lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240509110612.768196-1-leitao@debian.org>
Date: Thu,  9 May 2024 04:06:11 -0700
From: Breno Leitao <leitao@...ian.org>
To: Thomas Gleixner <tglx@...utronix.de>,
	Andrew Morton <akpm@...ux-foundation.org>
Cc: paulmck@...nel.org,
	linux-kernel@...r.kernel.org (open list:DEBUGOBJECTS:)
Subject: [PATCH] debugobjects: Fix potential data race in debug_objects_maxchain

KCSAN has identified a potential data race in debugobjects, where the
global variable debug_objects_maxchain is accessed for both reading and
writing simultaneously in separate and parallel data paths. This results
in the following splat printed by KCSAN:

	BUG: KCSAN: data-race in debug_check_no_obj_freed / debug_object_activate

	write to 0xffffffff847ccfc8 of 4 bytes by task 734 on cpu 41:
	debug_object_activate (lib/debugobjects.c:199
			       lib/debugobjects.c:564 lib/debugobjects.c:710)
	call_rcu (kernel/rcu/rcu.h:227
		  kernel/rcu/tree.c:2719 kernel/rcu/tree.c:2838)
	security_inode_free (security/security.c:1626)
	__destroy_inode (./include/linux/fsnotify.h:222 fs/inode.c:287)
	evict (fs/inode.c:310 fs/inode.c:682)
	iput (fs/inode.c:1769)
	dentry_unlink_inode (fs/dcache.c:401)
	__dentry_kill (fs/dcache.c:?)
	dput (fs/dcache.c:846)
	__fput (fs/file_table.c:431)
	____fput (fs/file_table.c:451)
	task_work_run (kernel/task_work.c:181)
	do_exit (kernel/exit.c:879)
	do_group_exit (kernel/exit.c:1027)
	__pfx___ia32_sys_exit_group (kernel/exit.c:1038)
	x64_sys_call (arch/x86/entry/syscall_64.c:33)
	do_syscall_64 (arch/x86/entry/common.c:?)
	entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

	read to 0xffffffff847ccfc8 of 4 bytes by task 384 on cpu 31:
	debug_check_no_obj_freed (lib/debugobjects.c:1000 lib/debugobjects.c:1019)
	kfree (mm/slub.c:2081 mm/slub.c:4280 mm/slub.c:4390)
	percpu_ref_exit (lib/percpu-refcount.c:147)
	css_free_rwork_fn (kernel/cgroup/cgroup.c:5357)
	process_scheduled_works (kernel/workqueue.c:3272 kernel/workqueue.c:3348)
	worker_thread (./include/linux/list.h:373
			kernel/workqueue.c:955 kernel/workqueue.c:3430)
	kthread (kernel/kthread.c:389)
	ret_from_fork (arch/x86/kernel/process.c:153)
	ret_from_fork_asm (arch/x86/entry/entry_64.S:257)

	value changed: 0x00000070 -> 0x00000071

Include READ_ONCE()/WRITE_ONCE() annotations on the accesses to
debug_objects_maxchain to prevent potential data corruption, explicitly
indicating that this data is shared across two parallel data paths.

Signed-off-by: Breno Leitao <leitao@...ian.org>
---
 lib/debugobjects.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index fb12a9bacd2f..fbd262aa6b29 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -195,8 +195,8 @@ static struct debug_obj *lookup_object(void *addr, struct debug_bucket *b)
 		if (obj->object == addr)
 			return obj;
 	}
-	if (cnt > debug_objects_maxchain)
-		debug_objects_maxchain = cnt;
+	if (cnt > READ_ONCE(debug_objects_maxchain))
+		WRITE_ONCE(debug_objects_maxchain, cnt);
 
 	return NULL;
 }
@@ -997,8 +997,8 @@ static void __debug_check_no_obj_freed(const void *address, unsigned long size)
 		}
 		raw_spin_unlock_irqrestore(&db->lock, flags);
 
-		if (cnt > debug_objects_maxchain)
-			debug_objects_maxchain = cnt;
+		if (cnt > READ_ONCE(debug_objects_maxchain))
+			WRITE_ONCE(debug_objects_maxchain, cnt);
 
 		objs_checked += cnt;
 	}
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ