| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230926212515.GN800259@ZenIV>
Date: Tue, 26 Sep 2023 22:25:15 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Christoph Hellwig <hch@....de>
Cc: Christian Brauner <brauner@...nel.org>,
Heiko Carstens <hca@...ux.ibm.com>,
Vasily Gorbik <gor@...ux.ibm.com>,
Alexander Gordeev <agordeev@...ux.ibm.com>,
Fenghua Yu <fenghua.yu@...el.com>,
Reinette Chatre <reinette.chatre@...el.com>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Richard Weinberger <richard@....at>,
Vignesh Raghavendra <vigneshr@...com>,
Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>,
Tejun Heo <tj@...nel.org>,
Trond Myklebust <trond.myklebust@...merspace.com>,
Anna Schumaker <anna@...nel.org>,
Kees Cook <keescook@...omium.org>,
Damien Le Moal <dlemoal@...nel.org>,
Naohiro Aota <naohiro.aota@....com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-s390@...r.kernel.org, linux-rdma@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-hardening@...r.kernel.org,
cgroups@...r.kernel.org
Subject: Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super
On Tue, Sep 26, 2023 at 11:38:34AM +0200, Christoph Hellwig wrote:
> How?
>
> Old sequence before his patch:
>
> deactivate_locked_super()
> -> kill_anon_super()
> -> generic_shutdown_super()
> -> kill_super_notify()
> -> free_anon_bdev()
> -> kill_super_notify()
>
> New sequence with this patch:
>
> deactivate_locked_super()
> -> generic_shutdown_super()
> -> kill_super_notify()
> -> free_anon_bdev()
>
Before your patch: foo_kill_super() calls kill_anon_super(),
which calls kill_super_notify(), which removes the sucker from
the list, then frees ->s_fs_info. After your patch:
removal from the lists happens via the call of kill_super_notify()
*after* both of your methods had been called, while freeing
->s_fs_info happens from the method call. IOW, you've restored
the situation prior to "super: ensure valid info". The whole
point of that commit had been to make sure that we have nothing
in the lists with ->s_fs_info pointing to a freed object.
It's not about free_anon_bdev(); that part is fine - it's the
"we can drop the weird second call site of kill_super_notify()"
thing that is broken.
Al, still slogging through the rcu pathwalk races in the methods...
The latest catch: nfs_set_verifier() can get called on a dentry
that had just been seen to have positive parent, but is not
pinned down.
grab ->d_lock; OK, we know that dentry won't get freed under us
fetch ->d_parent->d_inode
pass that to nfs_verify_change_attribute()
... which assumes that inode it's been given is not NULL. Normally it
would've been - ->d_lock stabilizes ->d_parent, and negative dentries
obviously have no children. Except that we might've been just hit
by dentry_kill() due to eviction on memory pressure, got ->d_lock
right after that and proceeded to play with ->d_parent, just as
that parent is going through dentry_kill() from the same eviction on
memory pressure... If it gets to dentry_unlink_inode() before we get to
fetching ->d_parent->d_inode, nfs_verify_change_attribute(NULL, whatever)
is going to oops...
Powered by blists - more mailing lists