diff options
| author | Yu Kuai <yukuai3@huawei.com> | 2023-05-23 10:10:17 +0800 |
|---|---|---|
| committer | Song Liu <song@kernel.org> | 2023-06-13 15:25:39 -0700 |
| commit | 4469315439827290923fce4f3f672599cabeb366 (patch) | |
| tree | 83e7d30c4570cd28774226f0e9d36b110c823ff8 /drivers/md/md-multipath.c | |
| parent | 4eeb6535cd51100460ec8873bb68addef17b3e81 (diff) | |
| download | linux-stable-4469315439827290923fce4f3f672599cabeb366.tar.gz linux-stable-4469315439827290923fce4f3f672599cabeb366.tar.bz2 linux-stable-4469315439827290923fce4f3f672599cabeb366.zip | |
md: protect md_thread with rcu
Currently, there are many places that md_thread can be accessed without
protection, following are known scenarios that can cause
null-ptr-dereference or uaf:
1) sync_thread that is allocated and started from md_start_sync()
2) mddev->thread can be accessed directly from timeout_store() and
md_bitmap_daemon_work()
3) md_unregister_thread() from action_store().
Currently, a global spinlock 'pers_lock' is borrowed to protect
'mddev->thread' in some places, this problem can be fixed likewise,
however, use a global lock for all the cases is not good.
Fix this problem by protecting all md_thread with rcu.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-6-yukuai1@huaweicloud.com
Diffstat (limited to 'drivers/md/md-multipath.c')
| -rw-r--r-- | drivers/md/md-multipath.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/md/md-multipath.c b/drivers/md/md-multipath.c index 66edf5e72bd6..92c45be203d7 100644 --- a/drivers/md/md-multipath.c +++ b/drivers/md/md-multipath.c @@ -400,8 +400,8 @@ static int multipath_run (struct mddev *mddev) if (ret) goto out_free_conf; - mddev->thread = md_register_thread(multipathd, mddev, - "multipath"); + rcu_assign_pointer(mddev->thread, + md_register_thread(multipathd, mddev, "multipath")); if (!mddev->thread) goto out_free_conf; |