LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH v2] configfs: fix a race in configfs_lookup()
@ 2021-08-23 19:43 sishuaigong
  2021-08-23 23:33 ` kernel test robot
  0 siblings, 1 reply; 2+ messages in thread
From: sishuaigong @ 2021-08-23 19:43 UTC (permalink / raw)
  To: jlbec, hch; +Cc: linux-kernel, sishuaigong

When configfs_lookup() is executing list_for_each_entry(),
it is possible that configfs_dir_lseek() is calling list_del().
Some unfortunate interleavings of them can cause a kernel NULL
pointer dereference error

Thread 1                  Thread 2
//configfs_dir_lseek()    //configfs_lookup()
list_del(&cursor->s_sibling);
			 list_for_each_entry(sd, ...)

Fix this bug by grabbing configfs_dirent_lock in configfs_lookup().

Reported-by: Sishuai Gong <sishuai@purdue.edu>
Signed-off-by: sishuaigong <sishuai@purdue.edu>
---
 fs/configfs/dir.c | 86 +++++++++++++++++++----------------------------
 1 file changed, 35 insertions(+), 51 deletions(-)

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index ac5e0c0e9181..c9af54f75051 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -417,44 +417,13 @@ static void configfs_remove_dir(struct config_item * item)
 	dput(dentry);
 }
 
-
-/* attaches attribute's configfs_dirent to the dentry corresponding to the
- * attribute file
- */
-static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * dentry)
-{
-	struct configfs_attribute * attr = sd->s_element;
-	struct inode *inode;
-
-	spin_lock(&configfs_dirent_lock);
-	dentry->d_fsdata = configfs_get(sd);
-	sd->s_dentry = dentry;
-	spin_unlock(&configfs_dirent_lock);
-
-	inode = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG);
-	if (IS_ERR(inode)) {
-		configfs_put(sd);
-		return PTR_ERR(inode);
-	}
-	if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
-		inode->i_size = 0;
-		inode->i_fop = &configfs_bin_file_operations;
-	} else {
-		inode->i_size = PAGE_SIZE;
-		inode->i_fop = &configfs_file_operations;
-	}
-	d_add(dentry, inode);
-	return 0;
-}
-
 static struct dentry * configfs_lookup(struct inode *dir,
 				       struct dentry *dentry,
 				       unsigned int flags)
 {
 	struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata;
 	struct configfs_dirent * sd;
-	int found = 0;
-	int err;
+	struct inode *inode = NULL;
 
 	/*
 	 * Fake invisibility if dir belongs to a group/default groups hierarchy
@@ -464,38 +433,53 @@ static struct dentry * configfs_lookup(struct inode *dir,
 	 * not complete their initialization, since the dentries of the
 	 * attributes won't be instantiated.
 	 */
-	err = -ENOENT;
 	if (!configfs_dirent_is_ready(parent_sd))
-		goto out;
+		return ERR_PTR(-ENOENT);
 
+	spin_lock(&configfs_dirent_lock);
 	list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
 		if (sd->s_type & CONFIGFS_NOT_PINNED) {
-			const unsigned char * name = configfs_get_name(sd);
-
+			const unsigned char *name = configfs_get_name(sd);
 			if (strcmp(name, dentry->d_name.name))
 				continue;
 
-			found = 1;
-			err = configfs_attach_attr(sd, dentry);
-			break;
-		}
-	}
+			struct configfs_attribute *attr = sd->s_element;
+			umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG;
 
-	if (!found) {
-		/*
-		 * If it doesn't exist and it isn't a NOT_PINNED item,
-		 * it must be negative.
-		 */
-		if (dentry->d_name.len > NAME_MAX)
-			return ERR_PTR(-ENAMETOOLONG);
-		d_add(dentry, NULL);
-		return NULL;
+			dentry->d_fsdata = configfs_get(sd);
+			sd->s_dentry = dentry;
+
+			spin_unlock(&configfs_dirent_lock);
+
+			inode = configfs_create(dentry, mode);
+			if (IS_ERR(inode)) {
+				configfs_put(sd);
+				return ERR_CAST(inode);
+			}
+			if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
+				inode->i_size = 0;
+				inode->i_fop = &configfs_bin_file_operations;
+			} else {
+				inode->i_size = PAGE_SIZE;
+				inode->i_fop = &configfs_file_operations;
+			}
+			goto out;
+		}
 	}
+	spin_unlock(&configfs_dirent_lock);
 
+	/*
+	 * If it doesn't exist and it isn't a NOT_PINNED item,
+	 * it must be negative.
+	 */
+	if (dentry->d_name.len > NAME_MAX)
+		return ERR_PTR(-ENAMETOOLONG);
 out:
-	return ERR_PTR(err);
+	d_add(dentry, inode);
+	return NULL;
 }
 
+
 /*
  * Only subdirectories count here.  Files (CONFIGFS_NOT_PINNED) are
  * attributes and are removed by rmdir().  We recurse, setting
-- 
2.17.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] configfs: fix a race in configfs_lookup()
  2021-08-23 19:43 [PATCH v2] configfs: fix a race in configfs_lookup() sishuaigong
@ 2021-08-23 23:33 ` kernel test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2021-08-23 23:33 UTC (permalink / raw)
  To: sishuaigong, jlbec, hch; +Cc: kbuild-all, linux-kernel, sishuaigong

[-- Attachment #1: Type: text/plain, Size: 3989 bytes --]

Hi sishuaigong,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on hch-configfs/for-next]
[also build test WARNING on v5.14-rc7 next-20210823]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/sishuaigong/configfs-fix-a-race-in-configfs_lookup/20210824-034517
base:   git://git.infradead.org/users/hch/configfs.git for-next
config: m68k-buildonly-randconfig-r006-20210822 (attached as .config)
compiler: m68k-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/ff28c41926fb184655325e34dba02c438963dcf5
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review sishuaigong/configfs-fix-a-race-in-configfs_lookup/20210824-034517
        git checkout ff28c41926fb184655325e34dba02c438963dcf5
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=m68k 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   fs/configfs/dir.c: In function 'configfs_lookup':
>> fs/configfs/dir.c:446:25: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
     446 |                         struct configfs_attribute *attr = sd->s_element;
         |                         ^~~~~~


vim +446 fs/configfs/dir.c

   419	
   420	static struct dentry * configfs_lookup(struct inode *dir,
   421					       struct dentry *dentry,
   422					       unsigned int flags)
   423	{
   424		struct configfs_dirent * parent_sd = dentry->d_parent->d_fsdata;
   425		struct configfs_dirent * sd;
   426		struct inode *inode = NULL;
   427	
   428		/*
   429		 * Fake invisibility if dir belongs to a group/default groups hierarchy
   430		 * being attached
   431		 *
   432		 * This forbids userspace to read/write attributes of items which may
   433		 * not complete their initialization, since the dentries of the
   434		 * attributes won't be instantiated.
   435		 */
   436		if (!configfs_dirent_is_ready(parent_sd))
   437			return ERR_PTR(-ENOENT);
   438	
   439		spin_lock(&configfs_dirent_lock);
   440		list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
   441			if (sd->s_type & CONFIGFS_NOT_PINNED) {
   442				const unsigned char *name = configfs_get_name(sd);
   443				if (strcmp(name, dentry->d_name.name))
   444					continue;
   445	
 > 446				struct configfs_attribute *attr = sd->s_element;
   447				umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG;
   448	
   449				dentry->d_fsdata = configfs_get(sd);
   450				sd->s_dentry = dentry;
   451	
   452				spin_unlock(&configfs_dirent_lock);
   453	
   454				inode = configfs_create(dentry, mode);
   455				if (IS_ERR(inode)) {
   456					configfs_put(sd);
   457					return ERR_CAST(inode);
   458				}
   459				if (sd->s_type & CONFIGFS_ITEM_BIN_ATTR) {
   460					inode->i_size = 0;
   461					inode->i_fop = &configfs_bin_file_operations;
   462				} else {
   463					inode->i_size = PAGE_SIZE;
   464					inode->i_fop = &configfs_file_operations;
   465				}
   466				goto out;
   467			}
   468		}
   469		spin_unlock(&configfs_dirent_lock);
   470	
   471		/*
   472		 * If it doesn't exist and it isn't a NOT_PINNED item,
   473		 * it must be negative.
   474		 */
   475		if (dentry->d_name.len > NAME_MAX)
   476			return ERR_PTR(-ENAMETOOLONG);
   477	out:
   478		d_add(dentry, inode);
   479		return NULL;
   480	}
   481	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 20766 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-08-23 23:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-23 19:43 [PATCH v2] configfs: fix a race in configfs_lookup() sishuaigong
2021-08-23 23:33 ` kernel test robot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).