Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2026175pxb; Mon, 23 Aug 2021 10:13:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyuuBMTPrMT0psXPPvYaeL721s2BQmJcdvV9CQ9fPeQ3I8jWBN8f303Xmdw41XK314k1Qik X-Received: by 2002:a17:906:4801:: with SMTP id w1mr14236837ejq.299.1629738822397; Mon, 23 Aug 2021 10:13:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629738822; cv=none; d=google.com; s=arc-20160816; b=T0Nng1aA8URstRPWfM5HbQ4kmG0xX7Z3QrCgWXYBeGg9Q6rMeE8wcStLmK4YtrHAcI /j0YUMKVWCOPe1hxPP4OK2xqg87sGD6NNI2+tF+dCnEF7s9UAEVvVdUqHXxmu9RlJ1pi kql/lavAMMEmZzCDSiOlun/MZieaqtaw6tpegpyerHcb3NafIOcAINpOTCrGMHuPVs2v AAvhOAchaFwJWZCVv0O9093gkUqGsHPyZBSyS2yDveZ7RRz7ooSNU8KybtKRgORZqidJ Cr5iMRY16jqOLIpAxvuQS+d3r1T4TP17BrvH8pGknaBIepeEaUAAztmZDnZlo29NGVKX 0YYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=X0sXuZ4LnF7EBN6HAqM/irKHeywwqvEYuIqgdZiswgk=; b=ZWW4J6KTklbxUebEP31+sA1YiftPXLYo8hYKbFEJT8EdRjzRvf2RlzzT8ObX8lW5zY yRQSydQ7CrW2MbBnLBd9nlX6dmU5wNHRVeVtP3sz/JunOhaOqvoV1bRlipXYLmY6W84v l5CeeqTA9pfB23xTTAFB3tdCr0YOsPfnX4EZSPdZsmanyqRNuDL62oan/5ltw+tHK4pQ JP9pvItuNtZX8zoLo7sN3g1Z3ocqrGVj4RRAXXJMbOS9zmfb5sY12uQXishYGQxAYZ+X 5vKRNcwJSktiVChuTJYbAThz9fnC5zAV/SV+Wp+VpQBB+xNdMucWTyXOFaZN2re09cHF 3wSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id lu2si15344365ejb.166.2021.08.23.10.13.17; Mon, 23 Aug 2021 10:13:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230506AbhHWRJd (ORCPT + 99 others); Mon, 23 Aug 2021 13:09:33 -0400 Received: from verein.lst.de ([213.95.11.211]:48564 "EHLO verein.lst.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229479AbhHWRJd (ORCPT ); Mon, 23 Aug 2021 13:09:33 -0400 Received: by verein.lst.de (Postfix, from userid 2407) id 1A35B67357; Mon, 23 Aug 2021 19:08:48 +0200 (CEST) Date: Mon, 23 Aug 2021 19:08:47 +0200 From: Christoph Hellwig To: "Gong, Sishuai" Cc: Christoph Hellwig , "jlbec@evilplan.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] configfs: fix a race in configfs_lookup() Message-ID: <20210823170847.GA617@lst.de> References: <20210820214458.14087-1-sishuai@purdue.edu> <20210823074636.GA23822@lst.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.17 (2007-11-01) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 23, 2021 at 04:12:10PM +0000, Gong, Sishuai wrote: > On Aug 23, 2021, at 3:46 AM, Christoph Hellwig > wrote: > > On Fri, Aug 20, 2021 at 05:44:58PM -0400, sishuaigong wrote: > When configfs_lookup() is executing list_for_each_entry(), > it is possible that configfs_dir_lseek() is calling list_del(). > Some unfortunate interleavings of them can cause a kernel NULL > pointer dereference error > > Thread 1 Thread 2 > //configfs_dir_lseek() //configfs_lookup() > list_del(&cursor->s_sibling); > list_for_each_entry(sd, ...) > > Fix this bug by using list_for_each_entry_safe() instead. > > I don't see how list_for_each_entry_safe would save you there. > You need a lock to sychronize the two, list_for_each_entry_safe > only ensures the next entry is looked up before iterating over > the current one. > Thanks for pointing that out! > > It looks like config_lookup() should hold configfs_dirent_lock > when doing list_for_each_entry(), but configfs_attach_attr() > also needs to be changed since it might be called by > config_lookup() and then wait for configfs_dirent_lock, > which will cause a deadlock. > > Do you think a future patch like this makes sense? We can't hold a spinlock over inode allocation. So it would have to be something like this: diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index ac5e0c0e9181..48022e27664d 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -417,44 +417,13 @@ static void configfs_remove_dir(struct config_item * item) dput(dentry); } - -/* attaches attribute's configfs_dirent to the dentry corresponding to the - * attribute file - */ -static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * dentry) -{ - struct configfs_attribute * attr = sd->s_element; - struct inode *inode; - - spin_lock(&configfs_dirent_lock); - dentry->d_fsdata = configfs_get(sd); - sd->s_dentry = dentry; - spin_unlock(&configfs_dirent_lock); - - inode = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG); - if (IS_ERR(inode)) { - configfs_put(sd); - return PTR_ERR(inode); - } - if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) { - inode->i_size = 0; - inode->i_fop = &configfs_bin_file_operations; - } else { - inode->i_size = PAGE_SIZE; - inode->i_fop = &configfs_file_operations; - } - d_add(dentry, inode); - return 0; -} - static struct dentry * configfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) { - struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata; - struct configfs_dirent * sd; - int found = 0; - int err; + struct configfs_dirent *parent_sd = dentry->d_parent->d_fsdata; + struct configfs_dirent *sd; + struct inode *inode = NULL; /* * Fake invisibility if dir belongs to a group/default groups hierarchy @@ -464,36 +433,46 @@ static struct dentry * configfs_lookup(struct inode *dir, * not complete their initialization, since the dentries of the * attributes won't be instantiated. */ - err = -ENOENT; if (!configfs_dirent_is_ready(parent_sd)) - goto out; + return ERR_PTR(-ENOENT); + spin_lock(&configfs_dirent_lock); list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { - if (sd->s_type & CONFIGFS_NOT_PINNED) { - const unsigned char * name = configfs_get_name(sd); + if ((sd->s_type & CONFIGFS_NOT_PINNED) && + !strcmp(configfs_get_name(sd), dentry->d_name.name)) { + struct configfs_attribute *attr = sd->s_element; + umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG; - if (strcmp(name, dentry->d_name.name)) - continue; + dentry->d_fsdata = configfs_get(sd); + sd->s_dentry = dentry; + spin_unlock(&configfs_dirent_lock); - found = 1; - err = configfs_attach_attr(sd, dentry); - break; + inode = configfs_create(dentry, mode); + if (IS_ERR(inode)) { + configfs_put(sd); + return ERR_CAST(inode); + } + if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) { + inode->i_size = 0; + inode->i_fop = &configfs_bin_file_operations; + } else { + inode->i_size = PAGE_SIZE; + inode->i_fop = &configfs_file_operations; + } + goto done; } } + spin_unlock(&configfs_dirent_lock); - if (!found) { - /* - * If it doesn't exist and it isn't a NOT_PINNED item, - * it must be negative. - */ - if (dentry->d_name.len > NAME_MAX) - return ERR_PTR(-ENAMETOOLONG); - d_add(dentry, NULL); - return NULL; - } - -out: - return ERR_PTR(err); + /* + * If it doesn't exist and it isn't a NOT_PINNED item, it must be + * negative. + */ + if (dentry->d_name.len > NAME_MAX) + return ERR_PTR(-ENAMETOOLONG); +done: + d_add(dentry, inode); + return NULL; } /*