From: Al Viro <viro@zeniv.linux.org.uk>
To: Yunseong Kim <ysk@kzalloc.com>
Cc: Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Pavel Machek <pavel@kernel.org>, Len Brown <len.brown@intel.com>,
byungchul@sk.com, max.byungchul.park@gmail.com,
linux-fsdevel@vger.kernel.org, linux-pm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs: Prevent panic from NULL dereference in alloc_fs_context() during do_exit()
Date: Mon, 5 May 2025 23:36:15 +0100 [thread overview]
Message-ID: <20250505223615.GK2023217@ZenIV> (raw)
In-Reply-To: <20250505203801.83699-2-ysk@kzalloc.com>
On Tue, May 06, 2025 at 05:38:02AM +0900, Yunseong Kim wrote:
> The function alloc_fs_context() assumes that current->nsproxy and its
> net_ns field are valid. However, this assumption can be violated in
> cases such as task teardown during do_exit(), where current->nsproxy can
> be NULL or already cleared.
>
> This issue was triggered during stress-ng's kernel-coverage.sh testing,
> Since alloc_fs_context() can be invoked in various contexts — including
> from asynchronous or teardown paths like do_exit() — it's difficult to
> guarantee that its input arguments are always valid.
>
> A follow-up patch will improve the granularity of this fix by moving the
> check closer to the actual mount trigger(e.g., in efivarfs_pm_notify()).
UGH.
> diff --git a/fs/fs_context.c b/fs/fs_context.c
> index 582d33e81117..529de43b8b5e 100644
> --- a/fs/fs_context.c
> +++ b/fs/fs_context.c
> @@ -282,6 +282,9 @@ static struct fs_context *alloc_fs_context(struct file_system_type *fs_type,
> struct fs_context *fc;
> int ret = -ENOMEM;
>
> + if (!current->nsproxy || !current->nsproxy->net_ns)
> + return ERR_PTR(-EINVAL);
> +
> fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL_ACCOUNT);
> if (!fc)
> return ERR_PTR(-ENOMEM);
That might paper over the oops, but I very much doubt that this will be
a correct fix... Note that in efivarfs_pm_notify() we have other
fun issues when run from such context - have task_work_add() fail in
fput() and if delayed_fput() runs right afterwards and
efivar_init(efivarfs_check_missing, sfi->sb, false);
in there might end up with UAF...
next prev parent reply other threads:[~2025-05-05 22:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-05 20:38 [PATCH] fs: Prevent panic from NULL dereference in alloc_fs_context() during do_exit() Yunseong Kim
2025-05-05 22:36 ` Al Viro [this message]
2025-05-05 22:58 ` Yunseong Kim
2025-05-06 8:45 ` Christian Brauner
2025-05-06 9:42 ` Yunseong Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250505223615.GK2023217@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=byungchul@sk.com \
--cc=jack@suse.cz \
--cc=len.brown@intel.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=max.byungchul.park@gmail.com \
--cc=pavel@kernel.org \
--cc=rafael@kernel.org \
--cc=ysk@kzalloc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.