Received: by 10.223.185.116 with SMTP id b49csp5535990wrg;
        Tue, 27 Feb 2018 15:21:51 -0800 (PST)
X-Google-Smtp-Source: AH8x227/k73e0ANLunLlcmq1uBXOi6KagxIT8cfz1nGHgmET4NYy/XpvMRIg+ojqLGgbMmoCyyiX
X-Received: by 10.99.122.71 with SMTP id j7mr12446753pgn.151.1519773711390;
        Tue, 27 Feb 2018 15:21:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519773711; cv=none;
        d=google.com; s=arc-20160816;
        b=KLSuyjaknsdP3p3a8dAGcTOo1E7f8KtftwmEv6TpCCNIxPKbe2ufxQ3BCf6Ql2/vxW
         fW9rSDTEKkEFJVrP+S/sLLNmhjpL2bayNvi7PbWI1GzWcZKFgb0zXZZTgLfNQtpQGsFl
         gS8SwV7NRR9u+aIf2s+q/GS4uaAFOXaPdGFNjAqZ/N7yqukAvOrHJVnr89iHuexqxpfB
         tFR9AHVRzlc5jyY8BxQCDfiB9RA1K8B5liCiScOokJUQBhRTxPp7ICbbnicRxHMxRPK7
         sV3WD+e3VRV6xK/gMs6T/pmfSHwHHZIPrw0mJUhI9WqBEySNz5Nspp8CI2hpI18GP/5a
         ZNMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:message-id:references
         :in-reply-to:subject:cc:to:from:date:content-transfer-encoding
         :mime-version:arc-authentication-results;
        bh=trPNnS5Lm9X5OnR16Tvrb5QY13mx4x4+IufhH8Fg8v8=;
        b=ES6okF6sZFLH1clpRQJK2yp/Eq0gyi2VF7Jx8KrDIGL9tVt9A63Ba+JwWWCXQfBZsZ
         oO6Ep60yVX5PXLwYGtrS6R7aD0BOmjTjlV+A/+I+dnZs0Adab1wd9KJOaqluC/zAB+c8
         tQOejuN0ND9X5kb5dolVUcD1G5ixuCRHZl4v0hxKD/MIO6KxXzNh5GqQpEf1aIHHeiYn
         lDgAkeiCbQ0D0li6ht74U+tzRZxTCgSE5yKXjjHgjNbCgzKeO60G+mKQYEhQAaZekdrB
         o+Fe+YeSLbJ9LXA6+ejNA1m47QL8eLN71fGUwEpwi32gcywBfyErcHjDkxSt5KYRBAa3
         WRqA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b68si150126pfd.345.2018.02.27.15.21.36;
        Tue, 27 Feb 2018 15:21:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752092AbeB0XUZ (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 27 Feb 2018 18:20:25 -0500
Received: from hs01.dk-develop.de ([213.136.71.231]:53116 "EHLO
        hs01.dk-develop.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751979AbeB0XUX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Feb 2018 18:20:23 -0500
Received: from mail.dk-develop.de (hs01.dk-develop.de [127.0.0.1])
        by hs01.dk-develop.de (Postfix) with ESMTPA id 6C4C41320F55;
        Wed, 28 Feb 2018 00:20:26 +0100 (CET)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date:   Wed, 28 Feb 2018 00:20:26 +0100
From:   Danilo Krummrich <danilokrummrich@dk-develop.de>
To:     Kees Cook <keescook@chromium.org>
Cc:     "Luis R. Rodriguez" <mcgrof@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-fsdevel@vger.kernel.org, keescook@google.com
Subject: Re: [PATCH 1/2] fs/sysctl: fix potential page fault while
 unregistering sysctl table
In-Reply-To: <CAGXu5j+geUKNMu8W-+CYUD0_d_LBv+78TE5QbKx2EBeCx_oP9A@mail.gmail.com>
References: <20180227224358.12672-1-danilokrummrich@dk-develop.de>
 <CAGXu5j+geUKNMu8W-+CYUD0_d_LBv+78TE5QbKx2EBeCx_oP9A@mail.gmail.com>
Message-ID: <55ea6fc33aa0385c90ea5a640fa5ad9d@dk-develop.de>
X-Sender: danilokrummrich@dk-develop.de
User-Agent: Roundcube Webmail/1.3.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018-02-28 00:02, Kees Cook wrote:
> On Tue, Feb 27, 2018 at 2:43 PM, Danilo Krummrich
> <danilokrummrich@dk-develop.de> wrote:
>> proc_sys_link_fill_cache() does not take currently unregistering
>> sysctl tables into account, which might result into a page fault in
>> sysctl_follow_link() - add a check to fix it.
>> 
>> Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
>> ---
>>  fs/proc/proc_sysctl.c | 3 +++
>>  1 file changed, 3 insertions(+)
>> 
>> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
>> index c5cbbdff3c3d..a0b6c647835e 100644
>> --- a/fs/proc/proc_sysctl.c
>> +++ b/fs/proc/proc_sysctl.c
>> @@ -709,6 +709,9 @@ static bool proc_sys_link_fill_cache(struct file 
>> *file,
>>         bool ret = true;
> 
> Nothing appears to actually change "ret" in this function. It should
> likely be dropped too.
> 
proc_sys_fill_cache() potentially changes "ret".
>>         head = sysctl_head_grab(head);
>> 
>> +       if (IS_ERR(head))
>> +               return false;
>> +
> 
> This looks sensible. I'd drop the blank line between sysctl_head_grab
> and the IS_ERR, though.
> 
I'll do that.
> How are you testing this change?
> 
Honestly, not at all. Actually, I never run in such a page fault.
I spotted it by accident while reading the code.
> Thanks!
> 
> -Kees
> 
>>         if (S_ISLNK(table->mode)) {
>>                 /* It is not an error if we can not follow the link 
>> ignore it */
>>                 int err = sysctl_follow_link(&head, &table);
>> --
>> 2.14.1
>>