On Tue, Mar 26, 2013 at 10:03 PM, Ming Lei <ming....@canonical.com> wrote:
>
> If you mean the test code on link[1], I can't reproduce the
> warning with the two sysfs fix patches in 4 hours's test.
>
> [1], https://patchwork.kernel.org/patch/2160771/

You are right, it looks like the problem is not only theoretical, and I can
reproduce it now with your test code by the following steps:

- load all modules
- run your test code on the directory of '/sys/module'
- then the use-after-free can be observed after some minutes (it is a bit
easier to observe with the debug code below [1])

Previously, I couldn't reproduce it because I only tested on one specific
unused module directory.

[1], debug code
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -280,6 +280,11 @@ void release_sysfs_dirent(struct sysfs_dirent * sd)
         * sd->s_parent won't change beneath us.
         */
        parent_sd = sd->s_parent;
+       if(!(sd->s_flags & SYSFS_FLAG_REMOVED)) {
+               printk("%s-%d sysfs_dirent use after free: %s-%s\n",
+                       __func__, __LINE__, parent_sd->s_name, sd->s_name);
+               dump_stack();
+       }


The patch below (also attached) fixes the issue.
--
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index 79a0fd2..484f25e 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1022,6 +1022,7 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
        enum kobj_ns_type type;
        const void *ns;
        ino_t ino;
+       loff_t off;

        type = sysfs_ns_type(parent_sd);
        ns = sysfs_info(dentry->d_sb)->ns[type];
@@ -1044,6 +1045,7 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
                        return 0;
        }
        mutex_lock(&sysfs_mutex);
+       off = filp->f_pos;
        for (pos = sysfs_dir_pos(ns, parent_sd, filp->f_pos, pos);
             pos;
             pos = sysfs_dir_next_pos(ns, parent_sd, filp->f_pos, pos)) {
@@ -1055,19 +1057,24 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
                len = strlen(name);
                ino = pos->s_ino;
                type = dt_type(pos);
-               filp->f_pos = pos->s_hash;
+               off = filp->f_pos = pos->s_hash;
                filp->private_data = sysfs_get(pos);

                mutex_unlock(&sysfs_mutex);
-               ret = filldir(dirent, name, len, filp->f_pos, ino, type);
+               ret = filldir(dirent, name, len, off, ino, type);
                mutex_lock(&sysfs_mutex);
                if (ret < 0)
                        break;
        }
        mutex_unlock(&sysfs_mutex);
-       if ((filp->f_pos > 1) && !pos) { /* EOF */
-               filp->f_pos = INT_MAX;
+
+       /* don't reference last entry if its refcount is dropped */
+       if (!pos) {
                filp->private_data = NULL;
+
+               /* EOF and not changed as 0 or 1 in read/write path */
+               if (off == filp->f_pos && off > 1)
+                       filp->f_pos = INT_MAX;
        }
        return 0;
 }
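Review bot: The comment on the new EOF branch, `/* EOF and not changed as 0 or 1 in read/write path */`, does not say why `off` is compared against `filp->f_pos`, which is the non-obvious part of this hunk: sysfs_mutex is dropped around the filldir() call, so `filp->f_pos` can be rewritten concurrently by the lseek path while `off` is the value this function last stored, and the comparison is what keeps a rewound offset from being overwritten with INT_MAX. I would replace that line with `/* The mutex was dropped around filldir(), so a concurrent lseek() may have reset f_pos to 0 or 1; only advance to INT_MAX when f_pos still holds the last hash we stored in off. */`. It would also help to state on the `if (!pos)` line that clearing private_data must not depend on the offset check, since the loop presumably exits with pos == NULL only after the reference held in private_data was dropped (the "refcount is dropped" comment suggests this, but the put happens outside the hunk). The `off > 1` test relies on real entries having hashes greater than 1, which is not visible here; that assumption is worth a word too. sysfs_readdir begins before this hunk.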



Thanks,
--
Ming Lei

Attachment: sysfs-fix-readdir-v5.patch
Description: Binary data
