* [PATCH v2 0/2] Fix slab-out-of-bounds Write in dbgfs_rm_context_write
From: SeongJae Park @ 2022-11-07 16:49 UTC (permalink / raw)
  To: Andrew Morton
  Cc: SeongJae Park, Shuah Khan, damon, linux-mm, linux-kselftest,
	linux-kernel

Changes from v1
(https://lore.kernel.org/damon/20221031182554.7882-1-sj@kernel.org/)
- Rebase on latest mm-unstable

---

This patchset is for fixing (patch 1) the syzbot-reported
slab-out-of-bounds write in dbgfs_rm_context_write[1], and adding a
selftest for the bug (patch 2).

[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/

SeongJae Park (2):
  mm/damon/dbgfs: check if rm_contexts input is for a real context
  selftests/damon: test non-context inputs to rm_contexts file

 mm/damon/dbgfs.c                              |  7 +++++++
 tools/testing/selftests/damon/Makefile        |  1 +
 .../damon/debugfs_rm_non_contexts.sh          | 19 +++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100755 tools/testing/selftests/damon/debugfs_rm_non_contexts.sh

-- 
2.25.1



* [PATCH v2 1/2] mm/damon/dbgfs: check if rm_contexts input is for a real context
From: SeongJae Park @ 2022-11-07 16:50 UTC (permalink / raw)
  To: Andrew Morton
  Cc: damon, linux-mm, linux-kernel, SeongJae Park,
	syzbot+6087eafb76a94c4ac9eb, stable

A user could write a name of a file under 'damon/' debugfs directory,
which is not a user-created context, to 'rm_contexts' file.  In the
case, 'dbgfs_rm_context()' just assumes it's the valid DAMON context
directory only if a file of the name exists.  As a result, invalid memory
access could happen as below.  Fix the bug by checking if the given
input is for a directory.  This check can filter out non-context inputs
because directories under 'damon/' debugfs directory can be created
only via the 'mk_contexts' file.

This bug was found by syzbot[1].

[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/

Reported-by: syzbot+6087eafb76a94c4ac9eb@syzkaller.appspotmail.com
Fixes: 75c1c2b53c78 ("mm/damon/dbgfs: support multiple contexts")
Cc: <stable@vger.kernel.org> # 5.15.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/dbgfs.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/damon/dbgfs.c b/mm/damon/dbgfs.c
index 6f0ae7d3ae39..b3f454a5c682 100644
--- a/mm/damon/dbgfs.c
+++ b/mm/damon/dbgfs.c
@@ -890,6 +890,7 @@ static ssize_t dbgfs_mk_context_write(struct file *file,
 static int dbgfs_rm_context(char *name)
 {
 	struct dentry *root, *dir, **new_dirs;
+	struct inode *inode;
 	struct damon_ctx **new_ctxs;
 	int i, j;
 	int ret = 0;
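Review bot: the new `inode` local is read exactly once, in the `S_ISDIR()` check of the next hunk, so `if (!S_ISDIR(d_inode(dir)->i_mode))` would do without the extra declaration. Style only; the placement among the other locals is fine.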
@@ -905,6 +906,12 @@ static int dbgfs_rm_context(char *name)
 	if (!dir)
 		return -ENOENT;
 
+	inode = d_inode(dir);
+	if (!S_ISDIR(inode->i_mode)) {
+		ret = -EINVAL;
+		goto out_dput;
+	}
+
 	new_dirs = kmalloc_array(dbgfs_nr_ctxs - 1, sizeof(*dbgfs_dirs),
 			GFP_KERNEL);
 	if (!new_dirs) {
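Review bot: the new `goto out_dput` path runs after the `dir` lookup succeeded, so it depends on the `out_dput` label dropping the reference held on `dir`; that label is outside the visible context, so please confirm it does a `dput(dir)` (the `return -ENOENT` just above can return directly only because the lookup returned nothing). The check itself is the right gate: as the commit message says, directories under 'damon/' can only come from 'mk_contexts', so a regular-file name such as 'rm_contexts' now yields `-EINVAL` instead of being treated as an entry of `dbgfs_dirs` and driving the `kmalloc_array(dbgfs_nr_ctxs - 1, ...)` copy below.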
-- 
2.25.1


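As an added user-space illustration of the gate this patch introduces (example code written here, not the patch's or the kernel's), the program below applies the same rule with `fstatat()` and `S_ISDIR()`: a name under a 'damon/'-like root is accepted as a context only when it resolves to a directory, and a name that exists but is a regular file (the 'rm_contexts' case from the report) is rejected. The sandbox directory, its file names, the `ctx0` context and the `is_context_dir`/`run_checks` functions are all constructed for this example; it goes slightly beyond the kernel check by also refusing multi-component names, which `debugfs_lookup()` never sees but a user-space port would.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the regular files under the 'damon/' debugfs
 * root; 'rm_contexts' is the name the syzbot reproducer wrote to the file. */
static const char *const sandbox_files[] = {
	"attrs", "mk_contexts", "rm_contexts", "monitor_on"
};
#define NR_SANDBOX_FILES (sizeof(sandbox_files) / sizeof(sandbox_files[0]))

/*
 * User-space equivalent of the fixed dbgfs_rm_context() gate.
 * Returns 1 when 'name' is a directory under rootfd (a real context),
 * 0 when it exists but is not a directory (the fix's -EINVAL case),
 * -1 when it does not exist or is not one path component (-ENOENT).
 */
static int is_context_dir(int rootfd, const char *name)
{
	struct stat st;

	/* debugfs_lookup() resolves a single component; refuse anything else */
	if (!name || !*name || strchr(name, '/') ||
	    !strcmp(name, ".") || !strcmp(name, ".."))
		return -1;
	if (fstatat(rootfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
		return -1;
	return S_ISDIR(st.st_mode) ? 1 : 0;
}

/* Build the sandbox: the files above plus one context directory 'ctx0',
 * as if created through mk_contexts. Returns a dirfd, or -1 on failure. */
static int make_sandbox(char *path, size_t len)
{
	char tmpl[] = "/tmp/damon_dbgfs_XXXXXX";
	char buf[4096];
	size_t i;
	int fd;

	if (!mkdtemp(tmpl))
		return -1;
	snprintf(path, len, "%s", tmpl);
	for (i = 0; i < NR_SANDBOX_FILES; i++) {
		snprintf(buf, sizeof(buf), "%s/%s", tmpl, sandbox_files[i]);
		fd = open(buf, O_CREAT | O_WRONLY, 0600);
		if (fd < 0)
			return -1;
		close(fd);
	}
	snprintf(buf, sizeof(buf), "%s/ctx0", tmpl);
	if (mkdir(buf, 0700) < 0)
		return -1;
	return open(tmpl, O_RDONLY | O_DIRECTORY);
}

static void remove_sandbox(const char *path)
{
	char buf[4096];
	size_t i;

	for (i = 0; i < NR_SANDBOX_FILES; i++) {
		snprintf(buf, sizeof(buf), "%s/%s", path, sandbox_files[i]);
		unlink(buf);
	}
	snprintf(buf, sizeof(buf), "%s/ctx0", path);
	rmdir(buf);
	rmdir(path);
}

/* Classify every interesting input; returns the number of verdicts that
 * differ from what the fixed kernel code would give (0 = all as expected),
 * or -1 if the sandbox could not be built. */
int run_checks(void)
{
	char path[64];
	int rootfd = make_sandbox(path, sizeof(path));
	int bad = 0;

	if (rootfd < 0)
		return -1;
	bad += is_context_dir(rootfd, "ctx0") != 1;        /* real context */
	bad += is_context_dir(rootfd, "rm_contexts") != 0; /* exists, not a dir */
	bad += is_context_dir(rootfd, "attrs") != 0;
	bad += is_context_dir(rootfd, "nosuch") != -1;     /* no such entry */
	bad += is_context_dir(rootfd, "../etc") != -1;     /* multi-component */
	close(rootfd);
	remove_sandbox(path);
	return bad;
}

int main(void)
{
	int bad = run_checks();

	printf("%s: %d mismatches\n", bad ? "FAIL" : "ok", bad);
	return bad != 0;
}
```

The two error values are kept distinct on purpose: a missing entry maps to the kernel's `-ENOENT`, while an entry that exists but is not a directory maps to the new `-EINVAL`, which is what lets a caller (or a selftest) tell the pre-fix and post-fix behaviour apart.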

* [PATCH v2 2/2] selftests/damon: test non-context inputs to rm_contexts file
From: SeongJae Park @ 2022-11-07 16:50 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Shuah Khan, damon, linux-mm, linux-kselftest, linux-kernel,
	SeongJae Park

There was a bug[1] that was triggered by writing non-context DAMON debugfs
file names to the 'rm_contexts' DAMON debugfs file.  Add a selftest for
the bug to avoid it happening again.

[1] https://lore.kernel.org/damon/000000000000ede3ac05ec4abf8e@google.com/

Signed-off-by: SeongJae Park <sj@kernel.org>
---
 tools/testing/selftests/damon/Makefile        |  1 +
 .../damon/debugfs_rm_non_contexts.sh          | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100755 tools/testing/selftests/damon/debugfs_rm_non_contexts.sh

diff --git a/tools/testing/selftests/damon/Makefile b/tools/testing/selftests/damon/Makefile
index af490acc5348..838a8e49f77b 100644
--- a/tools/testing/selftests/damon/Makefile
+++ b/tools/testing/selftests/damon/Makefile
@@ -7,6 +7,7 @@ TEST_FILES = _chk_dependency.sh _debugfs_common.sh
 TEST_PROGS = debugfs_attrs.sh debugfs_schemes.sh debugfs_target_ids.sh
 TEST_PROGS += debugfs_empty_targets.sh debugfs_huge_count_read_write.sh
 TEST_PROGS += debugfs_duplicate_context_creation.sh
+TEST_PROGS += debugfs_rm_non_contexts.sh
 TEST_PROGS += sysfs.sh
 TEST_PROGS += reclaim.sh lru_sort.sh
 
diff --git a/tools/testing/selftests/damon/debugfs_rm_non_contexts.sh b/tools/testing/selftests/damon/debugfs_rm_non_contexts.sh
new file mode 100755
index 000000000000..48b7af6b022c
--- /dev/null
+++ b/tools/testing/selftests/damon/debugfs_rm_non_contexts.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+source _debugfs_common.sh
+
+# Test putting non-ctx files/dirs to rm_contexts file
+# ===================================================
+
+dmesg -C
+
+for file in "$DBGFS/"*
+do
+	echo "$(basename "$f")" > "$DBGFS/rm_contexts"
+	if dmesg | grep -q BUG
+	then
+		dmesg
+		exit 1
+	fi
+done
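Review bot: the loop variable is `file` but the body expands `$f`, which is never set, so every iteration writes the output of `basename ""` (an empty line) to rm_contexts and the non-context names the test is meant to exercise are never written; this should be `echo "$(basename "$file")" > "$DBGFS/rm_contexts"`. Also, once the fix is in, each of those writes is expected to fail with EINVAL or ENOENT, so adding `2> /dev/null` to the redirect keeps the expected shell write errors out of the test output; the `dmesg -C` / `grep -q BUG` oracle is fine for the KASAN splat in the report, but like the other scripts here it needs root.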
-- 
2.25.1


