Hi,
On 2023/03/15 17:39, Guoqing Jiang wrote:
On 3/15/23 14:18, Yu Kuai wrote:
From: Yu Kuai <yukuai3@xxxxxxxxxx>
Our test reports a uaf for 'mddev->sync_thread':
T1                                    T2
md_start_sync
 md_register_thread
                                      raid1d
                                       md_check_recovery
                                        md_reap_sync_thread
                                         md_unregister_thread
                                          kfree
 md_wakeup_thread
  wake_up
  ->sync_thread was freed
Better to provide the relevant uaf (use after free perhaps you mean)
log from the test.
Ok, I'll add the uaf report (the report is from v5.10) in the next version.
Currently, a global spinlock 'pers_lock' is borrowed to protect
'mddev->thread'; this problem can be fixed likewise. However, there might
be similar problems for other md_threads, and I really don't like the
idea of borrowing a global lock.
This patch uses a disk level spinlock to protect md_thread in the relevant
APIs.
It is array level, I think, and you probably want to remove this comment:
 * pers_lock does extra service to protect accesses to
 * mddev->thread when the mutex cannot be held.
Yes, I missed this.
Thanks,
Kuai
Thanks,
Guoqing
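The race in the report above, and the shape of the fix under discussion (an array-level lock that covers both the read of the thread pointer and its use), as an added user-space model. This is not code from the patch or from drivers/md; struct names mirror md for readability only. The lock is a plain flag and T2's actions are injected at the race point via a callback, because the point is to show the interleaving deterministically rather than to race for real; kfree_model(), run_racy_scenario() and run_fixed_scenario() are constructs of this model.

```c
#include <stdlib.h>
#define THREAD_MAGIC 0x6d647468u   /* "mdth"; cleared when the thread is "freed" */

/* Stand-in for struct md_thread: poisoned instead of freed at once, so the
 * model can observe a touch-after-free without reading released memory. */
struct md_thread { unsigned int magic; };

/* Stand-in for the md array. thread_lock is the array-level lock the patch adds;
 * a flag suffices: the model is single-threaded and T2 is injected at a chosen point. */
struct mddev { int thread_lock; struct md_thread *sync_thread; };

static struct md_thread *freed_thread;   /* released once a scenario is over */

static void kfree_model(struct md_thread *t) { t->magic = 0; freed_thread = t; }

/* wake_up(): -1 means it ran on a freed thread, i.e. the uaf from the report. */
static int wake_up(struct md_thread *t)
{
    return t->magic == THREAD_MAGIC ? 0 : -1;
}

static void md_register_thread(struct mddev *mddev)
{
    struct md_thread *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->magic = THREAD_MAGIC;
    mddev->sync_thread = t;
}

/* Before the patch: nothing orders T1's pointer read against T2's free. */
static void md_unregister_thread_unlocked(struct mddev *mddev)
{
    struct md_thread *t = mddev->sync_thread;
    mddev->sync_thread = NULL;
    if (t) kfree_model(t);
}

static int md_wakeup_thread_unlocked(struct mddev *mddev, void (*t2)(struct mddev *))
{
    struct md_thread *t = mddev->sync_thread;  /* T1 reads the pointer */
    if (!t) return 0;
    if (t2) t2(mddev);     /* T2: md_reap_sync_thread -> md_unregister_thread -> kfree */
    return wake_up(t);     /* T1 uses the stale pointer */
}

/* After the patch: the pointer is read and used under thread_lock.
 * Returns 1 if the thread was detached and freed, 0 if the lock was busy
 * (a kernel caller would spin here until the wakeup drops the lock). */
static int md_unregister_thread_locked(struct mddev *mddev)
{
    if (mddev->thread_lock) return 0;
    mddev->thread_lock = 1;
    struct md_thread *t = mddev->sync_thread;
    mddev->sync_thread = NULL;   /* later wakeups see NULL and do nothing */
    mddev->thread_lock = 0;      /* free after unlock: kthread_stop can sleep */
    if (t) kfree_model(t);
    return 1;
}

static int md_wakeup_thread_locked(struct mddev *mddev, void (*t2)(struct mddev *))
{
    int ret = 0;
    mddev->thread_lock = 1;
    if (mddev->sync_thread) {
        if (t2) t2(mddev);   /* T2 arrives now but cannot take the lock */
        ret = wake_up(mddev->sync_thread);
    }
    mddev->thread_lock = 0;
    return ret;
}

static int t2_had_to_wait;   /* set when T2's unregister found the lock busy */
static void t2_unlocked(struct mddev *m) { md_unregister_thread_unlocked(m); }
static void t2_locked(struct mddev *m) { t2_had_to_wait = !md_unregister_thread_locked(m); }

/* Returns -1: the unlocked wakeup runs wake_up() on the freed sync_thread. */
int run_racy_scenario(void)
{
    struct mddev mddev = { 0, NULL };
    md_register_thread(&mddev);
    int ret = md_wakeup_thread_unlocked(&mddev, t2_unlocked);
    free(freed_thread); freed_thread = NULL;
    return ret;
}

/* Returns 1: T1's wakeup completes on the live thread, T2 has to wait and
 * frees it afterwards, and a wakeup after that is a harmless no-op. */
int run_fixed_scenario(void)
{
    struct mddev mddev = { 0, NULL };
    md_register_thread(&mddev);
    t2_had_to_wait = 0;
    int wake_ret = md_wakeup_thread_locked(&mddev, t2_locked);
    int freed = md_unregister_thread_locked(&mddev);   /* T2 retries once unlocked */
    int late_ret = md_wakeup_thread_locked(&mddev, NULL);
    free(freed_thread); freed_thread = NULL;
    return wake_ret == 0 && t2_had_to_wait && freed && late_ret == 0 && mddev.sync_thread == NULL;
}
```

run_racy_scenario() returns -1 (the wakeup touched the freed thread) and run_fixed_scenario() returns 1. The part worth carrying back to the kernel is the ordering in md_unregister_thread_locked(): the pointer is cleared under the lock, but the thread is stopped and freed only after the lock is dropped, since kthread_stop() sleeps and a spinlock cannot be held across it; any wakeup that takes the lock afterwards sees NULL and does nothing.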