lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20220103114931.uup7lw3d4pj7yrrx@work>
Date:   Mon, 3 Jan 2022 12:49:31 +0100
From:   Lukas Czerner <lczerner@...hat.com>
To:     Theodore Ts'o <tytso@....edu>
Cc:     linux-ext4@...r.kernel.org, kernel test robot <lkp@...el.com>
Subject: Re: [tytso-ext4:dev] BUILD REGRESSION
 cc5fef71a1c741473eebb1aa6f7056ceb49bc33d

On Sun, Dec 26, 2021 at 08:12:47PM -0500, Theodore Ts'o wrote:
> On Sat, Dec 25, 2021 at 11:27:04PM +0800, kernel test robot wrote:
> > tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
> > branch HEAD: cc5fef71a1c741473eebb1aa6f7056ceb49bc33d  ext4: replace snprintf in show functions with sysfs_emit
> > 
> > Error/Warning reports:
> > 
> > https://lore.kernel.org/linux-ext4/202112101722.3Kpomg0h-lkp@intel.com
> > 
> > possible Error/Warning in current branch (please contact us if interested):
> > 
> > fs/ext4/super.c:2640:22-40: ERROR: reference preceded by free on line 2639
> 
> The Intel test robot mis-identified the commit which introduced this
> problem (it looks like the first commit with the problem is commit
> e6e268cb6822 ("ext4: move quota configuration out of
> handle_mount_opt()"), but it caused me to take a closer look, and this
> looks... wrong.
> 
> From ext4_apply_quota_options() in fs/extr4/super.c:
> 
> 			qname = ctx->s_qf_names[i]; /* May be NULL */
> 			ctx->s_qf_names[i] = NULL;
> 			kfree(sbi->s_qf_names[i]);
> 			rcu_assign_pointer(sbi->s_qf_names[i], qname);
> 			set_opt(sb, QUOTA);
> 
> sbi->s_qf_names[i] is an RCU protected pointer, which is used via
> rcu_derference().  So how can it be safe to kfree() the pointer;
> should that be kfree_rcu() at the very least?
> 
> Lukas, can you take a look and let me know?   Thanks!
> 
>        	       	      	       	      - Ted

Hi Ted,

yes indeed this is a bug. Something like this untested patch should fix
it I believe.

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index b72d989b77fb..6f52609a334c 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2633,8 +2633,10 @@ static void ext4_apply_quota_options(struct fs_context *fc,

                        qname = ctx->s_qf_names[i]; /* May be NULL */
                        ctx->s_qf_names[i] = NULL;
-                       kfree(sbi->s_qf_names[i]);
-                       rcu_assign_pointer(sbi->s_qf_names[i], qname);
+                       qname = rcu_replace_pointer(sbi->s_qf_names[i], qname,
+                                               lockdep_is_held(&sb->s_umount));
+                       if (qname)
+                               kfree_rcu(qname);
                        set_opt(sb, QUOTA);
                }
        }


There is also a question of the other warning where we pass the pointer
to strcmp which we should silence as well. I'll send a proper patch.

Thanks!
-Lukas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ