Thread: 10 messages, 3 authors, 2023-03-14

Re: [PATCH -next 0/5] md: fix uaf for sync_thread

From: Song Liu <song@kernel.org>
Date: 2023-03-14 00:44:07
Also in: lkml

On Sat, Mar 11, 2023 at 1:32 AM Yu Kuai [off-list ref] wrote:
> From: Yu Kuai <redacted>
>
> Our test reports a uaf for 'mddev->sync_thread':
>
> T1                      T2
> md_start_sync
>  md_register_thread
>                         raid1d
>                          md_check_recovery
>                           md_reap_sync_thread
>                            md_unregister_thread
>                             kfree
>
>  md_wakeup_thread
>   wake_up
>   ->sync_thread was freed
>
> Currently, a global spinlock 'pers_lock' is borrowed to protect
> 'mddev->thread'; this problem can be fixed likewise, however, there might
> be similar problems for other md_threads, and I really don't like the idea of
> borrowing a global lock.
>
> This patchset does some refactoring, and then uses a disk level spinlock to
> protect md_thread in the relevant APIs.
>
> Yu Kuai (5):
>   md: pass a md_thread pointer to md_register_thread()
>   md: refactor md_wakeup_thread()
>   md: use md_thread api to wake up sync_thread
>   md: pass a mddev to md_unregister_thread()
>   md: protect md_thread with a new disk level spin lock

Applied to md-next.

Thanks,
Song
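
As an added illustration (not code from the md driver, the patch series, or either author), the following user-space C model replays the T1/T2 interleaving from the cover letter and shows the shape of the fix it describes: the wakeup and unregister paths take the same per-device lock, and the wakeup loads the thread pointer only while holding it. A pthread mutex stands in for the kernel spinlock, md_thread is a heap object rather than a kthread, and the liveness magic, the stress loop and every function body are hypothetical; only the function names deliberately mirror the ones in the thread.

```c
/* User-space model of the sync_thread wakeup/unregister race from the cover
 * letter and of the "disk level spinlock" approach it proposes.  Added
 * illustration, not code from drivers/md or the patch series: a pthread mutex
 * stands in for the kernel spinlock, md_thread is a heap object rather than a
 * kthread, and names are hypothetical except where they mirror the thread. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MD_THREAD_LIVE 0x6d645f74u /* set at register, cleared before free */
#define STRESS_ITERS 100000u

struct md_thread {
	unsigned magic; /* MD_THREAD_LIVE between register and unregister */
};
struct mddev {
	struct md_thread *sync_thread; /* the pointer the UAF report is about */
	pthread_mutex_t thread_lock;   /* per-device lock (a spinlock in the kernel) */
	unsigned dangling_uses;        /* wakeups that reached a non-live thread */
};

/* Allocate the thread and publish it through *threadp under the lock. */
int md_register_thread(struct mddev *m, struct md_thread **threadp)
{
	struct md_thread *t = calloc(1, sizeof *t);
	if (!t)
		return -1;
	t->magic = MD_THREAD_LIVE;
	pthread_mutex_lock(&m->thread_lock);
	*threadp = t;
	pthread_mutex_unlock(&m->thread_lock);
	return 0;
}

/* Unpublish under the lock so no waker can still load the pointer, then free
 * outside it (stopping a kthread may sleep, so that cannot hold a spinlock). */
void md_unregister_thread(struct mddev *m, struct md_thread **threadp)
{
	pthread_mutex_lock(&m->thread_lock);
	struct md_thread *t = *threadp;
	*threadp = NULL;
	pthread_mutex_unlock(&m->thread_lock);
	if (t)
		t->magic = 0; /* poison before free so a stale use is detectable */
	free(t);
}

/* Pre-fix shape was md_wakeup_thread(mddev->sync_thread): the caller loaded the
 * pointer with no lock, so an unregister between load and use left it dangling.
 * Post-fix shape: pass the device and the pointer's location, so load and use
 * both happen under the lock that md_unregister_thread() takes. */
bool md_wakeup_thread(struct mddev *m, struct md_thread **threadp)
{
	pthread_mutex_lock(&m->thread_lock);
	struct md_thread *t = *threadp;
	if (t && t->magic != MD_THREAD_LIVE)
		m->dangling_uses++; /* a freed thread got through; must stay 0 */
	/* here the kernel would wake_up() the thread's wait queue */
	pthread_mutex_unlock(&m->thread_lock);
	return t != NULL;
}

/* Replay the report's interleaving: T1 registers, T2 reaps and frees, then
 * T1's wakeup runs.  True when that wakeup saw NULL rather than freed memory. */
bool replay_reported_race(void)
{
	struct mddev m = { NULL, PTHREAD_MUTEX_INITIALIZER, 0 };
	if (md_register_thread(&m, &m.sync_thread) != 0) /* T1: md_start_sync */
		return false;
	md_unregister_thread(&m, &m.sync_thread);         /* T2: md_reap_sync_thread */
	bool woke = md_wakeup_thread(&m, &m.sync_thread); /* T1: md_wakeup_thread */
	return !woke && m.dangling_uses == 0;
}

static void *waker(void *arg)
{
	struct mddev *m = arg;
	for (unsigned i = 0; i < STRESS_ITERS; i++)
		md_wakeup_thread(m, &m->sync_thread);
	return NULL;
}

/* Register/unregister in a loop against a concurrent waker.  Returns how many
 * wakeups reached a non-live thread; with the lock in place that is 0. */
unsigned stress_wakeup_vs_unregister(void)
{
	struct mddev m = { NULL, PTHREAD_MUTEX_INITIALIZER, 0 };
	pthread_t tid;
	if (pthread_create(&tid, NULL, waker, &m) != 0)
		return (unsigned)-1;
	for (unsigned i = 0; i < STRESS_ITERS; i++)
		if (md_register_thread(&m, &m.sync_thread) == 0)
			md_unregister_thread(&m, &m.sync_thread);
	pthread_join(tid, NULL);
	return m.dangling_uses;
}

int main(void)
{
	printf("replayed race safe: %d\n", replay_reported_race());
	printf("dangling uses under stress: %u\n", stress_wakeup_vs_unregister());
	return 0;
}
```

The point of the changed calling convention is that the waker no longer owns a raw `struct md_thread *` it loaded earlier: it is handed `&mddev->sync_thread` plus the `mddev` whose lock guards that slot, so the load and the wake happen in one critical section while `md_unregister_thread()` clears the slot under the same lock before freeing. The free itself stays outside the lock, since stopping a kernel thread can sleep. Building this model with -fsanitize=address is a useful extra check: the stress loop then also aborts if a stale pointer were ever dereferenced.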