From: Guoqing Jiang <guoqing.jiang@linux.dev>
To: Yu Kuai <yukuai1@huaweicloud.com>,
	agk@redhat.com, snitzer@kernel.org, song@kernel.org
Cc: linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
	yukuai3@huawei.com, yi.zhang@huawei.com, yangerkun@huawei.com
Subject: Re: [PATCH v2 5/5] md: protect md_thread with a new disk level spin lock
Date: Wed, 15 Mar 2023 17:39:32 +0800
Message-ID: <16613534-5482-23c5-fa97-cfaedecab3d7@linux.dev>
In-Reply-To: <20230315061810.653263-6-yukuai1@huaweicloud.com>



On 3/15/23 14:18, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
>
> Our test reports a uaf for 'mddev->sync_thread':
>
> T1                      T2
> md_start_sync
>   md_register_thread
> 			raid1d
> 			 md_check_recovery
> 			  md_reap_sync_thread
> 			   md_unregister_thread
> 			    kfree
>
>   md_wakeup_thread
>    wake_up
>    ->sync_thread was freed

Better to provide the relevant uaf (use after free, perhaps you mean)
log from the test.

> Currently, a global spinlock 'pers_lock' is borrowed to protect
> 'mddev->thread', this problem can be fixed likewise, however, there might
> be similar problem for other md_thread, and I really don't like the idea to
> borrow a global lock.
>
> This patch uses a disk level spinlock to protect md_thread in relevant apis.

It is array level I think, and you probably want to remove the comment.

 * pers_lock does extra service to protect accesses to
 * mddev->thread when the mutex cannot be held.

Thanks,
Guoqing
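
The T1/T2 interleaving from the quoted commit message, as an added userspace model (not code from the patch or from md.c): the waker checks and dereferences the thread pointer inside one critical section, and the reaper clears the pointer under the same lock before freeing. All `model_*` names are hypothetical, and a C11 `atomic_flag` stands in for the kernel spinlock.

```c
/* Added illustration: userspace model only; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct model_thread { int wakeups; };
struct model_array {
    atomic_flag lock;                 /* stands in for the per-array spinlock */
    struct model_thread *sync_thread; /* stands in for mddev->sync_thread */
};

static void model_lock(struct model_array *a) {
    while (atomic_flag_test_and_set_explicit(&a->lock, memory_order_acquire))
        ; /* spin until the flag is released */
}
static void model_unlock(struct model_array *a) {
    atomic_flag_clear_explicit(&a->lock, memory_order_release);
}
/* Publish the pointer under the lock. Returns 0 on success, -1 on OOM. */
static int model_register(struct model_array *a) {
    struct model_thread *t = calloc(1, sizeof(*t));
    if (!t) return -1;
    model_lock(a); a->sync_thread = t; model_unlock(a);
    return 0;
}
/* Waker (T1): load and dereference inside one critical section.
 * Returns 1 if a thread was woken, 0 if it was already unregistered. */
static int model_wakeup(struct model_array *a) {
    int woke = 0;
    model_lock(a);
    if (a->sync_thread) { a->sync_thread->wakeups++; woke = 1; }
    model_unlock(a);
    return woke;
}
/* Reaper (T2): unpublish under the lock, free only afterwards, so no
 * waker can still reach the object. Returns 1 if a thread was freed. */
static int model_unregister(struct model_array *a) {
    model_lock(a);
    struct model_thread *t = a->sync_thread;
    a->sync_thread = NULL;
    model_unlock(a);
    int had = (t != NULL);
    free(t);
    return had;
}
int main(void) {
    struct model_array a = { ATOMIC_FLAG_INIT, NULL };
    model_register(&a);
    printf("wake before reap: %d\n", model_wakeup(&a));
    model_unregister(&a);
    printf("wake after reap:  %d\n", model_wakeup(&a)); /* no freed access */
    return 0;
}
```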
