Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp585896yba; Thu, 16 May 2019 05:59:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqyJ/Hu/n9nssKvoNmqGjpm3wV5i5lkIVu/EQlUQI0REjtL4q2M9aK+jKiLPb5eP1zHfXXmP X-Received: by 2002:a17:902:6a4:: with SMTP id 33mr8262283plh.338.1558011560993; Thu, 16 May 2019 05:59:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558011560; cv=none; d=google.com; s=arc-20160816; b=c6Th098+UXP3f+jjBno4JIRxoLpI4+h1EY44o3eMJR0eD3kpjFvkm++stVBuX0IUcG YI3yJgtYJoSDU+BWMLgOxt3lqDPi4VZNfItAz/ht2eXiH2bQkiHAjKKWFTHaNgrR+ETG K/TpLrEEoD4D8U1pw064n/Ja9Ny6qk/kHblrgX7ILfFEUdMPvRB9VOtVFeHA6WukNAt+ 5qvTNh0qDmOZVsb0NBza2Abv8CjANRyPqs7llRdxSObNm0AC3HZqygARGRQLOmxtvstJ lKMm3RLHXx+AMofzH6sohdlIPulrngn7y/HOGn1kIuJ0M6z1quwzwKDQG7qq/hGSD5Q+ bzyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:message-id:references :in-reply-to:subject:to:from:date:content-transfer-encoding :mime-version:dkim-signature:dkim-signature; bh=vdgzA1hkX34lL822E8t7GwkhPWlo7nRIFTzNQamF96k=; b=PJ8umLyP5P40TBPYRm5wkFg8ua2SEe+QXa57mYEF0IuF+9o9godiCKBrp5+Dx0GnBi hDPxosi7fh/BOV6u00jVsevDGb7vtGLOaad6Lk7j5Kmcy4rkbfzaiJ6/xh0KFPvHAxx+ JSpp6JAHfxKH/p2MKx/17BrcUFdP+2q/UhEe/RGxpQ57/5twXpg7c/cgI/8WDPCIE9wG PZR721Y7TjQC9MnygT8QwL+V2wi5/bfjVnWzzffjNolcZJk/Ar6PLCzM+QsUjLEU3TUi 8Lvw8RXLUU1XkRf0DfjoNPEQDOlxWlHOqbsDtuOgpu4P0Bn2OJPhzLXrY+rdd8QWW/Xe 89uA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=cENApoOz; dkim=pass header.i=@codeaurora.org header.s=default header.b=ev9uBfYP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b193si5755653pfb.118.2019.05.16.05.59.05; Thu, 16 May 2019 05:59:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@codeaurora.org header.s=default header.b=cENApoOz; dkim=pass header.i=@codeaurora.org header.s=default header.b=ev9uBfYP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727188AbfEPM5z (ORCPT + 99 others); Thu, 16 May 2019 08:57:55 -0400 Received: from smtp.codeaurora.org ([198.145.29.96]:45057 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726427AbfEPM5z (ORCPT ); Thu, 16 May 2019 08:57:55 -0400 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 9F455606CF; Thu, 16 May 2019 12:57:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1558011474; bh=wNPWdSNFLowBHRWGc2iu547/48b9Xj6CKUNFA19mcuU=; h=Date:From:To:Subject:In-Reply-To:References:From; b=cENApoOzXNBti6omO3W5/s3d0hfJTsLL/vGKAuMi7qeI14X+rw36bPY30gOivvRtY IVephdNgSG9ZXNdWBAQA8jMn1HxXv33Y5BGtVFiCA/X1NUWtNhGVPHtUHaLk3R4fnF RZq7gOpbqwUvejW42UL1Wb4KVX5u1ql/PAhcCpRQ= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.7 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_INVALID,DKIM_SIGNED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.codeaurora.org (Postfix) with ESMTP id B3843606CF; Thu, 16 May 2019 12:57:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1558011473; bh=wNPWdSNFLowBHRWGc2iu547/48b9Xj6CKUNFA19mcuU=; h=Date:From:To:Subject:In-Reply-To:References:From; b=ev9uBfYPnkJiIVUo6J3Y0XY7X+Jqx8INNORcoWg+csM1tdvjghMm6E07MzP5qmXsy DZ+7m5v/h4Dd0Khcn/3W2rv0v5bFQpkni+9ZDmdNFt3abtgdNu0d7g349WN91tBSfd nx2QM01mKw5D+r16lvhZubB8eVw8/T/pADhZJamQ= MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Thu, 16 May 2019 18:27:53 +0530 From: stummala@codeaurora.org To: Junxiao Bi , Joel Becker , Christoph Hellwig , Al Viro , linux-kernel@vger.kernel.org, stummala@codeaurora.org Subject: Re: [PATCH v2] configfs: Fix use-after-free when accessing sd->s_dentry In-Reply-To: <20190131032011.GC7308@codeaurora.org> References: <1546514295-24818-1-git-send-email-stummala@codeaurora.org> <20190131032011.GC7308@codeaurora.org> Message-ID: <0081e5c8083f5ed9f1c1e9b456739728@codeaurora.org> X-Sender: stummala@codeaurora.org User-Agent: Roundcube Webmail/1.2.5 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Christoph, Al, Can you please consider this patch for merging? Thanks, Sahitya. On 2019-01-31 08:50, Sahitya Tummala wrote: > Al, > > Can we merge this patch, if there are no further comments? > > Thanks, > Sahitya. > > On Thu, Jan 03, 2019 at 04:48:15PM +0530, Sahitya Tummala wrote: >> In the vfs_statx() context, during path lookup, the dentry gets >> added to sd->s_dentry via configfs_attach_attr(). In the end, >> vfs_statx() kills the dentry by calling path_put(), which invokes >> configfs_d_iput(). Ideally, this dentry must be removed from >> sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result, >> sd->s_dentry is holding reference to a stale dentry pointer whose >> memory is already freed up. This results in use-after-free issue, >> when this stale sd->s_dentry is accessed later in >> configfs_readdir() path. >> >> This issue can be easily reproduced, by running the LTP test case - >> sh fs_racer_file_list.sh /config >> (https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh) >> >> Fixes: 76ae281f6307 ('configfs: fix race between dentry put and >> lookup') >> Signed-off-by: Sahitya Tummala >> --- >> v2: >> - update comments relevant to the code. >> >> fs/configfs/dir.c | 9 ++++----- >> 1 file changed, 4 insertions(+), 5 deletions(-) >> >> diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c >> index 39843fa..f113101 100644 >> --- a/fs/configfs/dir.c >> +++ b/fs/configfs/dir.c >> @@ -58,15 +58,14 @@ static void configfs_d_iput(struct dentry * >> dentry, >> if (sd) { >> /* Coordinate with configfs_readdir */ >> spin_lock(&configfs_dirent_lock); >> - /* Coordinate with configfs_attach_attr where will increase >> - * sd->s_count and update sd->s_dentry to new allocated one. >> - * Only set sd->dentry to null when this dentry is the only >> - * sd owner. >> + /* >> + * Set sd->s_dentry to null only when this dentry is the >> + * one that is going to be killed. >> * If not do so, configfs_d_iput may run just after >> * configfs_attach_attr and set sd->s_dentry to null >> * even it's still in use. >> */ >> - if (atomic_read(&sd->s_count) <= 2) >> + if (sd->s_dentry == dentry) >> sd->s_dentry = NULL; >> >> spin_unlock(&configfs_dirent_lock); >> -- >> Qualcomm India Private Limited, on behalf of Qualcomm Innovation >> Center, Inc. >> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a >> Linux Foundation Collaborative Project. >>