lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <55784305.4040309@universe-factory.net>
Date:	Wed, 10 Jun 2015 16:00:37 +0200
From:	Matthias Schiffer <mschiffer@...verse-factory.net>
To:	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
CC:	Lisa Du <cldu@...vell.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: A race condition between debugfs and seq_file operation

On 06/10/2015 07:20 AM, gregkh@...uxfoundation.org wrote:
> On Wed, Jun 10, 2015 at 05:00:03AM +0000, Lisa Du wrote:
>>> -----Original Message-----
>>> From: gregkh@...uxfoundation.org [mailto:gregkh@...uxfoundation.org]
>>> Sent: 2015年6月10日 5:12
>>> To: Lisa Du
>>> Cc: linux-kernel@...r.kernel.org
>>> Subject: Re: A race condition between debugfs and seq_file operation
>>>
>>> On Mon, Jun 08, 2015 at 04:28:10AM +0000, Lisa Du wrote:
>>>> Hi, All
>>>> Recently I met one race condition related to debugfs.
>>>>
>>>> Take an example from ion.c in kernel3.14:
>>>> static int ion_debug_client_open(struct inode *inode, struct file
>>>> *file) {
>>>> 	return single_open(file, ion_debug_client_show, inode->i_private); }
>>>>
>>>> static const struct file_operations debug_client_fops = {
>>>> 	.open = ion_debug_client_open,
>>>> 	.read = seq_read,
>>>> 	.llseek = seq_lseek,
>>>> 	.release = single_release,
>>>> };
>>>> client->debug_root = debugfs_create_file(client->display_name, 0664,
>>>> 					dev->clients_debug_root,
>>>> 					client, &debug_client_fops);
>>>>
>>>> I find during I read the debugfs node, driver can do
>>>> debugfs_remove_recursive(dentry); Is it expected?
>>>
>>> Yes.  Well, not "expected", but a mess, yes.
>>>
>>> Removing debugfs files are known to have lots of races, this isn't the only
>>> one :(
>> Thanks for the reply! 
>> Not sure if there is any plan to resolve such races in the future?
> 
> Yes, I have "plans", but it's on my very long todo list behind lots of
> other things...
> 
> If you want to look into it, please, that would be wonderful.
> 
> thanks,
> 
> greg k-h

I've stumbled across related issues a few days ago (mostly in network
drivers). What I've found out:

* I couldn't find any driver using device-specific debugfs files
removing them in a race-free way
* Userspace can make the race window arbitrarily large by opening a
debugfs file and reading from it later:

  modprobe batman-adv
  modprobe dummy
  echo bat0 > /sys/class/net/dummy0/batman_adv/mesh_iface
  (sleep 5; cat) < /sys/kernel/debug/batman_adv/bat0/originators &
  echo none > /sys/class/net/dummy0/batman_adv/mesh_iface
  # When the sleep finishs, batman-adv will read from a freed net_device

* There also seems to be a bug debugfs_remove_recursive hanging when
removing subdirectories with files that are still open:

  modprobe mac80211_hwsim
  # Or whatever phyX the hwsim PHY is
  (sleep 5; cat) < \
  /sys/kernel/debug/ieee80211/phy0/statistics/retry_count &
  rmmod mac80211_hwsim
  # Will hang in wiphy_unregister() until the sleep finishes,
  # with RTNL held!

Is there a sane way to check from the read fops callback if the file has
been removed (and lock against removal while doing that)? The nice
debugfs_create_u32() etc. helpers are useless as well for dynamic files
at the moment as they can't be used without this race condition...

I'd also like to get this cleaned up as soon as possible as changes I
plan for batman-adv might make the issue more prominent there.

Matthias


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ