From: Sasha Levin <levinsasha928@gmail.com>
To: Ming Lei <tom.leiming@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>, Dave Jones <davej@redhat.com>,
Greg Kroah-Hartman <greg@kroah.com>,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: use after free in sysfs_find_dirent
Date: Sun, 17 Mar 2013 10:24:54 -0400
Message-ID: <5145D236.70203@gmail.com>
In-Reply-To: <CACVXFVOKi=wKsLP850XJ95P=e1B2z+CP=t0GATCZL0gNDOCwnA@mail.gmail.com>
On 03/16/2013 09:02 PM, Ming Lei wrote:
> On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin <levinsasha928@gmail.com> wrote:
>>
>> I don't think it shows what we want it to show though:
>>
>> [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: G W 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301
>> [ 327.418815] Call Trace:
>> [ 327.419255] [<ffffffff812f880e>] release_sysfs_dirent+0x4e/0x120
>> [ 327.420595] [<ffffffff812f89d2>] sysfs_dir_pos+0x92/0x130
>> [ 327.421608] [<ffffffff812f8b8d>] sysfs_readdir+0x11d/0x280
>> [ 327.422562] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
>> [ 327.423441] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
>> [ 327.424314] [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
>> [ 327.425263] [<ffffffff8128b54c>] SyS_getdents+0x8c/0x110
>> [ 327.426173] [<ffffffff83d919d8>] tracesys+0xe1/0xe6
>>
>
> Sasha, it looks like there is a race when sys_readdir() is run concurrently
> on the same directory, and the patch below may fix the race; could you test the
> attached patch to see if the use after free can be fixed?
I still see it going on with the patch applied:
[ 521.881968] release_sysfs_dirent sysfs_dirent use after free: altera_jtaguart-bind
[ 521.883202] Pid: 29624, comm: trinity-child51 Tainted: G W 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #302
[ 521.885030] Call Trace:
[ 521.885503] [<ffffffff812f880e>] release_sysfs_dirent+0x4e/0x120
[ 521.886559] [<ffffffff812f89d2>] sysfs_dir_pos+0x92/0x130
[ 521.887514] [<ffffffff812f8bd4>] sysfs_readdir+0x164/0x2c0
[ 521.888403] [<ffffffff8128b170>] ? filldir+0x100/0x100
[ 521.889241] [<ffffffff8128b170>] ? filldir+0x100/0x100
[ 521.890222] [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
[ 521.891028] [<ffffffff8117999d>] ? trace_hardirqs_on+0xd/0x10
[ 521.891976] [<ffffffff8128b660>] SyS_getdents64+0x90/0x120
[ 521.892831] [<ffffffff83d91a18>] tracesys+0xe1/0xe6
[ 526.910352] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 526.911625] Dumping ftrace buffer:
[ 526.912158] (ftrace buffer empty)
[ 526.912715] Modules linked in:
[ 526.913213] CPU 3
[ 526.913521] Pid: 374, comm: trinity-child86 Tainted: G W 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #302
[ 526.915342] RIP: 0010:[<ffffffff812f8a10>] [<ffffffff812f8a10>] sysfs_dir_pos+0xd0/0x130
[ 526.916622] RSP: 0018:ffff88008caa9e18 EFLAGS: 00010202
[ 526.917453] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800b417d128 RCX: ffff8800b417cb70
[ 526.918525] RDX: 000000006b6b6b6b RSI: ffff8800b417c988 RDI: 0000000000000000
[ 526.919579] RBP: ffff88008caa9e48 R08: 2222222222222222 R09: 2222222222222222
[ 526.920058] R10: 2222222222222222 R11: 0000000000000000 R12: 0000000000000000
[ 526.920058] R13: 0000000049619f4a R14: ffff8800b417c988 R15: 0000000000000000
[ 526.920058] FS: 00007fd9e349b700(0000) GS:ffff8800bbe00000(0000) knlGS:0000000000000000
[ 526.920058] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 526.920058] CR2: 0000000100000000 CR3: 0000000084c61000 CR4: 00000000000406e0
[ 526.920058] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 526.920058] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 526.920058] Process trinity-child86 (pid: 374, threadinfo ffff88008caa8000, task ffff880082a63000)
[ 526.920058] Stack:
[ 526.920058] ffff8800a4d26088 ffff88008dc7f180 ffff88008dc7f180 0000000000000000
[ 526.920058] ffff8800a4d26088 ffff8800a4d25fa0 ffff88008caa9eb8 ffffffff812f8bd4
[ 526.920058] 2222222222222222 2222222222222222 ffff88008caa9e98 ffffffff8128b170
[ 526.920058] Call Trace:
[ 526.920058] [<ffffffff812f8bd4>] sysfs_readdir+0x164/0x2c0
[ 526.920058] [<ffffffff8128b170>] ? filldir+0x100/0x100
[ 526.920058] [<ffffffff8128b170>] ? filldir+0x100/0x100
[ 526.920058] [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
[ 526.920058] [<ffffffff8117999d>] ? trace_hardirqs_on+0xd/0x10
[ 526.920058] [<ffffffff8128b660>] SyS_getdents64+0x90/0x120
[ 526.920058] [<ffffffff83d91a18>] tracesys+0xe1/0xe6
[ 526.920058] Code: 44 00 00 48 85 db 74 6d 4c 39 63 68 75 45 eb 65 0f 1f 00 49 81 fd fe ff ff 7f 7f 59 49 8b 86 88 00 00 00 48 85 c0 74 4d 0f 1f 00 <8b> 50 28 48 8d 58 b8 49 39 d5 7d 0c 48 8b 40 10 eb 0c 66 0f 1f
[ 526.920058] RIP [<ffffffff812f8a10>] sysfs_dir_pos+0xd0/0x130
[ 526.920058] RSP <ffff88008caa9e18>
[ 526.946105] ---[ end trace ec3353999032c934 ]---
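A note on reading the register dump above, followed by an added example that is not part of this thread or of any kernel tool. The faulting bytes `<8b> 50 28` decode to `mov 0x28(%rax),%edx`, a load through RAX, and RAX holds 0x6b6b6b6b6b6b6b6b, the POISON_FREE byte pattern that slab debugging writes over freed objects. That is the register-level signature of reading through a pointer into freed memory, which is exactly what the "sysfs_dirent use after free" message claims. The script below scans an oops for 64-bit register values made of that poison byte and reports them; the `SAMPLE_OOPS` text is a constructed excerpt mirroring the lines above, and the register-line regex and the `min_bytes` threshold are this example's own choices.

```python
import re

# Slab poison byte (POISON_FREE) written over freed objects when slab debugging
# poisoning is enabled. A register holding this repeated byte is a strong sign
# that the kernel read through a pointer into freed slab memory.
POISON_FREE = 0x6B

# Constructed excerpt mirroring the register dump in the mail above.
SAMPLE_OOPS = """\
[  526.920058] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800b417d128 RCX: ffff8800b417cb70
[  526.920058] RDX: 000000006b6b6b6b RSI: ffff8800b417c988 RDI: 0000000000000000
[  526.920058] RBP: ffff88008caa9e48 R08: 2222222222222222 R09: 2222222222222222
"""

# Matches "RAX: <16 hex digits>", "R08: <16 hex digits>", etc. RIP and RSP lines
# carry a segment prefix ("0010:[<...>]", "0018:ffff...") and are deliberately
# skipped, since their values are addresses rather than loaded data.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})\b")


def parse_registers(text):
    """Return {register_name: int} for every 64-bit register value in an x86-64 oops."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def poisoned_bytes(value, poison=POISON_FREE):
    """Count how many of the 8 bytes of a 64-bit value equal the poison byte."""
    return sum(1 for i in range(8) if (value >> (8 * i)) & 0xFF == poison)


def find_poisoned_registers(text, min_bytes=4):
    """Registers whose value is mostly slab poison.

    A fully poisoned register (8 bytes) is typically a pointer loaded from a
    freed object; a half-poisoned one (low 4 bytes, e.g. RDX above) is typically
    a 32-bit field read through such a pointer. Returns {name: poisoned_byte_count}.
    """
    regs = parse_registers(text)
    return {
        name: poisoned_bytes(value)
        for name, value in regs.items()
        if poisoned_bytes(value) >= min_bytes
    }


def looks_like_use_after_free(text):
    """True when at least one register is entirely POISON_FREE bytes."""
    return any(count == 8 for count in find_poisoned_registers(text).values())


if __name__ == "__main__":
    hits = find_poisoned_registers(SAMPLE_OOPS)
    for name, count in sorted(hits.items()):
        print(f"{name}: {count}/8 bytes are POISON_FREE (0x{POISON_FREE:02x})")
    print("use-after-free signature:", looks_like_use_after_free(SAMPLE_OOPS))
```

Run against the sample it reports RAX as fully poisoned and RDX as half poisoned, which matches the decoded faulting instruction: a 32-bit load into EDX from offset 0x28 of the freed object that RAX points to. The same scan applied to a dump without slab poisoning enabled will find nothing, so the check is only meaningful on kernels built with slab debug poisoning, as the trinity box here evidently was.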