -next 0/5] md: fix uaf for sync_thread
Date: Sat, 11 Mar 2023 17:31:43 +0800
Message-Id: <20230311093148.2595222-1-yukuai1@huaweicloud.com>

Our test reports a uaf for 'mddev->sync_thread':

T1                      T2
md_start_sync
 md_register_thread
                        raid1d
                         md_check_recovery
                          md_reap_sync_thread
                           md_unregister_thread
                            kfree

 md_wakeup_thread
  wake_up
  ->sync_thread was freed

Currently, a global spinlock 'pers_lock' is borrowed to protect
'mddev->thread'. This problem can be fixed likewise; however, there might be
similar problems for other md_thread, and I really don't like the idea of
borrowing a global lock.

This patchset does some refactoring, and then uses a disk level spinlock to
protect md_thread in relevant apis.

Yu Kuai (5):
  md: pass a md_thread pointer to md_register_thread()
  md: refactor md_wakeup_thread()
  md: use md_thread api to wake up sync_thread
  md: pass a mddev to md_unregister_thread()
  md: protect md_thread with a new disk level spin lock

 drivers/md/dm-raid.c      |   6 +-
 drivers/md/md-bitmap.c    |   6 +-
 drivers/md/md-cluster.c   |  39 +++++-----
 drivers/md/md-multipath.c |   8 +-
 drivers/md/md.c           | 157 ++++++++++++++++++++------------------
 drivers/md/md.h           |  15 ++--
 drivers/md/raid1.c        |  19 +++--
 drivers/md/raid10.c       |  31 ++++----
 drivers/md/raid5-cache.c  |  19 +++--
 drivers/md/raid5-ppl.c    |   2 +-
 drivers/md/raid5.c        |  48 ++++++------
 11 files changed, 175 insertions(+), 175 deletions(-)

-- 
2.31.1
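
The locking pattern the cover letter describes, as a user-space C model added here; it is not code from this patch series or from the kernel. Every name (`mddev_model`, `model_wakeup`, and so on) is hypothetical, and a C11 `atomic_flag` stands in for the per-device spinlock.

```c
/* User-space model of the locking pattern. Hypothetical names, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct md_thread_model { int wakeups; };
struct mddev_model {
    atomic_flag thread_lock;             /* stands in for the per-device spinlock */
    struct md_thread_model *sync_thread; /* read and written only under thread_lock */
};
static void model_lock(struct mddev_model *m) { while (atomic_flag_test_and_set(&m->thread_lock)) { } }
static void model_unlock(struct mddev_model *m) { atomic_flag_clear(&m->thread_lock); }

static bool model_register(struct mddev_model *m)
{
    struct md_thread_model *t = calloc(1, sizeof(*t));
    model_lock(m);
    m->sync_thread = t;
    model_unlock(m);
    return t != NULL;
}

/* Detach under the lock, free once no waker can still find the pointer. */
static void model_unregister(struct mddev_model *m)
{
    model_lock(m);
    struct md_thread_model *t = m->sync_thread;
    m->sync_thread = NULL;
    model_unlock(m);
    free(t);
}

/* Wake under the lock; false means the thread was already unregistered. */
static bool model_wakeup(struct mddev_model *m)
{
    model_lock(m);
    bool present = m->sync_thread != NULL;
    if (present) m->sync_thread->wakeups++;
    model_unlock(m);
    return present;
}

/* Replays the reported order: register (T1), unregister + free (T2), late wakeup (T1). */
static int replay_reported_order(void)
{
    struct mddev_model m = { .thread_lock = ATOMIC_FLAG_INIT, .sync_thread = NULL };
    if (!model_register(&m)) return -1;
    model_unregister(&m);
    return model_wakeup(&m) ? 1 : 0; /* 0: the late wakeup found no thread to touch */
}
int main(void) { return replay_reported_order(); }
```

Because the waker dereferences the pointer only while holding the lock and the unregister path clears it under the same lock before freeing, the late wakeup in the T1/T2 interleaving sees NULL instead of freed memory.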