Received: by 10.223.185.116 with SMTP id b49csp5535990wrg; Tue, 27 Feb 2018 15:21:51 -0800 (PST) X-Google-Smtp-Source: AH8x227/k73e0ANLunLlcmq1uBXOi6KagxIT8cfz1nGHgmET4NYy/XpvMRIg+ojqLGgbMmoCyyiX X-Received: by 10.99.122.71 with SMTP id j7mr12446753pgn.151.1519773711390; Tue, 27 Feb 2018 15:21:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519773711; cv=none; d=google.com; s=arc-20160816; b=KLSuyjaknsdP3p3a8dAGcTOo1E7f8KtftwmEv6TpCCNIxPKbe2ufxQ3BCf6Ql2/vxW fW9rSDTEKkEFJVrP+S/sLLNmhjpL2bayNvi7PbWI1GzWcZKFgb0zXZZTgLfNQtpQGsFl gS8SwV7NRR9u+aIf2s+q/GS4uaAFOXaPdGFNjAqZ/N7yqukAvOrHJVnr89iHuexqxpfB tFR9AHVRzlc5jyY8BxQCDfiB9RA1K8B5liCiScOokJUQBhRTxPp7ICbbnicRxHMxRPK7 sV3WD+e3VRV6xK/gMs6T/pmfSHwHHZIPrw0mJUhI9WqBEySNz5Nspp8CI2hpI18GP/5a ZNMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:message-id:references :in-reply-to:subject:cc:to:from:date:content-transfer-encoding :mime-version:arc-authentication-results; bh=trPNnS5Lm9X5OnR16Tvrb5QY13mx4x4+IufhH8Fg8v8=; b=ES6okF6sZFLH1clpRQJK2yp/Eq0gyi2VF7Jx8KrDIGL9tVt9A63Ba+JwWWCXQfBZsZ oO6Ep60yVX5PXLwYGtrS6R7aD0BOmjTjlV+A/+I+dnZs0Adab1wd9KJOaqluC/zAB+c8 tQOejuN0ND9X5kb5dolVUcD1G5ixuCRHZl4v0hxKD/MIO6KxXzNh5GqQpEf1aIHHeiYn lDgAkeiCbQ0D0li6ht74U+tzRZxTCgSE5yKXjjHgjNbCgzKeO60G+mKQYEhQAaZekdrB o+Fe+YeSLbJ9LXA6+ejNA1m47QL8eLN71fGUwEpwi32gcywBfyErcHjDkxSt5KYRBAa3 WRqA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b68si150126pfd.345.2018.02.27.15.21.36; Tue, 27 Feb 2018 15:21:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752092AbeB0XUZ (ORCPT + 99 others); Tue, 27 Feb 2018 18:20:25 -0500 Received: from hs01.dk-develop.de ([213.136.71.231]:53116 "EHLO hs01.dk-develop.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751979AbeB0XUX (ORCPT ); Tue, 27 Feb 2018 18:20:23 -0500 Received: from mail.dk-develop.de (hs01.dk-develop.de [127.0.0.1]) by hs01.dk-develop.de (Postfix) with ESMTPA id 6C4C41320F55; Wed, 28 Feb 2018 00:20:26 +0100 (CET) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Wed, 28 Feb 2018 00:20:26 +0100 From: Danilo Krummrich To: Kees Cook Cc: "Luis R. Rodriguez" , LKML , linux-fsdevel@vger.kernel.org, keescook@google.com Subject: Re: [PATCH 1/2] fs/sysctl: fix potential page fault while unregistering sysctl table In-Reply-To: References: <20180227224358.12672-1-danilokrummrich@dk-develop.de> Message-ID: <55ea6fc33aa0385c90ea5a640fa5ad9d@dk-develop.de> X-Sender: danilokrummrich@dk-develop.de User-Agent: Roundcube Webmail/1.3.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-02-28 00:02, Kees Cook wrote: > On Tue, Feb 27, 2018 at 2:43 PM, Danilo Krummrich > wrote: >> proc_sys_link_fill_cache() does not take currently unregistering >> sysctl tables into account, which might result into a page fault in >> sysctl_follow_link() - add a check to fix it. >> >> Signed-off-by: Danilo Krummrich >> --- >> fs/proc/proc_sysctl.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c >> index c5cbbdff3c3d..a0b6c647835e 100644 >> --- a/fs/proc/proc_sysctl.c >> +++ b/fs/proc/proc_sysctl.c >> @@ -709,6 +709,9 @@ static bool proc_sys_link_fill_cache(struct file >> *file, >> bool ret = true; > > Nothing appears to actually change "ret" in this function. It should > likely be dropped too. > proc_sys_fill_cache() potentially changes "ret". >> head = sysctl_head_grab(head); >> >> + if (IS_ERR(head)) >> + return false; >> + > > This looks sensible. I'd drop the blank line between sysctl_head_grab > and the IS_ERR, though. > I'll do that. > How are you testing this change? > Honestly, not at all. Actually, I never run in such a page fault. I spotted it by accident while reading the code. > Thanks! > > -Kees > >> if (S_ISLNK(table->mode)) { >> /* It is not an error if we can not follow the link >> ignore it */ >> int err = sysctl_follow_link(&head, &table); >> -- >> 2.14.1 >>