From: Nicolai Stange <nicstange@gmail.com>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Nicolai Stange <nicstange@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jonathan Corbet <corbet@lwn.net>, Jan Kara <jack@suse.com>,
Andrew Morton <akpm@linux-foundation.org>,
Julia Lawall <Julia.Lawall@lip6.fr>,
Gilles Muller <Gilles.Muller@lip6.fr>,
Nicolas Palix <nicolas.palix@imag.fr>,
Michal Marek <mmarek@suse.com>,
linux-kernel@vger.kernel.org, cocci@systeme.lip6.fr
Subject: Re: [PATCH v6 2/8] debugfs: prevent access to removed files' private data
Date: Wed, 18 May 2016 18:32:15 +0200 [thread overview]
Message-ID: <87mvnnxr74.fsf@gmail.com> (raw)
In-Reply-To: <573C87B8.902@oracle.com> (Sasha Levin's message of "Wed, 18 May 2016 11:18:16 -0400")
Sasha Levin <sasha.levin@oracle.com> writes:
> On 05/18/2016 11:01 AM, Nicolai Stange wrote:
>> Thanks a million for reporting!
>>
>> 1.) Do you have lockdep enabled?
>
> Yup, nothing there.
>
>> 2.) Does this happen before or after userspace init has been spawned,
>> i.e. does the lockup happen at debugfs file creation time or
>> possibly at usage time?
>
> So I looked closer, and it seems to happen after starting syzkaller, which
> as far as I know tries to open many different debugfs files.
>
> Is there debug code I can add it that'll help us figure out what's up?
Could you try the patch below? I stared at the new full_proxy_open() for
a while now and had to recognize the fact that if the original real_fops'
->open() fails, then its owning module's reference won't ever get
dropped :(
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 6eb58a8..2e663d4 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -263,10 +263,14 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
if (real_fops->open) {
r = real_fops->open(inode, filp);
- if (filp->f_op != proxy_fops) {
+ if (r) {
+ replace_fops(filp, d_inode(dentry)->i_fop);
+ goto free_proxy;
+ } else if (filp->f_op != proxy_fops) {
/* No protection against file removal anymore. */
WARN(1, "debugfs file owner replaced proxy fops: %pd",
dentry);
+ replace_fops(filp, d_inode(dentry)->i_fop);
goto free_proxy;
}
}
I don't see directly how this could lead to lockups, but I think it's
better to rule out the obvious before inserting more or less random
printks...
Thank you very much again,
Nicolai
WARNING: multiple messages have this Message-ID (diff)
From: nicstange@gmail.com (Nicolai Stange)
To: cocci@systeme.lip6.fr
Subject: [Cocci] [PATCH v6 2/8] debugfs: prevent access to removed files' private data
Date: Wed, 18 May 2016 18:32:15 +0200 [thread overview]
Message-ID: <87mvnnxr74.fsf@gmail.com> (raw)
In-Reply-To: <573C87B8.902@oracle.com> (Sasha Levin's message of "Wed, 18 May 2016 11:18:16 -0400")
Sasha Levin <sasha.levin@oracle.com> writes:
> On 05/18/2016 11:01 AM, Nicolai Stange wrote:
>> Thanks a million for reporting!
>>
>> 1.) Do you have lockdep enabled?
>
> Yup, nothing there.
>
>> 2.) Does this happen before or after userspace init has been spawned,
>> i.e. does the lockup happen at debugfs file creation time or
>> possibly at usage time?
>
> So I looked closer, and it seems to happen after starting syzkaller, which
> as far as I know tries to open many different debugfs files.
>
> Is there debug code I can add it that'll help us figure out what's up?
Could you try the patch below? I stared at the new full_proxy_open() for
a while now and had to recognize the fact that if the original real_fops'
->open() fails, then its owning module's reference won't ever get
dropped :(
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 6eb58a8..2e663d4 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -263,10 +263,14 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
if (real_fops->open) {
r = real_fops->open(inode, filp);
- if (filp->f_op != proxy_fops) {
+ if (r) {
+ replace_fops(filp, d_inode(dentry)->i_fop);
+ goto free_proxy;
+ } else if (filp->f_op != proxy_fops) {
/* No protection against file removal anymore. */
WARN(1, "debugfs file owner replaced proxy fops: %pd",
dentry);
+ replace_fops(filp, d_inode(dentry)->i_fop);
goto free_proxy;
}
}
I don't see directly how this could lead to lockups, but I think it's
better to rule out the obvious before inserting more or less random
printks...
Thank you very much again,
Nicolai
next prev parent reply other threads:[~2016-05-18 16:32 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-22 13:11 [PATCH v6 0/8] fix debugfs file removal races Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 1/8] debugfs: prevent access to possibly dead file_operations at file open Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 2/8] debugfs: prevent access to removed files' private data Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-05-18 14:48 ` Sasha Levin
2016-05-18 15:01 ` Nicolai Stange
2016-05-18 15:01 ` [Cocci] " Nicolai Stange
2016-05-18 15:18 ` Sasha Levin
2016-05-18 16:05 ` Greg Kroah-Hartman
2016-05-20 16:57 ` Sasha Levin
2016-05-21 17:57 ` Nicolai Stange
2016-05-21 17:57 ` [Cocci] " Nicolai Stange
2016-05-22 13:28 ` Nicolai Stange
2016-05-22 13:28 ` [Cocci] " Nicolai Stange
2016-05-18 16:32 ` Nicolai Stange [this message]
2016-05-18 16:32 ` Nicolai Stange
2016-05-20 16:55 ` Sasha Levin
2016-03-22 13:11 ` [PATCH v6 3/8] debugfs: add support for self-protecting attribute file fops Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 4/8] debugfs, coccinelle: check for obsolete DEFINE_SIMPLE_ATTRIBUTE() usage Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:18 ` Julia Lawall
2016-03-22 13:18 ` [Cocci] " Julia Lawall
2016-03-22 13:11 ` [PATCH v6 5/8] debugfs: unproxify integer attribute files Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 6/8] debugfs: unproxify files created through debugfs_create_bool() Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 7/8] debugfs: unproxify files created through debugfs_create_blob() Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2016-03-22 13:11 ` [PATCH v6 8/8] debugfs: unproxify files created through debugfs_create_u32_array() Nicolai Stange
2016-03-22 13:11 ` [Cocci] " Nicolai Stange
2017-03-19 16:30 [PATCH v6 2/8] debugfs: prevent access to removed files' private data Arkady
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mvnnxr74.fsf@gmail.com \
--to=nicstange@gmail.com \
--cc=Gilles.Muller@lip6.fr \
--cc=Julia.Lawall@lip6.fr \
--cc=akpm@linux-foundation.org \
--cc=cocci@systeme.lip6.fr \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=mmarek@suse.com \
--cc=nicolas.palix@imag.fr \
--cc=paulmck@linux.vnet.ibm.com \
--cc=sasha.levin@oracle.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.