Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1996923yba;
        Thu, 25 Apr 2019 09:01:17 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzVf8wa92M2faO2MmIDH1CoKHuaVctozGN5hp9083cDm3iH5ITSC2JCEr/jUSTE8FCJ0I7S
X-Received: by 2002:a62:1815:: with SMTP id 21mr41070009pfy.107.1556208077182;
        Thu, 25 Apr 2019 09:01:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556208077; cv=none;
        d=google.com; s=arc-20160816;
        b=L8zdCJjReuoBJz++RYb7xf9/T0fxgJNQj6l7o7TItyPXwnzaWAguYwqd0WaRRj09zg
         psSjG79JSj3RkYAHzp0TBqqPiDByGP8yk1wctIzHij+rWeP0i9GfawgrnAoFypgeaOJp
         w/K2ILz3fz/k4yAO1jU9jgy62MCHi5nNbNF0CjL4ymrVuFzCMFQOm0K1B4HuttmSUS2N
         xJ93zGc23bUdApZ+5wXEkh9TWTFwshoWHQ4uAbiu4ZviydwZDjcMk+Fh2LHS1Ckp53bz
         5wgwZO7mkjPjPEepIkaqFMSaYFlRXAzuk1LursfUhQ83PlBhtO4iSCYGspNBXywH1Zee
         OYJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=2E9W7oTH/iN84BNoNRhpXZPqpqKBdUlhu4ojiw1m7OA=;
        b=UJAgqJlxa5tfnMlRGG48ZMuQcq0KVNAzxiLpX5FiEtygsWyQNgrtYNPsXci0cuM4Jm
         tT2J86nuYoDL5OnObw635aqsAVMDxFw/xAL6cQS9AZs6+qiGnS2aSFeHZuxBdxaHE0lM
         TktusjPdSk4ZokEx0QpwqIWYyPVZ2HfSVTQHYNQvGkDFCId5HR62B4pd32pfEalIGJtu
         SmXPU6+wgoYQGY8ZP2ZqRzkQNqilZWPjQ+E+ZFMnwm+oMIMLJlutTdfRo6BotD+q3Usl
         qJFu8hqFf9Z6XZcstBHzIPAqasflokdaFRyav9XdtlTfbhUtuf1XebwIop4QcFxXFWPX
         EWmw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Dqh9FRre;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l1si4279632pgs.415.2019.04.25.09.01.00;
        Thu, 25 Apr 2019 09:01:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Dqh9FRre;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727570AbfDYPoK (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Thu, 25 Apr 2019 11:44:10 -0400
Received: from mail-qt1-f193.google.com ([209.85.160.193]:36822 "EHLO
        mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726579AbfDYPoK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Apr 2019 11:44:10 -0400
Received: by mail-qt1-f193.google.com with SMTP id c35so622622qtk.3
        for <linux-kernel@vger.kernel.org>; Thu, 25 Apr 2019 08:44:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=2E9W7oTH/iN84BNoNRhpXZPqpqKBdUlhu4ojiw1m7OA=;
        b=Dqh9FRrew0QtPU8reAGDm9gc/6Ox+rCYhI0zLPkgXd6pQOJ6j1feMvUMSqap5Bjb2+
         vRgY9Ya+gEuR9poRLhTTnZZ/rjDsqUcxYoSqt3kKrc6xk4RdlowZV95KDUJtPFlwdh/D
         1LrIcOQI5zmd2qmprUTBfL5Sta6hW1ivy7ik6fn9xwWKaXmrORzNZbs8Vit5Igh7t/Ai
         LHGkHCE36V7YBOSQNPnSsOHyfPM2D20CrJRijXO5e3QLM4K+B0nYRoPpjQnVOEyXXV1c
         CH3NIn0f0bRjELePUkxDwUuvu8yQBnYU/uE33enhY6UaNzDTGZFpSNDNkxDFE54YIa5u
         dcpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=2E9W7oTH/iN84BNoNRhpXZPqpqKBdUlhu4ojiw1m7OA=;
        b=J6DOpkOc6ZpYAdO6UylkeB1C95IphcCuJyMdhmqw+F+wS928kheoPgLhFgRHklzOZl
         Ybd+OmuY1EHTprIw+xHTgtxamaRSBmyFSgiGXA8trsE6hHTLhYDO7h5bz5iOymINE/Rt
         nFK0hCyNHEr8qQ8Gg9U93rGqdAEPFZt+BMWBWoC6LCU2EhWWmhKC+rb88n3ssItgnbUe
         K7yYo7u+jcdKo70rx2RZRoFY/5eBO8y4UeD4i/j2GvDA/fMWRxpaYklQRnJKAUjwyUnh
         ZGiVerlYIy2CnIJb22jim9tITpvMMssmswtBMhV9mjfjOfnLy3sB/QKbLEo9UYjGYft9
         Yx5Q==
X-Gm-Message-State: APjAAAUYsiP0gJBkRdYW8pB83U7TwWWT1eE/2Zn8bFZYoNSbVrDLTo5/
        81fWXISQjjxiYsdplIhDpjodiDNdtqPVZBoXE4s=
X-Received: by 2002:a0c:e892:: with SMTP id b18mr13357898qvo.16.1556207049182;
 Thu, 25 Apr 2019 08:44:09 -0700 (PDT)
MIME-Version: 1.0
References: <20190423143258.96706-1-smuchun@gmail.com> <24b0fff3775147c04b006282727d94fea7f408b4.camel@kernel.crashing.org>
In-Reply-To: <24b0fff3775147c04b006282727d94fea7f408b4.camel@kernel.crashing.org>
From:   Muchun Song <smuchun@gmail.com>
Date:   Thu, 25 Apr 2019 23:44:00 +0800
Message-ID: <CAPSr9jHhwASv7=83hU+81mC0JJyuyt2gGxLmyzpCOfmc9vKgGQ@mail.gmail.com>
Subject: Re: [PATCH] driver core: Fix use-after-free and double free on glue directory
To:     Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc:     gregkh@linuxfoundation.org, rafael@kernel.org,
        linux-kernel <linux-kernel@vger.kernel.org>,
        zhaowuyun@wingtech.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Cheers,

Benjamin Herrenschmidt <benh@kernel.crashing.org> =E4=BA=8E2019=E5=B9=B44=
=E6=9C=8825=E6=97=A5=E5=91=A8=E5=9B=9B =E4=B8=8B=E5=8D=885:24=E5=86=99=E9=
=81=93=EF=BC=9A
>
> On Tue, 2019-04-23 at 22:32 +0800, Muchun Song wrote:
> > There is a race condition between removing glue directory and adding a =
new
> > device under the glue directory. It can be reproduced in following test=
:
> >
>
>  .../...
>
> > In order to avoid this happening, we we should not call kobject_del() o=
n
> > path2 when the reference count of glue_dir is greater than 1. So we add=
 a
> > conditional statement to fix it.
>
> Good catch ! However I'm not completely happy about the fix you
> propose.
>
> I find relying on the object count for such decisions rather fragile as
> it could be taken temporarily for other reasons, couldn't it ? In which
> case we would just fail...

It could be taken temporarily for other reasons, what reasons?
I also can not figure out which case could result in this.

>
> Ideally, the looking up of the glue dir and creation of its child
> should be protected by the same lock instance (the gdp_mutex in that
> case).
>
> That might require a bit of shuffling around though.
>
> Greg, thoughts ? This whole gluedir business is annoyingly racy still.
>
> My gut feeling is that the "right fix" is to ensure the lookup of the
> glue dir and creation of the child object(s) are done under a single
> instance of gdp_mutex so we never see a stale "empty" but still
> poentially used glue dir around.

I agree with you that the looking up of the glue dir and creation of its ch=
ild
should be protected by the same lock of gdp_mutex. So, do you agree with
the fix of the following code snippet?

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1740,8 +1740,11 @@ class_dir_create_and_add(struct class *class,
struct kobject *parent_kobj)
 static DEFINE_MUTEX(gdp_mutex);

 static struct kobject *get_device_parent(struct device *dev,
-                                        struct device *parent)
+                                        struct device *parent,
+                                        bool *locked)
 {
+       *locked =3D false;
+
        if (dev->class) {
                struct kobject *kobj =3D NULL;
                struct kobject *parent_kobj;
@@ -1779,7 +1782,7 @@ static struct kobject *get_device_parent(struct
device *dev,
                        }
                spin_unlock(&dev->class->p->glue_dirs.list_lock);
                if (kobj) {
-                       mutex_unlock(&gdp_mutex);
+                       *locked =3D true;
                        return kobj;
                }

@@ -2007,6 +2010,7 @@ int device_add(struct device *dev)
        struct class_interface *class_intf;
        int error =3D -EINVAL;
        struct kobject *glue_dir =3D NULL;
+       bool locked;

        dev =3D get_device(dev);
        if (!dev)
@@ -2040,7 +2044,7 @@ int device_add(struct device *dev)
        pr_debug("device: '%s': %s\n", dev_name(dev), __func__);

        parent =3D get_device(dev->parent);
-       kobj =3D get_device_parent(dev, parent);
+       kobj =3D get_device_parent(dev, parent, &locked);
        if (IS_ERR(kobj)) {
                error =3D PTR_ERR(kobj);
                goto parent_error;
@@ -2057,9 +2061,14 @@ int device_add(struct device *dev)
        error =3D kobject_add(&dev->kobj, dev->kobj.parent, NULL);
        if (error) {
                glue_dir =3D get_glue_dir(dev);
+               if (locked)
+                       mutex_unlock(&gdp_mutex);
                goto Error;
        }

+       if (locked)
+               mutex_unlock(&gdp_mutex);
+
        /* notify platform of device entry */
        error =3D device_platform_notify(dev, KOBJ_ADD);
        if (error)

Yours
Muchun