linux/drivers
Yu Kuai 8542870237 md: fix mddev uaf while iterating all_mddevs list
While iterating all_mddevs list from md_notify_reboot() and md_exit(),
list_for_each_entry_safe is used, and this can race with deleting the
next mddev, causing UAF:

t1:
spin_lock
//list_for_each_entry_safe(mddev, n, ...)
 mddev_get(mddev1)
 // assume mddev2 is the next entry
 spin_unlock
            t2:
            //remove mddev2
            ...
            mddev_free
            spin_lock
            list_del
            spin_unlock
            kfree(mddev2)
 mddev_put(mddev1)
 spin_lock
 //continue dereference mddev2->all_mddevs

The old helper for_each_mddev() actually grabs the reference of mddev2
while holding the lock, to prevent it from being freed. This problem can be
fixed the same way, however, the code will be complex.

Hence switch to use list_for_each_entry, in this case mddev_put() can free
the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor
out a helper mddev_put_locked() to fix this problem.

Cc: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/linux-raid/20250220124348.845222-1-yukuai1@huaweicloud.com
Fixes: f265143422 ("md: stop using for_each_mddev in md_notify_reboot")
Fixes: 16648bac86 ("md: stop using for_each_mddev in md_exit")
Reported-and-tested-by: Guillaume Morin <guillaume@morinfr.org>
Closes: https://lore.kernel.org/all/Z7Y0SURoA8xwg7vn@bender.morinfr.org/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2025-03-05 00:29:41 +08:00
..
accel A couple of fixes for ivpu to error handling, komeda for format 2025-02-07 14:47:25 +10:00
accessibility
acpi Merge branches 'acpi-property' and 'acpi-resource' 2025-02-07 13:06:31 +01:00
amba
android Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
ata ata changes for 6.14 part2 2025-01-31 11:07:56 -08:00
atm
auxdisplay auxdisplay for v6.14-1 2025-01-24 08:03:52 -08:00
base PM: sleep: core: Restrict power.set_active propagation 2025-02-09 14:41:48 +01:00
bcma
block loop: release the lo_work_lock before queue_work 2025-02-11 07:14:28 -07:00
bluetooth Bluetooth: btnxpuart: Fix glitches seen in dual A2DP streaming 2025-01-29 15:23:49 -05:00
bus genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
cache
cdrom treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
cdx
char treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
clk The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
clocksource
comedi
connector
counter
cpufreq amd-pstate fixes 2/6/25 2025-02-06 20:39:43 +01:00
cpuidle More power management updates for 6.14-rc1 2025-01-30 15:10:34 -08:00
crypto Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
cxl cxl changes for v6.14 2025-01-29 11:23:22 -08:00
dax
dca
devfreq
dio
dma dmaengine updates for v6.14 2025-01-29 14:29:57 -08:00
dma-buf
dpll
edac - The first part of a restructuring of AMD's representation of a northbridge 2025-01-21 09:38:52 -08:00
eisa
extcon
firewire Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
firmware * Kconfig and IPv6 minor fixes. 2025-02-07 11:05:50 -08:00
fpga
fsi
gnss
gpio gpio: GPIO_GRGPIO should depend on OF 2025-02-05 14:37:53 +01:00
gpu - Fix the build error with clamp after WARN_ON on gcc 13.x+ (Guenter) 2025-02-07 15:42:21 +10:00
greybus
hid pci-v6.14-changes 2025-01-25 16:03:40 -08:00
hsi
hte
hv treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
hwmon Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
hwspinlock
hwtracing KVM/arm64 updates for 6.14 2025-01-28 09:01:36 -08:00
i2c Revert "i2c: Replace list-based mechanism for handling auto-detected clients" 2025-02-05 14:22:12 +01:00
i3c I3C for 6.14 2025-01-24 15:48:01 -08:00
idle Power management updates for 6.14-rc1 2025-01-22 11:16:14 -08:00
iio IIO: 2nd set of fixes for the 6.13 cycle. 2025-01-16 13:46:08 +01:00
infiniband Mainly individually changelogged singleton patches. The patch series in 2025-01-26 17:50:53 -08:00
input platform-drivers-x86 for v6.14-1 2025-01-24 07:18:39 -08:00
interconnect interconnect changes for 6.14 2025-01-16 14:01:40 +01:00
iommu hyperv-next for v6.14 2025-01-25 09:22:55 -08:00
ipack
irqchip genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
isdn
leds Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
macintosh The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
mailbox mailbox: th1520: Fix memory corruption due to incorrect array size 2025-01-18 16:20:55 -06:00
mcb
md md: fix mddev uaf while iterating all_mddevs list 2025-03-05 00:29:41 +08:00
media [GIT PULL for v6.14] media updates 2025-02-01 09:15:01 -08:00
memory spi: Support DTR in spi-mem 2025-01-15 19:07:39 +01:00
memstick Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
message
mfd - Fix race in device_node_get_regmap() using more extensive locking. 2025-01-22 09:16:02 -08:00
misc treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
mmc blk-crypto: add basic hardware-wrapped key support 2025-02-10 09:54:19 -07:00
most
mtd block-6.14-20250131 2025-01-31 11:49:30 -08:00
mux
net Revert "net: stmmac: Specify hardware capability value when FIFO size isn't specified" 2025-02-06 11:53:54 +01:00
nfc nfc: mrvl: Don't use "proxy" headers 2025-01-18 17:10:05 -08:00
ntb PCI: Remove devres from pci_intx() 2025-01-18 14:38:49 -06:00
nubus
nvdimm
nvme nvme fixes for Linux 6.14 2025-02-03 09:19:03 -07:00
nvmem
of Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
opp Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
parisc
parport
pci PCI/TPH: Restore TPH Requester Enable correctly 2025-02-06 10:30:11 -06:00
pcmcia
peci
perf treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
phy phy-for-6.14 2025-01-29 14:32:38 -08:00
pinctrl Pin control changes for the v6.14 kernel cycle: 2025-01-24 07:38:50 -08:00
platform platform/x86/intel/ifs: Update documentation with image download path 2025-02-04 10:00:45 +02:00
pmdomain pmdomain: airoha: Fix compilation error with Clang-20 and Thumb2 mode 2025-01-21 10:45:24 +01:00
pnp
power power supply and reset changes for the 6.14 series 2025-01-27 15:37:16 -08:00
powercap Merge branch 'pm-powercap' 2025-02-07 12:43:58 +01:00
pps
ps3
ptp First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
pwm Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
rapidio
ras
regulator regulator: Fixes for v6.14 2025-01-29 11:56:55 -08:00
remoteproc remoteproc: st: Use syscon_regmap_lookup_by_phandle_args 2025-01-15 10:04:27 -07:00
reset soc: driver updates for 6.14 2025-01-24 14:56:59 -08:00
rpmsg
rtc RTC for 6.13 2025-01-30 17:50:02 -08:00
s390 more s390 updates for 6.14 merge window 2025-01-30 10:48:17 -08:00
sbus
scsi scsi: qla1280: Fix kernel oops when debug level > 2 2025-02-03 17:54:56 -05:00
sh
siox
slimbus Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
soc genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
soundwire soundwire updates for 6.14 2025-01-29 14:38:19 -08:00
spi spi: Fix for v6.14 2025-01-24 16:12:12 -08:00
spmi spmi: hisi-spmi-controller: Drop duplicated OF node assignment in spmi_controller_probe() 2025-01-17 12:58:49 +01:00
ssb
staging Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
target Merge branch '6.14/scsi-queue' into 6.14/scsi-fixes 2025-02-03 16:28:51 -05:00
tc
tee
thermal Merge branch 'thermal-intel' 2025-01-20 13:10:15 +01:00
thunderbolt Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
tty fsnotify: use accessor to set FMODE_NONOTIFY_* 2025-02-07 10:27:26 +01:00
ufs blk-crypto: add basic hardware-wrapped key support 2025-02-10 09:54:19 -07:00
uio Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
usb Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
vdpa virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
vfio VFIO updates for v6.14-rc1 2025-01-28 14:16:46 -08:00
vhost vhost/net: Set num_buffers for virtio 1.0 2025-01-27 09:39:25 -05:00
video fbdev fixes and updates for 6.14-rc1: 2025-01-24 11:32:13 -08:00
virt - A segmented Reverse Map table (RMP) is a across-nodes distributed 2025-01-21 09:00:31 -08:00
virtio virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
w1
watchdog linux-watchdog 6.14-rc1 tag 2025-01-25 16:19:10 -08:00
xen xen: branch for v6.14-rc1 2025-01-29 11:39:20 -08:00
zorro
Kconfig
Makefile