Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1595355yba; Thu, 25 Apr 2019 02:26:37 -0700 (PDT) X-Google-Smtp-Source: APXvYqwdE8RAqtg+5IRTOvMNuQpd2v7MwO44dP6Z5yHhBV5Hh6smwf4Jtm4vz4ScMlR9kQdudY1o X-Received: by 2002:a62:ee0a:: with SMTP id e10mr38404240pfi.6.1556184396992; Thu, 25 Apr 2019 02:26:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556184396; cv=none; d=google.com; s=arc-20160816; b=jbhvJlTAc+5rGPq85AtXd26xS5Taq2rtRJAicJis8TnvZY0CsMj4DrK+xU/QkkjmsM hNSKGPisueu8sYOyAlqBA5n0TnniRylKBSFFklbIBUKKlybpkVUQQbeWbIbAzq3p9Bnq gGJ+ZACsZssVBkNa8PlJpYd3InJIf4LLCv+SIgAp78dR2s5oSfzxeCBlm9cnarD0yiiY zNEFYXZbJkSoYsdP9i741AfoqdjN/f6WRtnSRnUSoKWE9ghzIIUMLYo/L68KA94GRRlZ XWoZdFCFxSoNloN2nFrwDQlQwu5BqXWGd0z7iAA+Vhj1AkI78HUIyRk89hp8WN66QHIt FKZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id; bh=x3QkF/mHVsWvxcMToE/RuwjL0vBvc1pW4GKlzPt3abQ=; b=M9EGIxVS/Z44Ey5BPvWsMZ65gL4f1tcAVSy0uR+ImDrNayXhzOWnMMsBSg1MKXLQTr EVnARGmMFNxrym7dmysCSCR5Wo/qNHpuUzCxoa1D8kxAj6YxEiY2QFvsfvNt36yw5t5k OtEZLvJaf6+iqBC0nr5YCYarbvVZ+FLsi9NSKJ54+h5TkT/ZorDvzV/8x7QZN5jTaJmp Fbugs0k++8jjueL9sO+FsYdnvcUhE/bNlI3Dw5doTn4g+Ta6WWIe++S9ru6CTHKR/IUl bLrBEMgZ7QcXSdy5iXaND577y9sQjVc5yYwkERxzTQEzxdt3vxgxRjaNzFktYQtsO5O8 9dgQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m3si20312267pgv.28.2019.04.25.02.26.20; Thu, 25 Apr 2019 02:26:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726836AbfDYJYv (ORCPT + 99 others); Thu, 25 Apr 2019 05:24:51 -0400 Received: from gate.crashing.org ([63.228.1.57]:49608 "EHLO gate.crashing.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726304AbfDYJYv (ORCPT ); Thu, 25 Apr 2019 05:24:51 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by gate.crashing.org (8.14.1/8.14.1) with ESMTP id x3P9OdMm015565; Thu, 25 Apr 2019 04:24:40 -0500 Message-ID: <24b0fff3775147c04b006282727d94fea7f408b4.camel@kernel.crashing.org> Subject: Re: [PATCH] driver core: Fix use-after-free and double free on glue directory From: Benjamin Herrenschmidt To: Muchun Song , gregkh@linuxfoundation.org, rafael@kernel.org Cc: linux-kernel@vger.kernel.org Date: Thu, 25 Apr 2019 19:24:39 +1000 In-Reply-To: <20190423143258.96706-1-smuchun@gmail.com> References: <20190423143258.96706-1-smuchun@gmail.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2019-04-23 at 22:32 +0800, Muchun Song wrote: > There is a race condition between removing glue directory and adding a new > device under the glue directory. It can be reproduced in following test: > .../... > In order to avoid this happening, we we should not call kobject_del() on > path2 when the reference count of glue_dir is greater than 1. So we add a > conditional statement to fix it. Good catch ! However I'm not completely happy about the fix you propose. I find relying on the object count for such decisions rather fragile as it could be taken temporarily for other reasons, couldn't it ? In which case we would just fail... Ideally, the looking up of the glue dir and creation of its child should be protected by the same lock instance (the gdp_mutex in that case). That might require a bit of shuffling around though. Greg, thoughts ? This whole gluedir business is annoyingly racy still. My gut feeling is that the "right fix" is to ensure the lookup of the glue dir and creation of the child object(s) are done under a single instance of gdp_mutex so we never see a stale "empty" but still poentially used glue dir around. This should also be true when creating such gluedir in the first place in fact, though that race is a lot harder to hit. Cheers, Ben.