A concurrency bug between configfs_dir_lseek() and configfs_lookup()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

We found a concurrency bug in linux 5.12-rc3 and we are able to reproduce it under x86. This bug happens when the two configfs functions configfs_dir_lseek() and configfs_lookup() are running in parallel. configfs_dir_lseek() is deleting an entry while configfs_lookup() is accessing that entry, as shown in below. 

------------------------------------------
Execution interleaving

Thread 1								Thread 2
configfs_dir_lseek()						configfs_lookup()
									
										if (!configfs_dirent_is_ready(parent_sd))
										// configfs_dirent_lock is released after configfs_dirent_is_ready()
										list_for_each_entry(sd, &parent_sd->s_children, s_sibling)


spin_lock(&configfs_dirent_lock);
list_del(&cursor->s_sibling);
										list_for_each_entry(sd, &parent_sd->s_children, s_sibling)
										// error happens

------------------------------------------
Impact & fix

Eventually, this bug can cause a kernel NULL pointer dereference error, as attached below. We think a potential fix is to use list_for_each_entry_safe() instead of list_for_each_entry() in configfs_lookup().

------------------------------------------
Console output

[ 809.642609][T10805] BUG: kernel NULL pointer dereference, address: 00000118
[  810.198062][T10805] #PF: supervisor read access in kernel mode
[  810.836171][T10805] #PF: error_code(0x0000) - not-present page
[  811.361680][T10805] *pde = 00000000
[  811.869905][T10805] Oops: 0000 [#1] PREEMPT SMP
[  812.386532][T10805] CPU: 1 PID: 10805 Comm: executor Not tainted 5.12.0-rc3 #3
[  813.377094][T10805] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[  813.896812][T10805] EIP: configfs_lookup+0x44/0x1a0
[  814.431935][T10805] Code: 01 b8 f8 15 2f c4 8b 5f 20 e8 08 fd bb 01 b9 fe ff ff ff 81 e3 00 04 00 00 85 db 75 2f 8b 47 10 83 c7 10 8d 58 f8 39 c7 74 10 <f6> 43 20 0c 75 26 8b 43 08 8d 58 f8 39 c7 75 f0 81 7e 18 ff 00 00
[  815.925387][T10805] EAX: 00000100 EBX: 000000f8 ECX: fffffffe EDX: c10d1cb0
[  816.450272][T10805] ESI: cd029900 EDI: c3c50930 EBP: cf54ff04 ESP: cf54fef4
[  816.986662][T10805] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000286
[  818.033135][T10805] CR0: 80050033 CR2: 00000118 CR3: 0efd3000 CR4: 00000690
[  818.567560][T10805] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  819.109192][T10805] DR6: 00000000 DR7: 00000000
[  819.666769][T10805] Call Trace:
[  820.179775][T10805]  __lookup_hash+0x50/0x80
[  820.702414][T10805]  filename_create+0x70/0x130
[  821.238903][T10805]  do_symlinkat+0x4e/0x100
[  821.776290][T10805]  __ia32_sys_symlinkat+0x10/0x20
[  822.375670][T10805]  __do_fast_syscall_32+0x40/0x70
[  823.000644][T10805]  do_fast_syscall_32+0x29/0x60
[  823.494806][T10805]  do_SYSENTER_32+0x15/0x20



Thanks,
Sishuai





[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux