From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: YueHaibing <yuehaibing@huawei.com>,
	Hulk Robot <hulkci@huawei.com>, Christoph Hellwig <hch@lst.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 09/24] configfs: fix possible use-after-free in configfs_register_group
Date: Tue,  4 Jun 2019 19:24:00 -0400
Message-ID: <20190604232416.7479-9-sashal@kernel.org>
In-Reply-To: <20190604232416.7479-1-sashal@kernel.org>

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit 35399f87e271f7cf3048eab00a421a6519ac8441 ]

In configfs_register_group(), if create_default_group() failed, we
forget to unlink the group. It will leave an invalid item in the parent list,
which may trigger the use-after-free issue seen below:

BUG: KASAN: use-after-free in __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
Read of size 8 at addr ffff8881ef61ae20 by task syz-executor.0/5996

CPU: 1 PID: 5996 Comm: syz-executor.0 Tainted: G         C        5.0.0+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa9/0x10e lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
 __list_add include/linux/list.h:60 [inline]
 list_add_tail include/linux/list.h:93 [inline]
 link_obj+0xb0/0x190 fs/configfs/dir.c:759
 link_group+0x1c/0x130 fs/configfs/dir.c:784
 configfs_register_group+0x56/0x1e0 fs/configfs/dir.c:1751
 configfs_register_default_group+0x72/0xc0 fs/configfs/dir.c:1834
 ? 0xffffffffc1be0000
 iio_sw_trigger_init+0x23/0x1000 [industrialio_sw_trigger]
 do_one_initcall+0xbc/0x47d init/main.c:887
 do_init_module+0x1b5/0x547 kernel/module.c:3456
 load_module+0x6405/0x8c10 kernel/module.c:3804
 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f494ecbcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007f494ecbcc70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494ecbd6bc
R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004

Allocated by task 5987:
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 configfs_register_default_group+0x4c/0xc0 fs/configfs/dir.c:1829
 0xffffffffc1bd0023
 do_one_initcall+0xbc/0x47d init/main.c:887
 do_init_module+0x1b5/0x547 kernel/module.c:3456
 load_module+0x6405/0x8c10 kernel/module.c:3804
 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5987:
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
 slab_free_hook mm/slub.c:1429 [inline]
 slab_free_freelist_hook mm/slub.c:1456 [inline]
 slab_free mm/slub.c:3003 [inline]
 kfree+0xe1/0x270 mm/slub.c:3955
 configfs_register_default_group+0x9a/0xc0 fs/configfs/dir.c:1836
 0xffffffffc1bd0023
 do_one_initcall+0xbc/0x47d init/main.c:887
 do_init_module+0x1b5/0x547 kernel/module.c:3456
 load_module+0x6405/0x8c10 kernel/module.c:3804
 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881ef61ae00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 32 bytes inside of
 192-byte region [ffff8881ef61ae00, ffff8881ef61aec0)
The buggy address belongs to the page:
page:ffffea0007bd8680 count:1 mapcount:0 mapping:ffff8881f6c03000 index:0xffff8881ef61a700
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0007ca4740 0000000500000005 ffff8881f6c03000
raw: ffff8881ef61a700 000000008010000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881ef61ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881ef61ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881ef61ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8881ef61ae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881ef61af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 5cf6a51e6062 ("configfs: allow dynamic group creation")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/configfs/dir.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index d2a1a79fa324..d7955dc56737 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -1755,12 +1755,19 @@ int configfs_register_group(struct config_group *parent_group,
 
 	inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
 	ret = create_default_group(parent_group, group);
-	if (!ret) {
-		spin_lock(&configfs_dirent_lock);
-		configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
-		spin_unlock(&configfs_dirent_lock);
-	}
+	if (ret)
+		goto err_out;
+
+	spin_lock(&configfs_dirent_lock);
+	configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
+	spin_unlock(&configfs_dirent_lock);
+	inode_unlock(d_inode(parent));
+	return 0;
+err_out:
 	inode_unlock(d_inode(parent));
+	mutex_lock(&subsys->su_mutex);
+	unlink_group(group);
+	mutex_unlock(&subsys->su_mutex);
 	return ret;
 }
 EXPORT_SYMBOL(configfs_register_group);
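Review bot: the new err_out path dereferences `subsys` (`mutex_lock(&subsys->su_mutex);`), but no declaration of it is visible in this hunk; since this is an AUTOSEL backport to 4.14, it is worth confirming that the 4.14 configfs_register_group() already has the subsystem pointer in scope, otherwise the backport will not build. The cleanup itself is symmetric with the setup: the call trace in the message shows link_group() at fs/configfs/dir.c:1751, before the inode_lock_nested() at the top of this hunk, and the error path now calls unlink_group() only after inode_unlock(), so the group is unlinked outside the inode lock in the same way it was linked. One small readability point: the success path and err_out each carry their own `inode_unlock(d_inode(parent));`; a one-line comment on err_out saying that su_mutex is deliberately taken only after the inode lock is dropped would make clear that the duplicated unlock is intentional rather than an oversight.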
-- 
2.20.1
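The following is an added user-space model of the bug and the fix, not code from the patch, from configfs, or from the kernel; every name in it (`register_group`, `create_default_children`, `scenario`, the `struct group` stand-in for `struct config_group`) is hypothetical. It reproduces the sequence from the KASAN report: a group is linked into its parent's list before its default children are created, child creation fails, the caller frees the group, and the next registration trips the same neighbour-consistency check that `__list_add_valid()` performs in lib/list_debug.c. Instead of a real `free()`, the "freed" object is overwritten with KASAN's freed-object poison byte (0xfb, as in the "Memory state" dump) and kept allocated, so the demonstration stays within defined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Doubly linked list in the style of include/linux/list.h (re-implemented here). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* list_add_tail() with the neighbour consistency check that
 * __list_add_valid() performs; returns false instead of reporting. */
static bool list_add_tail_checked(struct list_head *entry, struct list_head *head)
{
	struct list_head *prev = head->prev, *next = head;

	if (prev->next != next || next->prev != prev)
		return false;	/* a stale (freed) neighbour is still linked */
	next->prev = entry;
	entry->next = next;
	entry->prev = prev;
	prev->next = entry;
	return true;
}

static void list_del(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = entry->prev = NULL;
}

/* Hypothetical stand-in for struct config_group: just the list linkage. */
struct group {
	struct list_head entry;
	char name[32];
};

/* Hypothetical stand-in for create_default_group(); `fail` simulates -ENOMEM. */
static int create_default_children(struct group *g, bool fail)
{
	(void)g;
	return fail ? -ENOMEM : 0;
}

/* Models configfs_register_group(): the group is linked into the parent
 * first, then its default children are created. unlink_on_error=false is
 * the behaviour before the patch; true is the patched err_out path. */
static int register_group(struct list_head *parent, struct group *g,
			  bool fail_children, bool unlink_on_error)
{
	int ret;

	if (!list_add_tail_checked(&g->entry, parent))
		return -EINVAL;	/* list corruption: where list_debug/KASAN fired */
	ret = create_default_children(g, fail_children);
	if (ret) {
		if (unlink_on_error)
			list_del(&g->entry);	/* the fix: unlink_group() on error */
		return ret;
	}
	return 0;
}

/* Whole scenario from the report: a first registration whose children fail,
 * the caller freeing the group (configfs_register_default_group() does a
 * kfree()), then a second registration into the same parent. Returns the
 * second registration's result: -EINVAL (corruption caught) without the
 * unlink, 0 with it. */
static int scenario(bool unlink_on_error)
{
	struct list_head parent;
	struct group *g1 = calloc(1, sizeof *g1);
	struct group g2 = { { NULL, NULL }, "second" };
	int ret;

	if (!g1)
		return -ENOMEM;
	init_list_head(&parent);
	strcpy(g1->name, "first");

	ret = register_group(&parent, g1, true, unlink_on_error);
	if (ret == -ENOMEM) {
		/* Stand-in for kfree(): poison with 0xfb like KASAN marks a
		 * freed object, but keep the allocation (no undefined behaviour). */
		memset(g1, 0xfb, sizeof *g1);
	}

	ret = register_group(&parent, &g2, false, unlink_on_error);
	free(g1);
	return ret;
}

int main(void)
{
	printf("without unlink on error: second register -> %d\n", scenario(false));
	printf("with unlink on error:    second register -> %d\n", scenario(true));
	return 0;
}
```

The point the model makes for a reviewer is the one the patch encodes: whatever is linked before the lock is taken must be unlinked on every failure path before the caller is allowed to free it, otherwise the parent list keeps a pointer into freed memory and the fault surfaces later, in an unrelated registration, which is exactly why the trace above blames iio_sw_trigger_init() rather than the code that leaked the link.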

