From: Richard Weinberger <richard@nod.at>
To: "libaokun (A)" <libaokun1@huawei.com>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
Vignesh Raghavendra <vigneshr@ti.com>,
linux-mtd <linux-mtd@lists.infradead.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
yukuai3@huawei.com, Hulk Robot <hulkci@huawei.com>
Subject: Re: [PATCH -next V3] ubi: fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
Date: Thu, 23 Dec 2021 22:06:08 +0100 (CET) [thread overview]
Message-ID: <509065063.197038.1640293568550.JavaMail.zimbra@nod.at> (raw)
In-Reply-To: <7e00eda5-3b35-6d3c-29fb-664b12cca6dd@huawei.com>
----- Ursprüngliche Mail -----
> Von: "libaokun (A)" <libaokun1@huawei.com>
> 在 2021/11/5 17:30, Baokun Li 写道:
>
> ping
Thanks for your patience.
>> Hulk Robot reported a KASAN report about use-after-free:
[...]
>> The cause of this problem is that commit 714fb87e8bc0 make device
>> "available" before it becomes accessible via sysfs. Therefore, we
>> roll back the modification. We will fix the race condition between
>> ubi device creation and udev by removing ubi_get_device in
>> vol_attribute_show and dev_attribute_show.This avoids accessing
>> uninitialized ubi_devices[ubi_num].
>>
>> ubi_get_device is used to prevent devices from being deleted during
>> sysfs execution. However, now kernfs ensures that devices will not
>> be deleted before all reference counting are released.
>> The key process is shown in the following stack.
ubi_get_device() in dev_attribute_show() is used to detect whether
the ubi device got detached while the sysfs file is open.
Hmm. I thought for sysfs this is not the case since sysfs does not implement
a release() method. So kernfs_drain_open_files() will return early.
But there is a good chance that I don't got all kernfs/sysfs details.
Thanks,
//richard
next prev parent reply other threads:[~2021-12-23 21:06 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-05 9:30 [PATCH -next V3] ubi: fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl Baokun Li
2021-12-21 12:33 ` libaokun (A)
2021-12-23 21:06 ` Richard Weinberger [this message]
2021-12-28 7:48 ` Zhihao Cheng
2021-12-30 21:32 ` Richard Weinberger
2021-12-28 12:40 ` libaokun (A)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=509065063.197038.1640293568550.JavaMail.zimbra@nod.at \
--to=richard@nod.at \
--cc=hulkci@huawei.com \
--cc=libaokun1@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=miquel.raynal@bootlin.com \
--cc=vigneshr@ti.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).