From: Sourabh Jain <sourabhjain@linux.ibm.com>
To: Coiby Xu <coiby.xu@gmail.com>, kexec@lists.infradead.org
Cc: Andrew Morton <akpm@linux-foundation.org>,
Baoquan He <baoquan.he@linux.dev>,
Dave Young <ruirui.yang@linux.dev>,
Mike Rapoport <rppt@kernel.org>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
Pratyush Yadav <pratyush@kernel.org>, Coiby Xu <coxu@redhat.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall
Date: Wed, 6 May 2026 19:26:16 +0530 [thread overview]
Message-ID: <b6a29516-ff17-4a36-b90c-812160fa8d19@linux.ibm.com> (raw)
In-Reply-To: <20260501234342.2518281-4-coiby.xu@gmail.com>
On 02/05/26 05:13, Coiby Xu wrote:
> If writing to the configfs group happens concurrently during
> kexec_file_load syscall, it may lead to the following issues,
> - buffer overflow if dm-crypt keys are added after allocation
> - stale total_keys if dm-crypt keys are removed during iteration
> - keys_header will not be freed if config/crash_dm_crypt_key/reuse is
> set true
>
> So hold config_keys_subsys.su_mutex for the entire sequence during the
> kexec_file_load syscall to ensure a consistent snapshot.
Yes, this will solve many synchronization problems when a user tries to
perform any operation under our configfs_subsystem while the kernel is
executing the kexec_file_load system call.
Now, regarding the third point about freeing key_header: this will work
only if configfs takes the su_mutex lock before invoking the store callback.
I am not sure whether it actually does.
However, based on my previous comment on (2/9), if we keep
config_keys_reuse_store()
under the kexec lock, this will be taken care of. This is because the entire
kexec_file_load system call already runs under the kexec lock.
>
> Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
> kernel/crash_dump_dm_crypt.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c
> index 4d8a3331bbe7..6377ee86ec50 100644
> --- a/kernel/crash_dump_dm_crypt.c
> +++ b/kernel/crash_dump_dm_crypt.c
> @@ -429,6 +429,7 @@ int crash_load_dm_crypt_keys(struct kimage *image)
> };
> int r = 0;
>
> + mutex_lock(&config_keys_subsys.su_mutex);
>
> if (key_count <= 0) {
> kexec_dprintk("No dm-crypt keys\n");
> @@ -479,6 +480,9 @@ void kexec_file_post_load_cleanup_dm_crypt(struct kimage *image)
> kfree_sensitive(keys_header);
> keys_header = NULL;
> }
> +
> + if (mutex_is_locked(&config_keys_subsys.su_mutex))
> + mutex_unlock(&config_keys_subsys.su_mutex);
How about release the lock in crash_load_dm_crypt_keys() itself? Given
that config_keys_reuse_store() is placed under kexec lock?
- Sourabh Jain
> }
>
> static int __init configfs_dmcrypt_keys_init(void)
next prev parent reply other threads:[~2026-05-06 13:56 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260501234342.2518281-1-coiby.xu@gmail.com>
2026-05-01 23:43 ` [PATCH v2 1/9] crash_dump: Release reference to a keyring at correct time Coiby Xu
2026-05-01 23:43 ` [PATCH v2 2/9] crash_dump: Fix potential double free and UAF of keys_header Coiby Xu
2026-05-06 12:28 ` Sourabh Jain
2026-05-01 23:43 ` [PATCH v2 3/9] crash_dump: Disallow writing to dm-crypt configfs during kexec_file_load syscall Coiby Xu
2026-05-06 13:56 ` Sourabh Jain [this message]
2026-05-01 23:43 ` [PATCH v2 4/9] crash_dump: Read the number of dm-crypt keys from reserved memory Coiby Xu
2026-05-06 14:18 ` Sourabh Jain
2026-05-01 23:43 ` [PATCH v2 5/9] crash_dump: Free temporary dm-crypt keys_header buffer in kdump kernel Coiby Xu
2026-05-01 23:43 ` [PATCH v2 6/9] crash_dump: Only use kexec_dprintk during the kexec_file_load syscall Coiby Xu
2026-05-01 23:43 ` [PATCH v2 7/9] crash_dump: Improve readability of config_keys_restore_store Coiby Xu
2026-05-06 14:33 ` Sourabh Jain
2026-05-01 23:43 ` [PATCH v2 8/9] crash_dump: Disallow configfs/crash_dm_crypt_key/reuse if CONFIG_CRASH_HOTPLUG enabled Coiby Xu
2026-05-06 16:09 ` Sourabh Jain
2026-05-01 23:43 ` [PATCH v2 9/9] Documentation: kdump: Add arm64 and ppc64le to encrypted dump target support list Coiby Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b6a29516-ff17-4a36-b90c-812160fa8d19@linux.ibm.com \
--to=sourabhjain@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=baoquan.he@linux.dev \
--cc=coiby.xu@gmail.com \
--cc=coxu@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pasha.tatashin@soleen.com \
--cc=pratyush@kernel.org \
--cc=rppt@kernel.org \
--cc=ruirui.yang@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox