From: Coiby Xu <coiby.xu@gmail.com>
To: Sourabh Jain <sourabhjain@linux.ibm.com>
Cc: kexec@lists.infradead.org,
Andrew Morton <akpm@linux-foundation.org>,
Baoquan He <baoquan.he@linux.dev>,
Dave Young <ruirui.yang@linux.dev>,
Mike Rapoport <rppt@kernel.org>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Pratyush Yadav <pratyush@kernel.org>, Coiby Xu <coxu@redhat.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall
Date: Fri, 8 May 2026 21:08:39 +0800 [thread overview]
Message-ID: <af3dlOG-X9geaP8w@Rk> (raw)
In-Reply-To: <b6a29516-ff17-4a36-b90c-812160fa8d19@linux.ibm.com>
On Wed, May 06, 2026 at 07:26:16PM +0530, Sourabh Jain wrote:
>
>
>On 02/05/26 05:13, Coiby Xu wrote:
>>If writing to the configfs group happens concurrently during
>>kexec_file_load syscall, it may lead to the following issues,
>> - buffer overflow if dm-crypt keys are added after allocation
>> - stale total_keys if dm-crypt keys are removed during iteration
>> - keys_header will not be freed if config/crash_dm_crypt_key/reuse is
>> set true
>>
>>So hold config_keys_subsys.su_mutex for the entire sequence during the
>>kexec_file_load syscall to ensure a consistent snapshot.
>
>
>Yes, this will solve many synchronization problems when a user tries to
>perform any operation under our configfs_subsystem while the kernel is
>executing the kexec_file_load system call.
>
>Now, regarding the third point about freeing key_header: this will work
>only if configfs takes the su_mutex lock before invoking the store callback.
>I am not sure whether it actually does.
I can confirm configfs will automatically acquire the su_mutex lock when
creating configfs item. But I forgot to try if writing to an item will
also acquire the mutux lock. I'll do an experiment and share the result
later.
>
>However, based on my previous comment on (2/9), if we keep
>config_keys_reuse_store()
>under the kexec lock, this will be taken care of. This is because the entire
>kexec_file_load system call already runs under the kexec lock.
>
>
>>
>>Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
>>Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
>>---
>> kernel/crash_dump_dm_crypt.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>>diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c
>>index 4d8a3331bbe7..6377ee86ec50 100644
>>--- a/kernel/crash_dump_dm_crypt.c
>>+++ b/kernel/crash_dump_dm_crypt.c
>>@@ -429,6 +429,7 @@ int crash_load_dm_crypt_keys(struct kimage *image)
>> };
>> int r = 0;
>>+ mutex_lock(&config_keys_subsys.su_mutex);
>> if (key_count <= 0) {
>> kexec_dprintk("No dm-crypt keys\n");
>>@@ -479,6 +480,9 @@ void kexec_file_post_load_cleanup_dm_crypt(struct kimage *image)
>> kfree_sensitive(keys_header);
>> keys_header = NULL;
>> }
>>+
>>+ if (mutex_is_locked(&config_keys_subsys.su_mutex))
>>+ mutex_unlock(&config_keys_subsys.su_mutex);
>How about release the lock in crash_load_dm_crypt_keys() itself? Given
>that config_keys_reuse_store() is placed under kexec lock?
Thanks for proposing another solution! I'll give a try and make a
comparison.
--
Best regards,
Coiby
next prev parent reply other threads:[~2026-05-08 13:15 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260501234342.2518281-1-coiby.xu@gmail.com>
[not found] ` <20260501234342.2518281-3-coiby.xu@gmail.com>
2026-05-06 12:28 ` [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header Sourabh Jain
2026-05-08 12:33 ` Coiby Xu
2026-05-08 20:06 ` Sourabh Jain
2026-05-10 0:14 ` Coiby Xu
[not found] ` <20260501234342.2518281-4-coiby.xu@gmail.com>
2026-05-06 13:56 ` [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall Sourabh Jain
2026-05-08 13:08 ` Coiby Xu [this message]
[not found] ` <20260501234342.2518281-5-coiby.xu@gmail.com>
2026-05-06 14:18 ` [PATCH v2 4/9] crash_dump: Read the number of dm-crypt keys from reserved memory Sourabh Jain
[not found] ` <20260501234342.2518281-8-coiby.xu@gmail.com>
2026-05-06 14:33 ` [PATCH v2 7/9] crash_dump: Improve readability of config_keys_restore_store Sourabh Jain
[not found] ` <20260501234342.2518281-9-coiby.xu@gmail.com>
2026-05-06 16:09 ` [PATCH v2 8/9] crash_dump: Disallow configfs/crash_dm_crypt_key/reuse if CONFIG_CRASH_HOTPLUG enabled Sourabh Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af3dlOG-X9geaP8w@Rk \
--to=coiby.xu@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=baoquan.he@linux.dev \
--cc=coxu@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pasha.tatashin@soleen.com \
--cc=pratyush@kernel.org \
--cc=rppt@kernel.org \
--cc=ruirui.yang@linux.dev \
--cc=sourabhjain@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox