twx-linux/include
Steven Rostedt (Google) 1a6edfc7be eventfs: Hold eventfs_mutex when calling callback functions
commit 44365329f8219fc379097c2c9a75ff53f123764f upstream.

The callback function that is used to create inodes and dentries is not
protected by anything and the data that is passed to it could become
stale. After eventfs_remove_dir() is called by the tracing system, it is
free to remove the events that are associated to that directory.
Unfortunately, that means the callbacks must not be called after that.

     CPU0				CPU1
     ----				----
 eventfs_root_lookup() {
				 eventfs_remove_dir() {
				      mutex_lock(&event_mutex);
				      ei->is_freed = set;
				      mutex_unlock(&event_mutex);
				 }
				 kfree(event_call);

    for (...) {
      entry = &ei->entries[i];
      r = entry->callback() {
          call = data;		// call == event_call above
          if (call->flags ...)

 [ USE AFTER FREE BUG ]

The safest way to protect this is to wrap the callback with:

 mutex_lock(&eventfs_mutex);
 if (!ei->is_freed)
     r = entry->callback();
 else
     r = -1;
 mutex_unlock(&eventfs_mutex);

This will make sure that the callback will not be called after it is
freed. But now it needs to be known that the callback is called while
holding internal eventfs locks, and that it must not call back into the
eventfs / tracefs system. There's no reason it should anyway, but document
that as well.

Link: https://lore.kernel.org/all/CA+G9fYu9GOEbD=rR5eMR-=HJ8H6rMsbzDC2ZY5=Y50WpWAE7_Q@mail.gmail.com/
Link: https://lkml.kernel.org/r/20231101172649.906696613@goodmis.org

Cc: Ajay Kaher <akaher@vmware.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 5790b1fb3d672 ("eventfs: Remove eventfs_file and just use eventfs_inode")
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-02-23 09:25:21 +01:00
acpi ACPI: PM: Add acpi_device_fix_up_power_children() function 2023-12-03 07:33:07 +01:00
asm-generic linux/init: remove __memexit* annotations 2024-02-23 09:25:03 +01:00
clocksource
crypto crypto: af_alg - Disallow multiple in-flight AIO requests 2024-01-25 15:35:16 -08:00
drm drm: using mul_u32_u32() requires linux/math64.h 2024-02-05 20:14:34 +00:00
dt-bindings dt-bindings: clock: Update the videocc resets for sm8150 2024-01-25 15:35:37 -08:00
keys
kunit
kvm
linux eventfs: Hold eventfs_mutex when calling callback functions 2024-02-23 09:25:21 +01:00
math-emu
media media: v4l2-cci: Add support for little-endian encoded registers 2024-01-31 16:19:10 -08:00
memory
misc
net tls: fix race between async notify and socket close 2024-02-23 09:24:52 +01:00
pcmcia
ras
rdma RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz 2023-12-13 18:45:16 +01:00
rv
scsi scsi: sd: Fix system start for ATA devices 2023-12-08 08:52:17 +01:00
soc
sound ASoC: tas2781: add module parameter to tascodec_init() 2024-02-23 09:25:14 +01:00
target
trace rxrpc: Fix counting of new acks and nacks 2024-02-16 19:10:50 +01:00
uapi netfilter: nft_compat: reject unused compat flag 2024-02-16 19:10:51 +01:00
ufs
vdso
video
xen