From: sishuaigong
To: jlbec@evilplan.org, hch@lst.de
Cc: linux-kernel@vger.kernel.org, sishuaigong
Subject: [PATCH] configfs: fix a race in configfs_lookup()
Date: Fri, 20 Aug 2021 17:44:58 -0400
Message-Id: <20210820214458.14087-1-sishuai@purdue.edu>

When configfs_lookup() is executing list_for_each_entry(),
it is possible that configfs_dir_lseek() is calling list_del().
Some unfortunate interleavings of them can cause a kernel NULL
pointer dereference error.

Thread 1                          Thread 2
//configfs_dir_lseek()            //configfs_lookup()
list_del(&cursor->s_sibling);
                                  list_for_each_entry(sd, ...)

Fix this bug by using list_for_each_entry_safe() instead.

Reported-by: Sishuai Gong
Signed-off-by: sishuaigong
--- fs/configfs/dir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index ac5e0c0e9181..8f5d0309fb4a 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -452,7 +452,7 @@ static struct dentry * configfs_lookup(struct inode *dir, unsigned int flags) { struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata; - struct configfs_dirent * sd; + struct configfs_dirent *sd, *tmp; int found = 0; int err; @@ -468,7 +468,7 @@ static struct dentry * configfs_lookup(struct inode *dir, if (!configfs_dirent_is_ready(parent_sd)) goto out; - list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { + list_for_each_entry_safe(sd, tmp, &parent_sd->s_children, s_sibling) { if (sd->s_type & CONFIGFS_NOT_PINNED) { const unsigned char * name = configfs_get_name(sd); -- 2.17.1
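
Review bot: In the first hunk (the declarations at the top of configfs_lookup()), the new "tmp" exists only to feed list_for_each_entry_safe(), so it should be dropped again if the traversal ends up being protected by locking instead of the _safe iterator. The same line also changes "struct configfs_dirent * sd;" to the "*sd" spacing while the adjacent "struct configfs_dirent * parent_sd" declaration keeps the old style; leave the whitespace change out of a bug fix, or convert both declarations in a separate cleanup patch.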
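
Review bot: In the second hunk (the loop over &parent_sd->s_children in configfs_lookup()), switching to list_for_each_entry_safe() does not close the race the commit message describes. The _safe variant only caches the next entry in "tmp" so that the loop body itself can delete "sd"; it provides no protection when a different thread calls list_del() during the walk, and "tmp" can be the very cursor entry that configfs_dir_lseek() is unlinking. No lock acquisition is visible around the loop in this hunk, so the traversal should instead run under whichever lock serializes updates to s_children in configfs_dir_lseek(), after which plain list_for_each_entry() can stay. The commit message should also say which pointer ends up NULL and include the oops trace, so the fix can be checked against the actual failure.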