Re: [PATCH 1/2] sysfs: fix race between readdir and lseek

On Tue, Mar 26, 2013 at 10:03 PM, Ming Lei <ming.lei@xxxxxxxxxxxxx> wrote:
>
> If you mean the test code on link[1], I can't reproduce the
> warning with the two sysfs fix patches in a 4 hours' test.
>
> [1], https://patchwork.kernel.org/patch/2160771/

You are right, it looks like it is not a problem just in theory, and I can
reproduce it now with your test code by the following steps:

- load all modules
- run your test code on the directory '/sys/module'
- then the use after free can be observed after minutes (a bit easier with
the debug code below [1])

Previously, I couldn't reproduce it because I only tested on one specific
unused module directory.

[1], debug code
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -280,6 +280,11 @@ void release_sysfs_dirent(struct sysfs_dirent * sd)
 	 * sd->s_parent won't change beneath us.
 	 */
 	parent_sd = sd->s_parent;
+	if(!(sd->s_flags & SYSFS_FLAG_REMOVED)) {
+		printk("%s-%d sysfs_dirent use after free: %s-%s\n",
+			__func__, __LINE__, parent_sd->s_name, sd->s_name);
+		dump_stack();
+	}
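Review bot: the printk() added in this block has no log level, so the message is emitted at the default level; use pr_warn() (or prefix the format with KERN_WARNING) so the debug output is classified, and keep this instrumentation out of the real fix since it only reports the condition rather than preventing it. The print also dereferences parent_sd->s_name unconditionally right after `parent_sd = sd->s_parent;`; if a dirent without a parent can ever reach release_sysfs_dirent(), the debug print itself would oops, so `parent_sd ? parent_sd->s_name : "<none>"` is the safer form.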


The patch below (also attached) can fix the issue.
--
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index 79a0fd2..484f25e 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1022,6 +1022,7 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
 	enum kobj_ns_type type;
 	const void *ns;
 	ino_t ino;
+	loff_t off;

 	type = sysfs_ns_type(parent_sd);
 	ns = sysfs_info(dentry->d_sb)->ns[type];
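Review bot: the new `loff_t off;` is declared without a comment, and its role (a local snapshot of the directory position handed to filldir and compared against filp->f_pos at EOF) is only discoverable from the later hunks; a one-line comment at the declaration would save the next reader that search, since the function still reads filp->f_pos directly in other places.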
@@ -1044,6 +1045,7 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
 			return 0;
 	}
 	mutex_lock(&sysfs_mutex);
+	off = filp->f_pos;
 	for (pos = sysfs_dir_pos(ns, parent_sd, filp->f_pos, pos);
 	     pos;
 	     pos = sysfs_dir_next_pos(ns, parent_sd, filp->f_pos, pos)) {
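Review bot: the `off = filp->f_pos;` snapshot taken here only matters when the loop body never runs (sysfs_dir_pos() returns NULL on the first lookup), because the first iteration immediately overwrites it with `off = filp->f_pos = pos->s_hash;`; a short comment saying the initial value exists for the EOF check at the end of the function would make that intent clear. Note also that sysfs_dir_pos() and sysfs_dir_next_pos() are still fed `filp->f_pos` rather than `off`, so a concurrent change of f_pos between iterations still steers where the walk resumes; if that is the intended semantics (a seek during readdir takes effect at the next entry) it deserves a sentence in the changelog.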
@@ -1055,19 +1057,24 @@ static int sysfs_readdir(struct file * filp,
void * dirent, filldir_t filldir)
 		len = strlen(name);
 		ino = pos->s_ino;
 		type = dt_type(pos);
-		filp->f_pos = pos->s_hash;
+		off = filp->f_pos = pos->s_hash;
 		filp->private_data = sysfs_get(pos);

 		mutex_unlock(&sysfs_mutex);
-		ret = filldir(dirent, name, len, filp->f_pos, ino, type);
+		ret = filldir(dirent, name, len, off, ino, type);
 		mutex_lock(&sysfs_mutex);
 		if (ret < 0)
 			break;
 	}
 	mutex_unlock(&sysfs_mutex);
-	if ((filp->f_pos > 1) && !pos) { /* EOF */
-		filp->f_pos = INT_MAX;
+
+	/* don't reference last entry if its refcount is dropped */
+	if (!pos) {
 		filp->private_data = NULL;
+
+		/* EOF and not changed as 0 or 1 in read/write path */
+		if (off == filp->f_pos && off > 1)
+			filp->f_pos = INT_MAX;
 	}
 	return 0;
 }
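Review bot: the EOF check `if (off == filp->f_pos && off > 1)` runs after `mutex_unlock(&sysfs_mutex);`, so a concurrent update of filp->f_pos that lands between the comparison and the `filp->f_pos = INT_MAX;` store is still clobbered; if the competing path serializes on sysfs_mutex, move the whole `if (!pos)` block above the unlock, otherwise the comment should state why that residual window is acceptable. The comment "EOF and not changed as 0 or 1 in read/write path" is hard to parse; something like "EOF: only mark INT_MAX if nobody rewound f_pos since we last set it" says what the condition actually tests. Minor style point: `off = filp->f_pos = pos->s_hash;` is a chained assignment that checkpatch flags (MULTIPLE_ASSIGNMENTS); two statements keep it quiet.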



Thanks,
--
Ming Lei

Attachment: sysfs-fix-readdir-v5.patch
Description: Binary data


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]