From: Steven Rostedt <rostedt@goodmis.org>
To: Mathias Krause <minipli@grsecurity.net>
Cc: "Masami Hiramatsu" <mhiramat@kernel.org>,
"Ajay Kaher" <ajay.kaher@broadcom.com>,
"Ilkka Naulapää" <digirigawa@gmail.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Al Viro" <viro@zeniv.linux.org.uk>,
linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org,
regressions@leemhuis.info,
"Dan Carpenter" <dan.carpenter@linaro.org>
Subject: Re: tracing: user events UAF crash report
Date: Tue, 23 Jul 2024 10:43:48 -0400
Message-ID: <20240723104348.645bf027@gandalf.local.home>
In-Reply-To: <20240719204701.1605950-1-minipli@grsecurity.net>
On Fri, 19 Jul 2024 22:47:01 +0200
Mathias Krause <minipli@grsecurity.net> wrote:
> Besides the obvious bug, I noticed the following (not fixing the issue,
> tho):
>
> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
> index 5d88c184f0fc..687ad0a26458 100644
> --- a/fs/tracefs/event_inode.c
> +++ b/fs/tracefs/event_inode.c
> @@ -112,7 +112,7 @@ static void release_ei(struct kref *ref)
> entry->release(entry->name, ei->data);
> }
>
> - call_rcu(&ei->rcu, free_ei_rcu);
> + call_srcu(&eventfs_srcu, &ei->rcu, free_ei_rcu);
> }
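Review bot: changing call_rcu() to call_srcu(&eventfs_srcu, ...) only keeps readers safe if every reader of an eventfs_inode that this deferred free protects runs under srcu_read_lock(&eventfs_srcu); any reader that still relies on plain rcu_read_lock() loses its grace-period guarantee with this hunk. The hunk shows neither the reader side nor a changelog, so the patch should name the SRCU read-side sections it pairs with (or state that no plain-RCU reader of ei remains), and free_ei_rcu(), which is unchanged here, should be checked against the same assumption.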
This should be fixed too. Care to send a patch for this as well?
It used to need RCU but then everything was switched over to SRCU. This was
just leftover.
>
> static inline void put_ei(struct eventfs_inode *ei)
> @@ -735,7 +735,9 @@ struct eventfs_inode *eventfs_create_dir(const char *name, struct eventfs_inode
>
> /* Was the parent freed? */
> if (list_empty(&ei->list)) {
> + mutex_lock(&eventfs_mutex);
> cleanup_ei(ei);
> + mutex_unlock(&eventfs_mutex);
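Review bot: the list_empty(&ei->list) test that decides whether cleanup_ei() runs is still evaluated outside the new mutex_lock(&eventfs_mutex)/mutex_unlock() pair, so if the lock is meant to serialize against the parent being torn down, the check has to move inside the critical section as well; if it is not, the lock around cleanup_ei() protects nothing and should go, with a comment stating that ei has not been published yet. The context also does not show whether eventfs_mutex may already be held by the caller at this point; mutex_lock() is not recursive, so the changelog should confirm it is not.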
Why do you think this is needed? The ei is not on the list and has not been
made visible. It was just allocated but the parent it was going to be
attached to is about to be freed.
> ei = NULL;
> }
> return ei;
Thanks,
-- Steve
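The point of the call_rcu() versus call_srcu() fix above is that plain RCU and an SRCU instance are separate grace-period domains: a deferred free queued on one domain does not wait for readers sitting in the other. The following is an added userspace model of that mismatch, written for this page; it is not kernel code and not part of the patch. The names rcu_domain, eventfs_srcu, struct eventfs_inode and the 0x6b poison byte are assumptions standing in for the kernel's real RCU/SRCU machinery and slab poisoning, and the single-threaded "callback runs as soon as its own domain has no readers" model is a deliberate simplification of how grace periods complete.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EI_MAGIC    0x65766e74u  /* "evnt": marks a live object in this model */
#define POISON_BYTE 0x6b         /* assumed stand-in for SLUB's POISON_FREE */

/* A grace-period domain. Plain RCU and an SRCU instance are distinct domains:
 * a callback queued on one never waits for readers of the other. */
struct gp_domain {
	const char *name;
	int active_readers;
};

static struct gp_domain rcu_domain   = { "rcu", 0 };           /* call_rcu() side */
static struct gp_domain eventfs_srcu = { "eventfs_srcu", 0 };  /* call_srcu() side */

/* Cut-down stand-in for the kernel's struct eventfs_inode (assumed layout). */
struct eventfs_inode {
	uint32_t magic;
	char name[16];
};

/* Deferred-free queue modelling call_rcu()/call_srcu() callbacks. */
struct deferred {
	struct gp_domain *domain;
	struct eventfs_inode *ei;
};
static struct deferred pending[8];
static int npending;

static void gp_read_lock(struct gp_domain *d)   { d->active_readers++; }
static void gp_read_unlock(struct gp_domain *d) { d->active_readers--; }

static void defer_free(struct gp_domain *d, struct eventfs_inode *ei)
{
	pending[npending].domain = d;
	pending[npending].ei = ei;
	npending++;
}

/* Grace-period processing: a callback runs once *its own* domain has no
 * active readers. Readers in any other domain are not waited for, which is
 * exactly what makes a flavor mismatch a use-after-free. The freed object
 * is poisoned rather than released so the reader can still inspect it. */
static int run_callbacks(void)
{
	int ran = 0, i = 0;

	while (i < npending) {
		if (pending[i].domain->active_readers == 0) {
			memset(pending[i].ei, POISON_BYTE, sizeof(*pending[i].ei));
			pending[i] = pending[--npending];
			ran++;
		} else {
			i++;
		}
	}
	return ran;
}

static bool ei_is_live(const struct eventfs_inode *ei)
{
	return ei->magic == EI_MAGIC;
}

/* One reader holds an eventfs_srcu read-side section while the writer queues
 * the free on writer_domain. Returns true if the reader still saw a live
 * object when it dereferenced ei, false if it observed poisoned memory. */
static bool reader_survives(struct gp_domain *writer_domain)
{
	struct eventfs_inode *ei = calloc(1, sizeof(*ei));
	bool live;

	if (!ei)
		return false;
	ei->magic = EI_MAGIC;
	strcpy(ei->name, "user_event");
	npending = 0;

	gp_read_lock(&eventfs_srcu);   /* reader: eventfs lookup in progress */
	defer_free(writer_domain, ei); /* writer: release_ei() queues the free */
	run_callbacks();               /* grace-period machinery runs meanwhile */
	live = ei_is_live(ei);         /* reader dereferences ei here */
	gp_read_unlock(&eventfs_srcu);

	run_callbacks();               /* drain anything correctly held back */
	free(ei);
	return live;
}

int main(void)
{
	printf("free via %-13s: reader sees %s object\n", rcu_domain.name,
	       reader_survives(&rcu_domain) ? "a live" : "a POISONED");
	printf("free via %-13s: reader sees %s object\n", eventfs_srcu.name,
	       reader_survives(&eventfs_srcu) ? "a live" : "a POISONED");
	return 0;
}
```

With the free queued on rcu_domain the callback fires immediately, because that domain has no readers, and the SRCU reader then dereferences poisoned memory; queued on eventfs_srcu it is held back until the reader's srcu_read_unlock(), which is the behaviour the call_srcu() change restores.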
Thread overview: 26+ messages
2024-07-19 20:47 tracing: user events UAF crash report Mathias Krause
2024-07-20 3:33 ` Dan Carpenter
2024-07-22 11:13 ` Ajay Kaher
2024-07-22 12:08 ` Mathias Krause
2024-07-25 13:33 ` Ajay Kaher
2024-07-25 16:15 ` Ajay Kaher
2024-07-25 16:30 ` Ajay Kaher
2024-07-25 17:10 ` Steven Rostedt
2024-07-25 17:16 ` Steven Rostedt
2024-07-25 18:12 ` Mathias Krause
2024-07-25 19:05 ` Steven Rostedt
2024-07-25 19:42 ` Mathias Krause
2024-07-25 20:15 ` Steven Rostedt
2024-07-25 20:41 ` Mathias Krause
2024-07-25 21:14 ` Steven Rostedt
2024-07-25 21:32 ` Mathias Krause
2024-07-25 23:06 ` Steven Rostedt
2024-07-26 8:25 ` Mathias Krause
2024-07-25 19:53 ` Mathias Krause
2024-07-25 16:48 ` Steven Rostedt
2024-07-23 0:11 ` Steven Rostedt
2024-07-23 12:25 ` [PATCH] eventfs: Don't return NULL in eventfs_create_dir() Mathias Krause
2024-07-23 14:43 ` Steven Rostedt [this message]
2024-07-23 20:54 ` tracing: user events UAF crash report Mathias Krause
2024-07-23 21:07 ` [PATCH] eventfs: Use SRCU for freeing eventfs_inodes Mathias Krause
2024-07-23 21:23 ` Steven Rostedt