Re: [PATCH 002 of 6] md: Fix use-after-free bug when dropping an rdev from an md array.

view
thread

!MAILaRCHIVE_VOTE_RePLACE

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Neil Brown <neilb@...>

To: Al Viro <viro@...>

Cc: Andrew Morton <akpm@...>, <linux-raid@...>, <linux-kernel@...>

Subject: Re: [PATCH 002 of 6] md: Fix use-after-free bug when dropping an rdev from an md array.

Date: Monday, January 14, 2008 - 12:48 am

On Monday January 14, viro@ZenIV.linux.org.uk wrote:
quoted text> On Mon, Jan 14, 2008 at 02:21:45PM +1100, Neil Brown wrote:
> 
> > Maybe it isn't there any more....
> > 
> > Once upon a time, when I 
> >    echo remove > /sys/block/mdX/md/dev-YYY/state
> 
> Egads.  And just what will protect you from parallel callers
> of state_store()?  buffer->mutex does *not* do that - it only
> gives you exclusion on given struct file.  Run the command
> above from several shells and you've got independent open
> from each redirect => different struct file *and* different
> buffer for each => no exclusion whatsoever.

well in -mm, rdev_attr_store gets a lock on
rdev->mddev->reconfig_mutex. 
It doesn't test is rdev->mddev is NULL though, so if the write happens
after unbind_rdev_from_array, we lose.
A test for NULL would be easy enough.  And I think that the mddev
won't actually disappear until the rdevs are all gone (you subsequent
comment about kobject_del ordering seems to confirm that) so a simple test
for NULL should be sufficient.

quoted text> 
> And _that_ is present right in the mainline tree - it's unrelated
> to -mm kobject changes.
> 
> BTW, yes, you do have a deadlock there - kobject_del() will try to evict
> children, which will include waiting for currently running ->store()
> to finish, which will include the caller since .../state *is* a child of
> that sucker.
> 
> The real problem is the lack of any kind of exclusion considerations in
> md.c itself, AFAICS.  Fun with ordering is secondary (BTW, yes, it is
> a problem - will sysfs ->store() to attribute between export_rdev() and
> kobject_del() work correctly?)

Probably not.  The possibility that rdev->mddev could be NULL would
break a lot of these.  Maybe I should delay setting rdev->mddev to
NULL until after the kobject_del.  Then audit them all.

Thanks.  I'll see what I can some up with.

NeilBrown
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: [PATCH 002 of 6] md: Fix use-after-free bug when droppin..., Neil Brown, (Mon Jan 14, 12:48 am)

Navigation

Popular discussions


linux-kernel:
Trent Piepho	[PATCH] [POWERPC] Improve (in\|out)_beXX() asm code
Stoyan Gaydarov	From 2.4 to 2.6 to 2.7?
Andi Kleen	[PATCH] [4/50] x86: add cpu codenames for Kconfig.cpu
Greg Kroah-Hartman	[PATCH 013/196] Documentation: Replace obsolete "driverfs" with "sysfs".
git:

openbsd-misc:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Jarek Poplawski	Re: HTB accuracy for high speed
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	Re: [GIT]: Networking

Colocation donated by:

Online users

Syndicate