From: "Christian A. Ehrhardt" <lk@c--e.de>
To: Tejun Heo <tj@kernel.org>
Cc: linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] kernfs: fix use-after-free in __kernfs_remove
Date: Fri, 9 Sep 2022 00:25:36 +0200	[thread overview]
Message-ID: <Yxpr4HSSxNw3SDrI@cae.in-ulm.de> (raw)
In-Reply-To: <YxojA7pDe8Ur7wpd@slm.duckdns.org>


Hello Tejun,

On Thu, Sep 08, 2022 at 07:14:43AM -1000, Tejun Heo wrote:
> Hello, Christian.
> 
> On Wed, Sep 07, 2022 at 10:08:11PM +0200, Christian A. Ehrhardt wrote:
> > Concurrent calls to __kernfs_remove can race on the removal
> > of the root node: The race occurs if the root node (kn) is freed
> > during kernfs_drain. The child node (pos) is explicitly protected
> > with an additional ref count. Do the same for the root node.
> 
> I don't think this is right. We don't support parallel invocations of
> __kernfs_remove() this way. If @kn can be freed during kernfs_drain(), it
> also means that it can be freed before kernfs_rwsem is grabbed in
> kernfs_remove().

Point taken. However, the syzkaller reproducer reliably triggers
the bug without the patch and the bug is gone with the patch.

> The caller must be responsible for ensuring that @kn
> remains allocated. Otherwise, it can't be made reliable.

In this case the caller of __kernfs_remove is not kernfs_remove but
kernfs_remove_by_name_ns and it fails to take a reference for the
node that it looks up and deletes. Thus a second call to
kernfs_remove_by_name_ns can remove the node while kernfs_drain
drops the semaphore.

I'll post an updated patch tomorrow.

      regards   Christian
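The point in the reply above, that a caller which looks a node up and then lets __kernfs_remove drop the semaphore in kernfs_drain must pin that node with its own reference, can be shown with a small userspace model. The code below is an added example, not kernfs code and not the patch under discussion: the struct, the table, the lock and the `race()` driver are constructed for illustration, with the lock drop inside the drain modelled by an explicit unlock/lock and "freed" standing in for the memory actually being released. Two removers target the same name; remover B runs to completion while remover A sits in its drain.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical refcounted directory node (constructed model, not kernfs).
 * The node stays allocated while refcnt > 0; the parent table owns one
 * reference; "freed" marks the point where real code would kfree(). */
struct node {
	const char *name;
	int refcnt;
	bool linked;	/* still reachable through the parent table */
	bool freed;	/* refcnt reached zero */
};

enum outcome { REMOVED, ALREADY_GONE, USE_AFTER_FREE };

static struct node table[2];	/* the "parent directory" */
static bool lock_held;		/* stands in for kernfs_rwsem */

static void model_lock(void)   { assert(!lock_held); lock_held = true; }
static void model_unlock(void) { assert(lock_held);  lock_held = false; }

static void node_get(struct node *kn) { assert(!kn->freed); kn->refcnt++; }
static void node_put(struct node *kn)
{
	assert(!kn->freed);
	if (--kn->refcnt == 0)
		kn->freed = true;	/* real code would release the memory here */
}

/* Lookup by name under the lock: the caller gets a pointer but no reference. */
static struct node *find(const char *name)
{
	assert(lock_held);
	for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
		if (table[i].linked && !strcmp(table[i].name, name))
			return &table[i];
	return NULL;
}

/* Second half of removal, after the drain: unlink and drop the table's
 * reference. Touching kn here after another remover freed it is the
 * use-after-free; the model reports it instead of crashing. */
static enum outcome remove_finish(struct node *kn)
{
	assert(lock_held);
	if (kn->freed)
		return USE_AFTER_FREE;
	if (!kn->linked)
		return ALREADY_GONE;	/* someone else unlinked it first */
	kn->linked = false;
	node_put(kn);
	return REMOVED;
}

/* Remover A looks the node up and drops the lock to drain; remover B runs
 * to completion in that window; A resumes. With take_ref, A pins the node
 * across the drain, which is what the caller of __kernfs_remove must do. */
static enum outcome race(bool take_ref)
{
	table[0] = (struct node){ .name = "foo", .refcnt = 1, .linked = true };
	table[1] = (struct node){ .name = "bar", .refcnt = 1, .linked = true };

	/* Remover A: lookup, then enter drain. */
	model_lock();
	struct node *a = find("foo");
	assert(a);
	if (take_ref)
		node_get(a);
	model_unlock();		/* drain drops the lock */

	/* Remover B: lookup, drain, unlink, drop the table's reference. */
	model_lock();
	struct node *b = find("foo");
	assert(b == a);
	model_unlock();		/* B's own drain */
	model_lock();
	remove_finish(b);	/* frees the node unless A holds a reference */
	model_unlock();

	/* Remover A resumes after its drain. */
	model_lock();
	enum outcome result = remove_finish(a);
	if (take_ref && result != USE_AFTER_FREE)
		node_put(a);	/* drop A's pin; the node is freed here, cleanly */
	model_unlock();
	return result;
}

int main(void)
{
	printf("no reference held: %s\n",
	       race(false) == USE_AFTER_FREE ? "use-after-free" : "ok");
	printf("reference held:    %s\n",
	       race(true) == ALREADY_GONE ? "already unlinked, no UAF" : "unexpected");
	return 0;
}
```

Without the extra reference the second remover drops the table's only reference and the first remover's `remove_finish()` touches freed memory; with it, the first remover comes back to a node that is still allocated, sees it is already unlinked, and releases its own reference. The same pattern applies to any lookup-then-act sequence that drops a lock in the middle: the pointer obtained from the lookup is only valid for as long as the caller holds either the lock or a reference.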


Thread overview:
2022-09-07 20:08 [PATCH] kernfs: fix use-after-free in __kernfs_remove Christian A. Ehrhardt
2022-09-08 17:14 ` Tejun Heo
2022-09-08 22:25   ` Christian A. Ehrhardt [this message]
2022-09-12 21:24     ` Christian A. Ehrhardt
2022-09-12 21:39       ` Tejun Heo
2022-09-13 12:17         ` [PATCH v2] " Christian A. Ehrhardt
2022-09-19 17:35           ` Tejun Heo