Linux driver-core infrastructure
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: l1za0.sec@gmail.com
Cc: rafael@kernel.org, dakr@kernel.org, driver-core@lists.linux.dev,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sysfs: fix use-after-free in sysfs_create_dir_ns
Date: Wed, 1 Jul 2026 15:42:49 +0200	[thread overview]
Message-ID: <2026070131-bonus-garbage-7487@gregkh> (raw)
In-Reply-To: <20260701131658.11369-1-l1za0.sec@gmail.com>

On Wed, Jul 01, 2026 at 09:16:58PM +0800, l1za0.sec@gmail.com wrote:
> From: Haocheng Yu <l1za0.sec@gmail.com>
> 
> A KASAN: slab-use-after-free Read in kernfs_next_descendant_post is
> reported by a modified Syzkaller-based kernel fuzzing tool we
> developed.
> 
> This problem is caused by a race condition between sysfs directory
> creation for a child kobject and removal of the parent kobject. In this
> case, the ueagle-atm driver starts an async firmware request for a
> pre-firmware USB device. The firmware work falls back to the sysfs
> firmware loader and tries to add a firmware class device under the USB
> device while usb_disconnect() is removing the USB device from sysfs.

And that is the problem, that root issue needs to be fixed, and I think
we have patches in the queue to do so.  Can you test them instead?


> 
> sysfs_create_dir_ns() reads kobj->parent->sd without taking a reference
> to the parent kernfs_node. sysfs_remove_dir() may concurrently detach the
> same parent from sysfs and drop the last kernfs reference. The following
> kernfs_create_dir_ns() then uses a freed parent kernfs_node and
> kernfs_activate() can dereference it, triggering a use-after-free.
> 
> To fix this vulnerability, take a kernfs reference to the parent while
> holding sysfs_symlink_target_lock, the same lock that serializes
> sysfs_remove_dir() against kobj->sd detachment. If the parent has already
> been detached, fail the creation with -ENOENT. Drop the temporary
> reference after the child directory creation attempt completes.

This is not a "vulnerability" it is a bug in the callers to "do not do
that!" so let's fix the real issue here instead of papering over it in
sysfs.

Given just how old this USB driver is, and the fact that no one has this
hardware, it's not like this is a new issue :)

thanks,

greg k-h

      reply	other threads:[~2026-07-01 13:42 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 13:16 [PATCH] sysfs: fix use-after-free in sysfs_create_dir_ns l1za0.sec
2026-07-01 13:42 ` Greg KH [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026070131-bonus-garbage-7487@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=dakr@kernel.org \
    --cc=driver-core@lists.linux.dev \
    --cc=l1za0.sec@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rafael@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox