From: l1za0.sec@gmail.com
To: gregkh@linuxfoundation.org
Cc: rafael@kernel.org, dakr@kernel.org, driver-core@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: [PATCH] sysfs: fix use-after-free in sysfs_create_dir_ns
Date: Wed, 1 Jul 2026 21:16:58 +0800
Message-ID: <20260701131658.11369-1-l1za0.sec@gmail.com>
From: Haocheng Yu <l1za0.sec@gmail.com>

A KASAN: slab-use-after-free Read in kernfs_next_descendant_post is
reported by a modified Syzkaller-based kernel fuzzing tool we
developed.

This problem is caused by a race condition between sysfs directory
creation for a child kobject and removal of the parent kobject. In this
case, the ueagle-atm driver starts an async firmware request for a
pre-firmware USB device. The firmware work falls back to the sysfs
firmware loader and tries to add a firmware class device under the USB
device while usb_disconnect() is removing the USB device from sysfs.

sysfs_create_dir_ns() reads kobj->parent->sd without taking a reference
to the parent kernfs_node. sysfs_remove_dir() may concurrently detach the
same parent from sysfs and drop the last kernfs reference. The following
kernfs_create_dir_ns() then uses a freed parent kernfs_node and
kernfs_activate() can dereference it, triggering a use-after-free.

To fix this vulnerability, take a kernfs reference to the parent while
holding sysfs_symlink_target_lock, the same lock that serializes
sysfs_remove_dir() against kobj->sd detachment. If the parent has already
been detached, fail the creation with -ENOENT. Drop the temporary
reference after the child directory creation attempt completes.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
fs/sysfs/dir.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index ffdcd4153c58..1883a4380250 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -46,10 +46,16 @@ int sysfs_create_dir_ns(struct kobject *kobj, const struct ns_common *ns)
if (WARN_ON(!kobj))
return -EINVAL;
- if (kobj->parent)
+ if (kobj->parent) {
+ spin_lock(&sysfs_symlink_target_lock);
parent = kobj->parent->sd;
- else
+ if (parent)
+ kernfs_get(parent);
+ spin_unlock(&sysfs_symlink_target_lock);
+ } else {
parent = sysfs_root_kn;
+ kernfs_get(parent);
+ }
if (!parent)
return -ENOENT;
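Review bot: the new lock use in this hunk needs a comment. sysfs_symlink_target_lock is named for the symlink code, and nothing next to `spin_lock(&sysfs_symlink_target_lock);` / `parent = kobj->parent->sd;` tells a reader that it is taken here because sysfs_remove_dir() clears kobj->sd under the same lock, which is what makes the kernfs_get() safe against the removal path dropping the last reference. Two further points worth stating: the reference only keeps the kernfs_node memory alive, and since the lock is released before the later kernfs_create_dir_ns() call, a parent removed in that window is handled by kernfs rejecting a child under a removed directory rather than by this lock, so the commit message should say so; and the `kernfs_get(parent);` on sysfs_root_kn in the else branch exists only so the kernfs_put() in the second hunk can be unconditional, which a one-line comment would make clear.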
@@ -61,10 +67,12 @@ int sysfs_create_dir_ns(struct kobject *kobj, const struct ns_common *ns)
if (IS_ERR(kn)) {
if (PTR_ERR(kn) == -EEXIST)
sysfs_warn_dup(parent, kobject_name(kobj));
+ kernfs_put(parent);
return PTR_ERR(kn);
}
kobj->sd = kn;
+ kernfs_put(parent);
return 0;
}
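Review bot: the two `kernfs_put(parent);` calls sit on two separate return paths, one after sysfs_warn_dup() and one after `kobj->sd = kn;`, which is easy to miss when a third return path is added later. The placement after sysfs_warn_dup(parent, ...) is right, since that call still dereferences parent, but because it is the only remaining user of parent the reference can be dropped once before the IS_ERR() check, e.g.
	if (IS_ERR(kn) && PTR_ERR(kn) == -EEXIST)
		sysfs_warn_dup(parent, kobject_name(kobj));
	kernfs_put(parent);
followed by the existing `return PTR_ERR(kn);` on error and `kobj->sd = kn;` on success.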
base-commit: 665159e246749578d4e4bfe106ee3b74edcdab18
--
2.51.0
Thread overview:
2026-07-01 13:16 l1za0.sec [this message]
2026-07-01 13:42 ` [PATCH] sysfs: fix use-after-free in sysfs_create_dir_ns Greg KH