Re: [PATCH v2 5/5] md: protect md_thread with a new disk level spin lock

[Yu Kuai]

Hi,

在 2023/03/15 17:39, Guoqing Jiang 写道:
> On 3/15/23 14:18, Yu Kuai wrote:
> > From: Yu Kuai <yukuai3@xxxxxxxxxx>
> >
> > Our test reports a uaf for 'mddev->sync_thread':
> >
> > T1                      T2
> > md_start_sync
> >   md_register_thread
> >             raid1d
> >              md_check_recovery
> >               md_reap_sync_thread
> >                md_unregister_thread
> >                 kfree
> >
> >   md_wakeup_thread
> >    wake_up
> >    ->sync_thread was freed
>
> Better to provide the relevant uaf (user after free perhaps you mean)
> log from the test.
Ok, I'll add uaf report(the report is from v5.10) in the next version.
> > Currently, a global spinlock 'pers_lock' is borrowed to protect
> > 'mddev->thread', this problem can be fixed likewise, however, there might
> > be similar problem for other md_thread, and I really don't like the 
> > idea to
> > borrow a global lock.
> >
> > This patch use a disk level spinlock to protect md_thread in relevant 
> > apis.
>
> It is array level I think, and you probably want to remove the comment.
>
> * pers_lockdoes extra service to protect accesses to
> * mddev->thread when the mutex cannot be held.

Yes, I missed this.

Thanks,
Kuai
> Thanks,
> Guoqing
> .