Hi,
On 2023/04/27 14:53, Xiao Ni wrote:
>> for example, null-ptr-dereference:
>>
>> t1:                                     t2:
>> raid10_write_request:
>>  // read rdev
>>  rdev = conf->mirrors[].rdev;
>>                                         raid10_remove_disk
>>                                          p = conf->mirrors + number;
>>                                          rdevp = &p->rdev;
>>                                          // reset rdev
>>                                          *rdevp = NULL
>>  raid10_write_one_disk
>>   // reread rdev got NULL
>>   rdev = conf->mirrors[devnum].rdev
>>   // null-ptr-dereference
>>   mbio = bio_alloc_clone(rdev->bdev...)
>>                                          synchronize_rcu()
> Hi Yu Kuai,
>
> raid10_write_request adds the rdev->nr_pending with rcu lock
> protection. Can this case happen? After adding ->nr_pending, the rdev
> can't be removed.
The current rcu protection really is a mess, many places access rdev
after rcu_read_unlock()...
For the above case, noted that raid10_remove_disk is called before
nr_pending is increased, and raid10_write_one_disk() is called after
rcu_read_unlock().
t1:                                     t2:
raid10_write_request
 rcu_read_lock
 rdev = conf->mirrors[].rdev
 // read inside rcu
                                        raid10_remove_disk
                                        ......
                                        // nr_pending is 0, remove disk
 rcu_read_unlock
 raid10_write_one_disk
 // trigger null-ptr-dereference
                                        synchronize_rcu()
Thanks,
Kuai
>> for example, data loss:
>>
>> t1:
>> // assume that rdev is NULL, and replacement is not NULL
> How can this be triggered? Could you give the detailed commands?
>
> Best Regards
> Xiao Ni
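The interleaving Kuai draws above, replayed as a small userspace model (an added example, not code from this thread or from the kernel): one thread steps through t1 and t2 by hand, the rcu calls are stand-ins that only mark where the read section begins and ends, and the second half of remove_disk re-checks nr_pending after synchronize_rcu() and puts the pointer back, which is my reading of raid10_remove_disk and should be treated as an assumption here. It shows why taking nr_pending is not enough when raid10_write_one_disk re-reads conf->mirrors[] after rcu_read_unlock(), and that the pointer captured under RCU stays valid.

```c
#include <stddef.h>

struct md_rdev { int nr_pending; };           /* only the field the race needs */
struct raid10_conf { struct md_rdev *rdev; };  /* one mirror slot, stands in for conf->mirrors[] */

static void rcu_read_lock(void) {}
static void rcu_read_unlock(void) {}
static void synchronize_rcu(void) {}           /* t1 has already left its read section here */

/* t2, first half of raid10_remove_disk: refuse if a reader already holds the rdev. */
static int remove_disk_clear(struct raid10_conf *conf, struct md_rdev **removed)
{
    if (conf->rdev->nr_pending)
        return -1;                             /* -EBUSY in the kernel */
    *removed = conf->rdev;
    conf->rdev = NULL;                         /* *rdevp = NULL */
    return 0;
}

/* t2, second half: a reader that bumped nr_pending inside its read section is
 * still using the rdev, so the removal is backed out and the pointer restored. */
static void remove_disk_after_sync(struct raid10_conf *conf, struct md_rdev *removed)
{
    synchronize_rcu();
    if (removed && removed->nr_pending)
        conf->rdev = removed;
}

/* Replays t1/t2 from the thread.  use_saved selects what raid10_write_one_disk
 * uses: the pointer re-read from conf after rcu_read_unlock() (0, the buggy
 * pattern) or the one taken under rcu_read_lock() (1).  Returns 1 if the write
 * step would dereference NULL; *disk_present reports whether t2's removal was
 * backed out, i.e. the rdev was never freed underneath t1. */
static int replay_race(int use_saved, int *disk_present)
{
    struct md_rdev disk = { .nr_pending = 0 };
    struct raid10_conf conf = { .rdev = &disk };
    struct md_rdev *rdev, *removed = NULL, *for_write;

    rcu_read_lock();                           /* t1: raid10_write_request */
    rdev = conf.rdev;                          /* t1: read rdev inside rcu */
    remove_disk_clear(&conf, &removed);        /* t2: nr_pending still 0 -> clear */
    rdev->nr_pending++;                        /* t1: reference taken, after t2's check */
    rcu_read_unlock();
    for_write = use_saved ? rdev : conf.rdev;  /* t1: raid10_write_one_disk */
    remove_disk_after_sync(&conf, removed);    /* t2: sees nr_pending, restores pointer */
    *disk_present = (conf.rdev == &disk);
    return for_write == NULL;
}
```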