From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sahitya Tummala <stummala@codeaurora.org>,
Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 27/45] configfs: Fix use-after-free when accessing sd->s_dentry
Date: Thu, 20 Jun 2019 19:57:29 +0200 [thread overview]
Message-ID: <20190620174338.663341683@linuxfoundation.org> (raw)
In-Reply-To: <20190620174328.608036501@linuxfoundation.org>
[ Upstream commit f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 ]
In the vfs_statx() context, during path lookup, the dentry gets
added to sd->s_dentry via configfs_attach_attr(). In the end,
vfs_statx() kills the dentry by calling path_put(), which invokes
configfs_d_iput(). Ideally, this dentry must be removed from
sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result,
sd->s_dentry is holding reference to a stale dentry pointer whose
memory is already freed up. This results in use-after-free issue,
when this stale sd->s_dentry is accessed later in
configfs_readdir() path.
This issue can be easily reproduced, by running the LTP test case -
sh fs_racer_file_list.sh /config
(https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh)
Fixes: 76ae281f6307 ('configfs: fix race between dentry put and lookup')
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/configfs/dir.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index d7955dc56737..a1985a9ad2d6 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry,
if (sd) {
/* Coordinate with configfs_readdir */
spin_lock(&configfs_dirent_lock);
- /* Coordinate with configfs_attach_attr where will increase
- * sd->s_count and update sd->s_dentry to new allocated one.
- * Only set sd->dentry to null when this dentry is the only
- * sd owner.
- * If not do so, configfs_d_iput may run just after
- * configfs_attach_attr and set sd->s_dentry to null
- * even it's still in use.
+ /*
+ * Set sd->s_dentry to null only when this dentry is the one
+ * that is going to be killed. Otherwise configfs_d_iput may
+ * run just after configfs_attach_attr and set sd->s_dentry to
+ * NULL even it's still in use.
*/
- if (atomic_read(&sd->s_count) <= 2)
+ if (sd->s_dentry == dentry)
sd->s_dentry = NULL;
spin_unlock(&configfs_dirent_lock);
--
2.20.1
next prev parent reply other threads:[~2019-06-20 18:09 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 17:57 [PATCH 4.14 00/45] 4.14.129-stable review Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 01/45] perf machine: Guard against NULL in machine__exit() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 02/45] ax25: fix inconsistent lock state in ax25_destroy_timer Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 03/45] be2net: Fix number of Rx queues used for flow hashing Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 04/45] ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 05/45] lapb: fixed leak of control-blocks Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 06/45] neigh: fix use-after-free read in pneigh_get_next Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 07/45] net: openvswitch: do not free vport if register_netdevice() is failed Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 08/45] sctp: Free cookie before we memdup a new one Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 09/45] sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 10/45] Staging: vc04_services: Fix a couple error codes Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 11/45] perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 12/45] netfilter: nf_queue: fix reinject verdict handling Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 13/45] ipvs: Fix use-after-free in ip_vs_in Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 14/45] selftests: netfilter: missing error check when setting up veth interface Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 15/45] clk: ti: clkctrl: Fix clkdm_clk handling Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 16/45] powerpc/powernv: Return for invalid IMC domain Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 17/45] mISDN: make sure device name is NUL terminated Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 18/45] x86/CPU/AMD: Dont force the CPB cap when running under a hypervisor Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 19/45] perf/ring_buffer: Fix exposing a temporarily decreased data_head Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 20/45] perf/ring_buffer: Add ordering to rb->nest increment Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 21/45] perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 22/45] gpio: fix gpio-adp5588 build errors Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 23/45] net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 24/45] net: aquantia: fix LRO with FCS error Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 25/45] i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 26/45] ALSA: hda - Force polling mode on CNL for fixing codec communication Greg Kroah-Hartman
2019-06-20 17:57 ` Greg Kroah-Hartman [this message]
2019-06-20 17:57 ` [PATCH 4.14 28/45] perf data: Fix strncat may truncate build failure with recent gcc Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 29/45] perf record: Fix s390 missing module symbol and warning for non-root users Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 30/45] ia64: fix build errors by exporting paddr_to_nid() Greg Kroah-Hartman
2019-06-20 17:57 ` Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 31/45] KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 32/45] KVM: PPC: Book3S HV: Dont take kvm->lock around kvm_for_each_vcpu Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 33/45] net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 34/45] net: phy: dp83867: Set up RGMII TX delay Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 35/45] scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 36/45] scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 37/45] scsi: scsi_dh_alua: Fix possible null-ptr-deref Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 38/45] scsi: libsas: delete sas port if expander discover failed Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 39/45] mlxsw: spectrum: Prevent force of 56G Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 40/45] HID: wacom: Dont set tool type until were in range Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 41/45] HID: wacom: Dont report anything prior to the tool entering range Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 42/45] HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 43/45] coredump: fix race condition between collapse_huge_page() and core dumping Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 44/45] infiniband: fix race condition between infiniband mlx4, mlx5 driver " Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.14 45/45] Abort file_remove_privs() for non-reg. files Greg Kroah-Hartman
2019-06-20 21:51 ` [PATCH 4.14 00/45] 4.14.129-stable review kernelci.org bot
2019-06-21 3:49 ` Naresh Kamboju
2019-06-22 0:44 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190620174338.663341683@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stummala@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.