• J
    gfs2: use-after-free in sysfs deregistration · c2a04b02
    Jamie Iles 提交于
    syzkaller found the following splat with CONFIG_DEBUG_KOBJECT_RELEASE=y:
    
      Read of size 1 at addr ffff000028e896b8 by task kworker/1:2/228
    
      CPU: 1 PID: 228 Comm: kworker/1:2 Tainted: G S                5.9.0-rc8+ #101
      Hardware name: linux,dummy-virt (DT)
      Workqueue: events kobject_delayed_cleanup
      Call trace:
       dump_backtrace+0x0/0x4d8
       show_stack+0x34/0x48
       dump_stack+0x174/0x1f8
       print_address_description.constprop.0+0x5c/0x550
       kasan_report+0x13c/0x1c0
       __asan_report_load1_noabort+0x34/0x60
       memcmp+0xd0/0xd8
       gfs2_uevent+0xc4/0x188
       kobject_uevent_env+0x54c/0x1240
       kobject_uevent+0x2c/0x40
       __kobject_del+0x190/0x1d8
       kobject_delayed_cleanup+0x2bc/0x3b8
       process_one_work+0x96c/0x18c0
       worker_thread+0x3f0/0xc30
       kthread+0x390/0x498
       ret_from_fork+0x10/0x18
    
      Allocated by task 1110:
       kasan_save_stack+0x28/0x58
       __kasan_kmalloc.isra.0+0xc8/0xe8
       kasan_kmalloc+0x10/0x20
       kmem_cache_alloc_trace+0x1d8/0x2f0
       alloc_super+0x64/0x8c0
       sget_fc+0x110/0x620
       get_tree_bdev+0x190/0x648
       gfs2_get_tree+0x50/0x228
       vfs_get_tree+0x84/0x2e8
       path_mount+0x1134/0x1da8
       do_mount+0x124/0x138
       __arm64_sys_mount+0x164/0x238
       el0_svc_common.constprop.0+0x15c/0x598
       do_el0_svc+0x60/0x150
       el0_svc+0x34/0xb0
       el0_sync_handler+0xc8/0x5b4
       el0_sync+0x15c/0x180
    
      Freed by task 228:
       kasan_save_stack+0x28/0x58
       kasan_set_track+0x28/0x40
       kasan_set_free_info+0x24/0x48
       __kasan_slab_free+0x118/0x190
       kasan_slab_free+0x14/0x20
       slab_free_freelist_hook+0x6c/0x210
       kfree+0x13c/0x460
    
    Use the same pattern as f2fs + ext4 where the kobject destruction must
    complete before allowing the FS itself to be freed.  This means that we
    need an explicit free_sbd in the callers.
    
    Cc: Bob Peterson <rpeterso@redhat.com>
    Cc: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: NJamie Iles <jamie@nuviainc.com>
    [Also go to fail_free when init_names fails.]
    Signed-off-by: NAndreas Gruenbacher <agruenba@redhat.com>
    c2a04b02
incore.h 23.9 KB