lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 May 2020 18:15:10 -0700 From: Bart Van Assche <bvanassche@....org> To: Luis Chamberlain <mcgrof@...nel.org>, Christoph Hellwig <hch@...radead.org> Cc: axboe@...nel.dk, viro@...iv.linux.org.uk, gregkh@...uxfoundation.org, rostedt@...dmis.org, mingo@...hat.com, jack@...e.cz, ming.lei@...hat.com, nstange@...e.de, akpm@...ux-foundation.org, mhocko@...e.com, yukuai3@...wei.com, linux-block@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org, Omar Sandoval <osandov@...com>, Hannes Reinecke <hare@...e.com>, Michal Hocko <mhocko@...nel.org>, syzbot+603294af2d01acfdd6da@...kaller.appspotmail.com Subject: Re: [PATCH v5 5/7] blktrace: fix debugfs use after free On 2020-05-26 20:12, Luis Chamberlain wrote: > + /* > + * Blktrace needs a debugsfs name even for queues that don't register > + * a gendisk, so it lazily registers the debugfs directory. But that > + * can get us into a situation where a SCSI device is found, with no > + * driver for it (yet). Then blktrace is used on the device, creating > + * the debugfs directory, and only after that a drivers is loaded. In ^^^^^^^ driver? > @@ -494,6 +490,38 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev, > */ > strreplace(buts->name, '/', '_'); > > + /* > + * We also have to use a partition directory if a partition is > + * being worked on, even though the same request_queue is shared. > + */ > + if (bdev && bdev != bdev->bd_contains) > + dir = bdev->bd_part->debugfs_dir; Please balance braces in if-statements as required by the kernel coding style. > + else { > + /* > + * For queues that do not have a gendisk attached to them, the > + * debugfs directory will not have been created at setup time. > + * Create it here lazily, it will only be removed when the > + * queue is torn down. > + */ Is the above comment perhaps a reference to blk_register_queue()? If so, please mention the name of that function explicitly. > + if (!q->debugfs_dir) { > + q->debugfs_dir = > + debugfs_create_dir(buts->name, > + blk_debugfs_root); > + } > + dir = q->debugfs_dir; > + } > + > + /* > + * As blktrace relies on debugfs for its interface the debugfs directory > + * is required, contrary to the usual mantra of not checking for debugfs > + * files or directories. > + */ > + if (IS_ERR_OR_NULL(q->debugfs_dir)) { > + pr_warn("debugfs_dir not present for %s so skipping\n", > + buts->name); > + return -ENOENT; > + } How are do_blk_trace_setup() calls serialized against the debugfs directory creation code in blk_register_queue()? Perhaps via q->blk_trace_mutex? Are mutex lock and unlock calls for that mutex perhaps missing from compat_blk_trace_setup()? How about adding a lockdep_assert_held(&q->blk_trace_mutex) statement in do_blk_trace_setup()? Thanks, Bart.
Powered by blists - more mailing lists