From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, ChenXiaoSong <chenxiaosong2@huawei.com>,
Laibin Qiu <qiulaibin@huawei.com>, Christoph Hellwig <hch@lst.de>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 14/34] configfs: fix a race in configfs_{,un}register_subsystem()
Date: Mon, 28 Feb 2022 18:24:20 +0100 [thread overview]
Message-ID: <20220228172209.596557623@linuxfoundation.org> (raw)
In-Reply-To: <20220228172207.090703467@linuxfoundation.org>
From: ChenXiaoSong <chenxiaosong2@huawei.com>
[ Upstream commit 84ec758fb2daa236026506868c8796b0500c047d ]
When configfs_register_subsystem() or configfs_unregister_subsystem()
is executing link_group() or unlink_group(),
it is possible that two processes add or delete list concurrently.
Some unfortunate interleavings of them can cause kernel panic.
One of cases is:
A --> B --> C --> D
A <-- B <-- C <-- D
delete list_head *B | delete list_head *C
--------------------------------|-----------------------------------
configfs_unregister_subsystem | configfs_unregister_subsystem
unlink_group | unlink_group
unlink_obj | unlink_obj
list_del_init | list_del_init
__list_del_entry | __list_del_entry
__list_del | __list_del
// next == C |
next->prev = prev |
| next->prev = prev
prev->next = next |
| // prev == B
| prev->next = next
Fix this by adding mutex when calling link_group() or unlink_group(),
but parent configfs_subsystem is NULL when config_item is root.
So I create a mutex configfs_subsystem_mutex.
Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem")
Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/configfs/dir.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index f9628fc20fec0..796a6cd5f302f 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -50,6 +50,14 @@ DECLARE_RWSEM(configfs_rename_sem);
*/
DEFINE_SPINLOCK(configfs_dirent_lock);
+/*
+ * All of link_obj/unlink_obj/link_group/unlink_group require that
+ * subsys->su_mutex is held.
+ * But parent configfs_subsystem is NULL when config_item is root.
+ * Use this mutex when config_item is root.
+ */
+static DEFINE_MUTEX(configfs_subsystem_mutex);
+
static void configfs_d_iput(struct dentry * dentry,
struct inode * inode)
{
@@ -1937,7 +1945,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys)
group->cg_item.ci_name = group->cg_item.ci_namebuf;
sd = root->d_fsdata;
+ mutex_lock(&configfs_subsystem_mutex);
link_group(to_config_group(sd->s_element), group);
+ mutex_unlock(&configfs_subsystem_mutex);
inode_lock_nested(d_inode(root), I_MUTEX_PARENT);
@@ -1962,7 +1972,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys)
inode_unlock(d_inode(root));
if (err) {
+ mutex_lock(&configfs_subsystem_mutex);
unlink_group(group);
+ mutex_unlock(&configfs_subsystem_mutex);
configfs_release_fs();
}
put_fragment(frag);
@@ -2008,7 +2020,9 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys)
dput(dentry);
+ mutex_lock(&configfs_subsystem_mutex);
unlink_group(group);
+ mutex_unlock(&configfs_subsystem_mutex);
configfs_release_fs();
}
--
2.34.1
next prev parent reply other threads:[~2022-02-28 17:34 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 17:24 [PATCH 4.19 00/34] 4.19.232-rc1 review Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 01/34] cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug Greg Kroah-Hartman
2022-03-08 15:12 ` Michal Koutný
2022-03-14 8:06 ` Greg Kroah-Hartman
2022-03-14 9:11 ` Zhang Qiao
2022-03-14 11:19 ` Michal Koutný
2022-03-16 14:27 ` Greg Kroah-Hartman
2022-03-17 2:41 ` Zhang Qiao
2022-03-17 10:24 ` Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 02/34] vhost/vsock: dont check owner in vhost_vsock_stop() while releasing Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 03/34] parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 04/34] parisc/unaligned: Fix ldw() and stw() unalignment handlers Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 05/34] sr9700: sanity check for packet length Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 06/34] USB: zaurus: support another broken Zaurus Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 07/34] ping: remove pr_err from ping_lookup Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 08/34] net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 09/34] tipc: Fix end of loop tests for list_for_each_entry() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 10/34] gso: do not skip outer ip header in case of ipip and net_failover Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 11/34] openvswitch: Fix setting ipv6 fields causing hw csum failure Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 12/34] drm/edid: Always set RGB444 Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 13/34] net/mlx5e: Fix wrong return value on ioctl EEPROM query failure Greg Kroah-Hartman
2022-02-28 17:24 ` Greg Kroah-Hartman [this message]
2022-02-28 17:24 ` [PATCH 4.19 15/34] RDMA/ib_srp: Fix a deadlock Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 16/34] tty: n_gsm: fix proper link termination after failed open Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 17/34] gpio: tegra186: Fix chip_data type confusion Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 18/34] Revert "drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR" Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 19/34] memblock: use kfree() to release kmalloced memblock regions Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 20/34] fget: clarify and improve __fget_files() implementation Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 21/34] tracing: Have traceon and traceoff trigger honor the instance Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 22/34] iio: adc: men_z188_adc: Fix a resource leak in an error handling path Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 23/34] ata: pata_hpt37x: disable primary channel on HPT371 Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 24/34] Revert "USB: serial: ch341: add new Product ID for CH341A" Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 25/34] usb: gadget: rndis: add spinlock for rndis response list Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 26/34] USB: gadget: validate endpoint index for xilinx udc Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 27/34] tracefs: Set the group ownership in apply_options() not parse_options() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 28/34] USB: serial: option: add support for DW5829e Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 29/34] USB: serial: option: add Telit LE910R1 compositions Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 30/34] usb: dwc3: pci: Fix Bay Trail phy GPIO mappings Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 31/34] usb: dwc3: gadget: Let the interrupt handler disable bottom halves Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 32/34] xhci: re-initialize the HC during resume if HCE was set Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 33/34] xhci: Prevent futile URB re-submissions due to incorrect return value Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 4.19 34/34] tty: n_gsm: fix encoding of control signal octet bit DV Greg Kroah-Hartman
2022-02-28 21:21 ` [PATCH 4.19 00/34] 4.19.232-rc1 review Pavel Machek
2022-02-28 21:42 ` Shuah Khan
2022-03-01 9:13 ` Jon Hunter
2022-03-01 11:32 ` Sudip Mukherjee
2022-03-01 16:37 ` Naresh Kamboju
2022-03-01 18:23 ` Jeffrin Thalakkottoor
2022-03-01 19:10 ` Guenter Roeck
2022-03-01 19:36 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220228172209.596557623@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chenxiaosong2@huawei.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=qiulaibin@huawei.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.