Commit c018088b authored Dec 15, 2023 by Yu Kuai Committed by openeuler-sync-bot Jan 04, 2024

md: factor out a helper to wake up md_thread directly

mainline inclusion
from mainline-v6.5-rc1
commit e5e9b9cb
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8OPEK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e5e9b9cb71a09d86d5e8d147e6a6457e1f8887b5



--------------------------------

md_wakeup_thread() can't wakeup md_thread->tsk if md_thread->run is
still in progress, and in some cases md_thread->tsk need to be woke up
directly, like md_set_readonly() and do_md_stop().

Commit 9dfbdafd ("md: unlock mddev before reap sync_thread in
action_store") introduce a new scenario where unregister sync_thread is
not protected by 'reconfig_mutex', this can cause null-ptr-deference in
theroy:

t1: md_set_readonly		t2: action_store
				md_unregister_thread
				// 'reconfig_mutex' is not held
// 'reconfig_mutex' is held by caller
if (mddev->sync_thread)
				 thread = *threadp
				 *threadp = NULL
 wake_up_process(mddev->sync_thread->tsk)
 // null-ptr-deference

Fix this problem by factoring out a helper to wake up md_thread directly,
so that 'sync_thread' won't be accessed multiple times from the reader
side. This helper also prepare to protect md_thread with rcu.

Noted that later patches is going to fix that unregister sync_thread is
not protected by 'reconfig_mutex' from action_store().

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230523021017.3048783-2-yukuai1@huaweicloud.com



Conflict:
  drivers/md/md.c
  commit 3ce94ce5 ("md: fix duplicate filename for rdev") adds declaration
  of export_rdev()
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
(cherry picked from commit e7dc0e1e)

parent 3b063171

drivers/md/md.c

+19 −8

Original line number	Diff line number	Diff line
		@@ -90,6 +90,7 @@ static struct workqueue_struct *md_rdev_misc_wq;
		static int remove_and_add_spares(struct mddev *mddev,
		struct md_rdev *this);
		static void mddev_detach(struct mddev *mddev);
		static void md_wakeup_thread_directly(struct md_thread *thread);

		/*
		* Default number of read corrections we'll attempt on an rdev
		@@ -6396,10 +6397,12 @@ static int md_set_readonly(struct mddev mddev, struct block_device bdev)
		}
		if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
		set_bit(MD_RECOVERY_INTR, &mddev->recovery);
		if (mddev->sync_thread)
		/* Thread might be blocked waiting for metadata update
		* which will now never happen */
		wake_up_process(mddev->sync_thread->tsk);

		/*
		* Thread might be blocked waiting for metadata update which will now
		* never happen
		*/
		md_wakeup_thread_directly(mddev->sync_thread);

		if (mddev->external && test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags))
		return -EBUSY;
		@@ -6460,10 +6463,12 @@ static int do_md_stop(struct mddev *mddev, int mode,
		}
		if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
		set_bit(MD_RECOVERY_INTR, &mddev->recovery);
		if (mddev->sync_thread)
		/* Thread might be blocked waiting for metadata update
		* which will now never happen */
		wake_up_process(mddev->sync_thread->tsk);

		/*
		* Thread might be blocked waiting for metadata update which will now
		* never happen
		*/
		md_wakeup_thread_directly(mddev->sync_thread);

		mddev_unlock(mddev);
		wait_event(resync_wait, (mddev->sync_thread == NULL &&
		@@ -8010,6 +8015,12 @@ static int md_thread(void *arg)
		return 0;
		}

		static void md_wakeup_thread_directly(struct md_thread *thread)
		{
		if (thread)
		wake_up_process(thread->tsk);
		}

		void md_wakeup_thread(struct md_thread *thread)
		{
		if (thread) {