| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Sep 2023 22:25:15 +0100 From: Al Viro <viro@...iv.linux.org.uk> To: Christoph Hellwig <hch@....de> Cc: Christian Brauner <brauner@...nel.org>, Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, Fenghua Yu <fenghua.yu@...el.com>, Reinette Chatre <reinette.chatre@...el.com>, Miquel Raynal <miquel.raynal@...tlin.com>, Richard Weinberger <richard@....at>, Vignesh Raghavendra <vigneshr@...com>, Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>, Tejun Heo <tj@...nel.org>, Trond Myklebust <trond.myklebust@...merspace.com>, Anna Schumaker <anna@...nel.org>, Kees Cook <keescook@...omium.org>, Damien Le Moal <dlemoal@...nel.org>, Naohiro Aota <naohiro.aota@....com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org, linux-rdma@...r.kernel.org, linux-nfs@...r.kernel.org, linux-hardening@...r.kernel.org, cgroups@...r.kernel.org Subject: Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super On Tue, Sep 26, 2023 at 11:38:34AM +0200, Christoph Hellwig wrote: > How? > > Old sequence before his patch: > > deactivate_locked_super() > -> kill_anon_super() > -> generic_shutdown_super() > -> kill_super_notify() > -> free_anon_bdev() > -> kill_super_notify() > > New sequence with this patch: > > deactivate_locked_super() > -> generic_shutdown_super() > -> kill_super_notify() > -> free_anon_bdev() > Before your patch: foo_kill_super() calls kill_anon_super(), which calls kill_super_notify(), which removes the sucker from the list, then frees ->s_fs_info. After your patch: removal from the lists happens via the call of kill_super_notify() *after* both of your methods had been called, while freeing ->s_fs_info happens from the method call. IOW, you've restored the situation prior to "super: ensure valid info". The whole point of that commit had been to make sure that we have nothing in the lists with ->s_fs_info pointing to a freed object. It's not about free_anon_bdev(); that part is fine - it's the "we can drop the weird second call site of kill_super_notify()" thing that is broken. Al, still slogging through the rcu pathwalk races in the methods... The latest catch: nfs_set_verifier() can get called on a dentry that had just been seen to have positive parent, but is not pinned down. grab ->d_lock; OK, we know that dentry won't get freed under us fetch ->d_parent->d_inode pass that to nfs_verify_change_attribute() ... which assumes that inode it's been given is not NULL. Normally it would've been - ->d_lock stabilizes ->d_parent, and negative dentries obviously have no children. Except that we might've been just hit by dentry_kill() due to eviction on memory pressure, got ->d_lock right after that and proceeded to play with ->d_parent, just as that parent is going through dentry_kill() from the same eviction on memory pressure... If it gets to dentry_unlink_inode() before we get to fetching ->d_parent->d_inode, nfs_verify_change_attribute(NULL, whatever) is going to oops...
Powered by blists - more mailing lists