lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190405113304.GA28420@kroah.com>
Date:   Fri, 5 Apr 2019 13:33:04 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Gaurav Kohli <gkohli@...eaurora.org>
Cc:     tj@...nel.org, linux-kernel@...r.kernel.org,
        linux-arm-msm@...r.kernel.org, Mukesh Ojha <mojha@...eaurora.org>
Subject: Re: [PATCH v0] kernfs: Skip kernfs_put of parent from child node

On Fri, Apr 05, 2019 at 04:51:07PM +0530, Gaurav Kohli wrote:
> While adding kernfs node for child to the parent kernfs
> node and when child node founds that parent kn count is
> zero, then below comes like:
> 
> WARNING: fs/kernfs/dir.c:494 kernfs_get+0x64/0x88
> 
> This indicates that parent is in kernfs_put path/ or already
> freed, and if the child node keeps continue to
> make new kernfs node, then there is chance of
> below race for parent node:
> 
> CPU0				         CPU1
> //Parent node			         //child node
> kernfs_put
> atomic_dec_and_test(&kn->count)
> //count is 0, so continue
> 					  kernfs_new_node(child)
> 					  kernfs_get(parent);
> 					  //increment parent count to 1
> 					  //warning come as parent count is 0
> 					  /* link in */
> 					  kernfs_add_one(kn);
> 					  // this should fail as parent is
> 					  //in free path.
> 					  kernfs_put(child)
> kmem_cache_free(parent)
> 					  kmem_cache_free(child)
> 					  kn = parent
> 					  atomic_dec_and_test(&kn->count))
> 					  //this is 0 now, so release will
> 					  continue for parent.
> 					  kmem_cache_free(parent)
> 
> To prevent this race, child simply has to decrement count of parent
> kernfs node and keep continue the free path for itself.
> 
> Signed-off-by: Gaurav Kohli <gkohli@...eaurora.org>
> Signed-off-by: Mukesh Ojha <mojha@...eaurora.org>
> 
> diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
> index b84d635..d5a36e8 100644
> --- a/fs/kernfs/dir.c
> +++ b/fs/kernfs/dir.c
> @@ -515,7 +515,6 @@ void kernfs_put(struct kernfs_node *kn)
>  	if (!kn || !atomic_dec_and_test(&kn->count))
>  		return;
>  	root = kernfs_root(kn);
> - repeat:
>  	/*
>  	 * Moving/renaming is always done while holding reference.
>  	 * kn->parent won't change beneath us.
> @@ -545,8 +544,8 @@ void kernfs_put(struct kernfs_node *kn)
>  
>  	kn = parent;
>  	if (kn) {
> -		if (atomic_dec_and_test(&kn->count))
> -			goto repeat;
> +	/* Parent may be on free path, so simply decrement the count */

That's the wrong indentation :(

And how are you hitting this issue?  What user of kernfs is causing
this?

thanks,

greg k-h

Powered by blists - more mailing lists