lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 23 Jul 2021 13:15:49 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Luis Chamberlain <mcgrof@...nel.org>
Cc:     akpm@...ux-foundation.org, minchan@...nel.org, jeyu@...nel.org,
        ngupta@...are.org, sergey.senozhatsky.work@...il.com,
        rafael@...nel.org, axboe@...nel.dk, tj@...nel.org, mbenes@...e.com,
        jpoimboe@...hat.com, tglx@...utronix.de, keescook@...omium.org,
        jikos@...nel.org, rostedt@...dmis.org, peterz@...radead.org,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 2/3] zram: fix deadlock with sysfs attribute usage and
 module removal

On Thu, Jul 22, 2021 at 03:17:05PM -0700, Luis Chamberlain wrote:
> On Wed, Jul 21, 2021 at 01:29:29PM +0200, Greg KH wrote:
> > On Fri, Jul 02, 2021 at 05:19:57PM -0700, Luis Chamberlain wrote:
> > > +#define MODULE_DEVICE_ATTR_FUNC_STORE(_name) \
> > > +static ssize_t module_ ## _name ## _store(struct device *dev, \
> > > +				   struct device_attribute *attr, \
> > > +				   const char *buf, size_t len) \
> > > +{ \
> > > +	ssize_t __ret; \
> > > +	if (!try_module_get(THIS_MODULE)) \
> > > +		return -ENODEV; \
> > 
> > I feel like this needs to be written down somewhere as I see it come up
> > all the time.
> 
> I'll go ahead and cook up a patch to do just this after I send this
> email out.
> 
> > Again, this is racy and broken code.  You can NEVER try to increment
> > your own module reference count unless it has already been incremented
> > by someone external first.
> 
> In the zram driver's case the sysfs files are still pegged on, because
> as we noted before the kernfs active reference will ensure the store
> operation still exists.

How does that happen without a module lock?

> If the driver removes the operation prior to
> getting the active reference, the write will just fail. kernfs ensures
> once a file is opened the op is not removed until the operation completes.

How does it do that?

> If a file is opened then, the module cannot possibly be removed. The
> piece of information we realy care about is the use of module_is_live()
> inside try_module_get() which does:
> 
> static inline bool module_is_live(struct module *mod)
> {                                                                               
> 	return mod->state != MODULE_STATE_GOING;
> }
> 
> The try allows module removal to trump use of the sysfs file. If
> userspace wants the module removed, it gives up in favor for that
> operation.

I do not see the tie in kernfs to module reference counts, what am I
missing?

thanks,

greg k-h

Powered by blists - more mailing lists