md: protect md_thread with rcu
Currently, there are many places where md_thread can be accessed without protection. The following are known scenarios that can cause a null-ptr-dereference or UAF:

1) sync_thread that is allocated and started from md_start_sync()
2) mddev->thread can be accessed directly from timeout_store() and md_bitmap_daemon_work()
3) md_unregister_thread() from action_store()

Currently, a global spinlock 'pers_lock' is borrowed to protect 'mddev->thread' in some places. This problem can be fixed likewise; however, using a global lock for all the cases is not good.

Fix this problem by protecting all md_thread with rcu.

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-6-yukuai1@huaweicloud.com
Showing 12 changed files:
- drivers/md/md-bitmap.c: 8 additions, 2 deletions
- drivers/md/md-cluster.c: 11 additions, 6 deletions
- drivers/md/md-multipath.c: 2 additions, 2 deletions
- drivers/md/md.c: 32 additions, 37 deletions
- drivers/md/md.h: 4 additions, 4 deletions
- drivers/md/raid1.c: 4 additions, 3 deletions
- drivers/md/raid1.h: 1 addition, 1 deletion
- drivers/md/raid10.c: 12 additions, 8 deletions
- drivers/md/raid10.h: 1 addition, 1 deletion
- drivers/md/raid5-cache.c: 13 additions, 9 deletions
- drivers/md/raid5.c: 8 additions, 7 deletions
- drivers/md/raid5.h: 1 addition, 1 deletion