When configfs_lookup() is executing list_for_each_entry(),
it is possible that configfs_dir_lseek() is calling list_del().
Some unfortunate interleavings of them can cause a kernel NULL
pointer dereference error
Thread 1 Thread 2
//configfs_dir_lseek() //configfs_lookup()
list_del(&cursor->s_sibling);
list_for_each_entry(sd, ...)
Fix this bug by grabbing configfs_dirent_lock in configfs_lookup().
Reported-by: Sishuai Gong <[email protected]>
Signed-off-by: sishuaigong <[email protected]>
---
fs/configfs/dir.c | 86 +++++++++++++++++++----------------------------
1 file changed, 35 insertions(+), 51 deletions(-)
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index ac5e0c0e9181..c9af54f75051 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -417,44 +417,13 @@ static void configfs_remove_dir(struct config_item * item)
dput(dentry);
}
-
-/* attaches attribute's configfs_dirent to the dentry corresponding to the
- * attribute file
- */
-static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * dentry)
-{
- struct configfs_attribute * attr = sd->s_element;
- struct inode *inode;
-
- spin_lock(&configfs_dirent_lock);
- dentry->d_fsdata = configfs_get(sd);
- sd->s_dentry = dentry;
- spin_unlock(&configfs_dirent_lock);
-
- inode = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG);
- if (IS_ERR(inode)) {
- configfs_put(sd);
- return PTR_ERR(inode);
- }
- if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
- inode->i_size = 0;
- inode->i_fop = &configfs_bin_file_operations;
- } else {
- inode->i_size = PAGE_SIZE;
- inode->i_fop = &configfs_file_operations;
- }
- d_add(dentry, inode);
- return 0;
-}
-
static struct dentry * configfs_lookup(struct inode *dir,
struct dentry *dentry,
unsigned int flags)
{
struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata;
struct configfs_dirent * sd;
- int found = 0;
- int err;
+ struct inode *inode = NULL;
/*
* Fake invisibility if dir belongs to a group/default groups hierarchy
@@ -464,38 +433,53 @@ static struct dentry * configfs_lookup(struct inode *dir,
* not complete their initialization, since the dentries of the
* attributes won't be instantiated.
*/
- err = -ENOENT;
if (!configfs_dirent_is_ready(parent_sd))
- goto out;
+ return ERR_PTR(-ENOENT);
+ spin_lock(&configfs_dirent_lock);
list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
if (sd->s_type & CONFIGFS_NOT_PINNED) {
- const unsigned char * name = configfs_get_name(sd);
-
+ const unsigned char *name = configfs_get_name(sd);
if (strcmp(name, dentry->d_name.name))
continue;
- found = 1;
- err = configfs_attach_attr(sd, dentry);
- break;
- }
- }
+ struct configfs_attribute *attr = sd->s_element;
+ umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG;
- if (!found) {
- /*
- * If it doesn't exist and it isn't a NOT_PINNED item,
- * it must be negative.
- */
- if (dentry->d_name.len > NAME_MAX)
- return ERR_PTR(-ENAMETOOLONG);
- d_add(dentry, NULL);
- return NULL;
+ dentry->d_fsdata = configfs_get(sd);
+ sd->s_dentry = dentry;
+
+ spin_unlock(&configfs_dirent_lock);
+
+ inode = configfs_create(dentry, mode);
+ if (IS_ERR(inode)) {
+ configfs_put(sd);
+ return ERR_CAST(inode);
+ }
+ if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
+ inode->i_size = 0;
+ inode->i_fop = &configfs_bin_file_operations;
+ } else {
+ inode->i_size = PAGE_SIZE;
+ inode->i_fop = &configfs_file_operations;
+ }
+ goto out;
+ }
}
+ spin_unlock(&configfs_dirent_lock);
+ /*
+ * If it doesn't exist and it isn't a NOT_PINNED item,
+ * it must be negative.
+ */
+ if (dentry->d_name.len > NAME_MAX)
+ return ERR_PTR(-ENAMETOOLONG);
out:
- return ERR_PTR(err);
+ d_add(dentry, inode);
+ return NULL;
}
+
/*
* Only subdirectories count here. Files (CONFIGFS_NOT_PINNED) are
* attributes and are removed by rmdir(). We recurse, setting
--
2.17.1
Hi sishuaigong,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on hch-configfs/for-next]
[also build test WARNING on v5.14-rc7 next-20210823]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/sishuaigong/configfs-fix-a-race-in-configfs_lookup/20210824-034517
base: git://git.infradead.org/users/hch/configfs.git for-next
config: m68k-buildonly-randconfig-r006-20210822 (attached as .config)
compiler: m68k-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/ff28c41926fb184655325e34dba02c438963dcf5
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review sishuaigong/configfs-fix-a-race-in-configfs_lookup/20210824-034517
git checkout ff28c41926fb184655325e34dba02c438963dcf5
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=m68k
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
fs/configfs/dir.c: In function 'configfs_lookup':
>> fs/configfs/dir.c:446:25: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
446 | struct configfs_attribute *attr = sd->s_element;
| ^~~~~~
vim +446 fs/configfs/dir.c
419
420 static struct dentry * configfs_lookup(struct inode *dir,
421 struct dentry *dentry,
422 unsigned int flags)
423 {
424 struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata;
425 struct configfs_dirent * sd;
426 struct inode *inode = NULL;
427
428 /*
429 * Fake invisibility if dir belongs to a group/default groups hierarchy
430 * being attached
431 *
432 * This forbids userspace to read/write attributes of items which may
433 * not complete their initialization, since the dentries of the
434 * attributes won't be instantiated.
435 */
436 if (!configfs_dirent_is_ready(parent_sd))
437 return ERR_PTR(-ENOENT);
438
439 spin_lock(&configfs_dirent_lock);
440 list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
441 if (sd->s_type & CONFIGFS_NOT_PINNED) {
442 const unsigned char *name = configfs_get_name(sd);
443 if (strcmp(name, dentry->d_name.name))
444 continue;
445
> 446 struct configfs_attribute *attr = sd->s_element;
447 umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG;
448
449 dentry->d_fsdata = configfs_get(sd);
450 sd->s_dentry = dentry;
451
452 spin_unlock(&configfs_dirent_lock);
453
454 inode = configfs_create(dentry, mode);
455 if (IS_ERR(inode)) {
456 configfs_put(sd);
457 return ERR_CAST(inode);
458 }
459 if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
460 inode->i_size = 0;
461 inode->i_fop = &configfs_bin_file_operations;
462 } else {
463 inode->i_size = PAGE_SIZE;
464 inode->i_fop = &configfs_file_operations;
465 }
466 goto out;
467 }
468 }
469 spin_unlock(&configfs_dirent_lock);
470
471 /*
472 * If it doesn't exist and it isn't a NOT_PINNED item,
473 * it must be negative.
474 */
475 if (dentry->d_name.len > NAME_MAX)
476 return ERR_PTR(-ENAMETOOLONG);
477 out:
478 d_add(dentry, inode);
479 return NULL;
480 }
481
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]