Received: by 2002:a05:7412:a9a2:b0:e2:908c:2ebd with SMTP id o34csp935350rdh; Thu, 26 Oct 2023 22:57:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFURLfxpRw+c3cNUDnPnc13xY/J252Y0J0oum0tiNM5/kscFtRHxDFsbKwvIbgYwuvhA9v7 X-Received: by 2002:a05:6122:71b:b0:48d:5be:2899 with SMTP id 27-20020a056122071b00b0048d05be2899mr2065468vki.2.1698386228099; Thu, 26 Oct 2023 22:57:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698386228; cv=none; d=google.com; s=arc-20160816; b=yMbc0umsVwRx1rAtkyTyMHhU0TDo0y4MWhclQK60UOBfIaNZR6NGVkDsWx2qlMZqMh PqoAhB0E+CdQDaVYCkY1X6CJIujtpW7ESCgztVVkZOqExw5V7iN9wGQWfehAbx/MNdD4 QmaRtcdV/KACMvPvQJQqqbldSOWZT358PrZPTSJDJkvZ/aPdo+PFCs59mo+tEvnxaE2X spxi+pdHaH1xO8H/6PNvw+9X8i9Wz2qSeVKSYQzct7Kd4/8fWmXfUoNQio5J12de7V8R M9pLl2BpW2iG77A3cbTbmyDtlyQTmtzqyILdExnKY3mzjItgtGfPuPZYSzwALqbC3xTI Lv5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from :dkim-signature; bh=HcgtgyqVgwVPsC7c5S46Kjt9jM8feIZ/sGbAy6H27hs=; fh=CNRf3SKJT5WcCONNRYNOFkB2+L3+3dUJaLc8Nj20qfg=; b=Yxz5oCJp70UNIcoizZfCEak3J8gTuMu1Nxt9JHiRBg0d+h9hsVEwJowmrndoUZ3ex8 dhAAFk/z+zyRJ6Li+DVyJ9tpFINokD+/ZhrvwT9qPAyFVajVvpmKf9vZEnvePJvm/6v2 h8DSUIiY7hgbEG51+1D4nnES10HreSxT5aqHk7w51bI3sBcEPJHuRhbUxW43EZOxh0VJ aCgMOvUwRGolC3Vyad0ZMDN86fEUTSnfLZY5mRxliorGwxihW0dYGvSNimkEuEUGwspB 78MsGbQPCD5CDgoDhrV9mZ9CY5eWpqP/5cz9CDpPWsI4+5/qMVKBcFRCmjXOONYu2Wn2 KwZw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=lAaK1MXR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id s13-20020a81bf4d000000b005861659568csi1372611ywk.180.2023.10.26.22.57.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Oct 2023 22:57:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=lAaK1MXR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id D899C807E920; Thu, 26 Oct 2023 22:56:11 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230178AbjJ0Fzp (ORCPT + 99 others); Fri, 27 Oct 2023 01:55:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42894 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229590AbjJ0Fzo (ORCPT ); Fri, 27 Oct 2023 01:55:44 -0400 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B9EC1A7 for ; Thu, 26 Oct 2023 22:55:41 -0700 (PDT) Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 39R5jfjO009798; Fri, 27 Oct 2023 05:55:30 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : mime-version : content-type; s=qcppdkim1; bh=HcgtgyqVgwVPsC7c5S46Kjt9jM8feIZ/sGbAy6H27hs=; b=lAaK1MXRyMizGTeTDHuDQ3IB6mhS92CNo28axgM7qrmFLIf42/YOsddduGWHnl4qHsia lDqIXPOV69pq1j9H3NDOQ7k4wjkdQlSRZjBCB2vm226hSY/wzF6C9FiyeN6ovbY3quEE qid7g8Bu5ul0MuCe72HsDo3vlIfsYvzlclsE8lh++n/SVbF5VA4ArQLO1HRLV/x2VMz7 INAhl+H38ogBpG++jXBmno76NPPnIsmhME0Ov5d200ADKcSsZs19xTlqgHldIQav2AXk ZsrknQCzbIJi7hzxP6LmzHez69dpX8wo9k33tTDraKJfFAxwFwwoHFPkvKr1S/lDDY1p OA== Received: from nalasppmta05.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3tyxqgh58q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 27 Oct 2023 05:55:30 +0000 Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 39R5tTpt019461 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 27 Oct 2023 05:55:29 GMT Received: from hu-yyuwang-lv.qualcomm.com (10.49.16.6) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.39; Thu, 26 Oct 2023 22:55:26 -0700 From: Yu Wang To: , , CC: , Subject: [PATCH] Devcoredump: fix use-after-free issue when releasing devcd device Date: Thu, 26 Oct 2023 22:55:21 -0700 Message-ID: <20231027055521.2679-1-quic_yyuwang@quicinc.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.49.16.6] X-ClientProxiedBy: nalasex01c.na.qualcomm.com (10.47.97.35) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: hLaacIDROCzwa98lERQF0NoVqnjPPUl8 X-Proofpoint-ORIG-GUID: hLaacIDROCzwa98lERQF0NoVqnjPPUl8 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-27_03,2023-10-26_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 priorityscore=1501 spamscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2310240000 definitions=main-2310270051 X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 26 Oct 2023 22:56:12 -0700 (PDT) With sample code as below, it may hit use-after-free issue when releasing devcd device. struct my_coredump_state { struct completion dump_done; ... }; static void my_coredump_free(void *data) { struct my_coredump_state *dump_state = data; ... complete(&dump_state->dump_done); } static void my_dev_release(struct device *dev) { kfree(dev); } static void my_coredump() { struct my_coredump_state dump_state; struct device *new_device = kzalloc(sizeof(*new_device), GFP_KERNEL); ... new_device->release = my_dev_release; device_initialize(new_device); ... device_add(new_device); ... init_completion(&dump_state.dump_done); dev_coredumpm(new_device, NULL, &dump_state, datalen, GFP_KERNEL, my_coredump_read, my_coredump_free); wait_for_completion(&dump_state.dump_done); device_del(new_device); put_device(new_device); } In devcoredump framework, devcd_dev_release() will be called when releasing the devcd device, it will call the free() callback first and try to delete the symlink in sysfs directory of the failing device. Eventhough it has checked 'devcd->failing_dev->kobj.sd' before that, there is no mechanism to ensure it's still available when accessing it in kernfs_find_ns(), refer to the diagram as below: Thread A was waiting for 'dump_state.dump_done' at #A-1-2 after calling dev_coredumpm(). When thread B calling devcd->free() at #B-2-1, it wakes up thread A from point #A-1-2, which will call device_del() to delete the device. If #B-2-2 comes before #A-3-1, but #B-4 comes after #A-4, it will hit use-after-free issue when trying to access 'devcd->failing_dev->kobj.sd'. #A-1-1: dev_coredumpm() #A-1-2: wait_for_completion(&dump_state.dump_done) #A-1-3: device_del() #A-2: kobject_del() #A-3-1: sysfs_remove_dir() --> set kobj->sd=NULL #A-3-2: kernfs_put() #A-4: kmem_cache_free() --> free kobj->sd #B-1: devcd_dev_release() #B-2-1: devcd->free(devcd->data) #B-2-2: check devcd->failing_dev->kobj.sd #B-2-3: sysfs_delete_link() #B-3: kernfs_remove_by_name_ns() #B-4: kernfs_find_ns() --> access devcd->failing_dev->kobj.sd To fix this issue, put operations on devcd->failing_dev before calling the free() callback in devcd_dev_release(). Signed-off-by: Yu Wang --- drivers/base/devcoredump.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/base/devcoredump.c b/drivers/base/devcoredump.c index 91536ee05f14..35c704ddfeae 100644 --- a/drivers/base/devcoredump.c +++ b/drivers/base/devcoredump.c @@ -83,9 +83,6 @@ static void devcd_dev_release(struct device *dev) { struct devcd_entry *devcd = dev_to_devcd(dev); - devcd->free(devcd->data); - module_put(devcd->owner); - /* * this seems racy, but I don't see a notifier or such on * a struct device to know when it goes away? @@ -95,6 +92,8 @@ static void devcd_dev_release(struct device *dev) "devcoredump"); put_device(devcd->failing_dev); + devcd->free(devcd->data); + module_put(devcd->owner); kfree(devcd); } -- 2.17.1