diff options
| author |  Yu Kuai <yukuai3@huawei.com>
| 2023-05-23 10:10:16 +0800 |
|---|---|---|
| committer |  Song Liu <song@kernel.org>
| 2023-06-13 15:25:13 -0700 |
| commit | 4eeb6535cd51100460ec8873bb68addef17b3e81 (patch) | |
| tree | e0ee7a0187df038af55335cead677cedff99189f /drivers/md/raid1.h | |
| parent | md/bitmap: always wake up md_thread in timeout_store (diff) | |
| download | linux-4eeb6535cd51100460ec8873bb68addef17b3e81.tar.gz linux-4eeb6535cd51100460ec8873bb68addef17b3e81.tar.bz2 linux-4eeb6535cd51100460ec8873bb68addef17b3e81.zip | |
md/bitmap: factor out a helper to set timeout
Register/unregister 'mddev->thread' are both under 'reconfig_mutex',
however, some context didn't hold the mutex to access mddev->thread,
which can cause null-ptr-deference:
1) md_bitmap_daemon_work() can be called from md_check_recovery() where
'reconfig_mutex' is not held, deference 'mddev->thread' might cause
null-ptr-deference, because md_unregister_thread() reset the pointer
before stopping the thread.
2) timeout_store() access 'mddev->thread' multiple times,
null-ptr-deference can be triggered if 'mddev->thread' is reset in the
middle.
This patch factor out a helper to set timeout, the new helper always
check if 'mddev->thread' is null first, so that problem 1 can be fixed.
Now that this helper only access 'mddev->thread' once, but it's possible
that 'mddev->thread' can be freed while this helper is still in progress,
hence the problem is not fixed yet. Follow up patches will fix this by
protecting md_thread with rcu.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-5-yukuai1@huaweicloud.com
Diffstat (limited to 'drivers/md/raid1.h')
0 files changed, 0 insertions, 0 deletions