* A concurrency bug between configfs_dir_lseek() and configfs_lookup()
@ 2021-04-14 17:18 Gong, Sishuai
From: Gong, Sishuai @ 2021-04-14 17:18 UTC
To: jlbec@evilplan.org, hch@lst.de
Cc: zhangdaiyue1@huawei.com, qiuge@huawei.com, chenyi77@huawei.com,
yuchao0@huawei.com, viro@zeniv.linux.org.uk,
christian.brauner@ubuntu.com, linux-fsdevel@vger.kernel.org
Hi,
We found a concurrency bug in Linux 5.12-rc3 and we are able to reproduce it under x86. This bug happens when the two configfs functions configfs_dir_lseek() and configfs_lookup() are running in parallel. configfs_dir_lseek() is deleting an entry while configfs_lookup() is accessing that entry, as shown below.
------------------------------------------
Execution interleaving

Thread 1                                       Thread 2
configfs_dir_lseek()                           configfs_lookup()
                                               if (!configfs_dirent_is_ready(parent_sd))
                                               // configfs_dirent_lock is released after
                                               // configfs_dirent_is_ready()
                                               list_for_each_entry(sd, &parent_sd->s_children, s_sibling)
spin_lock(&configfs_dirent_lock);
list_del(&cursor->s_sibling);
                                               list_for_each_entry(sd, &parent_sd->s_children, s_sibling)
                                               // error happens
------------------------------------------
Impact & fix
Eventually, this bug can cause a kernel NULL pointer dereference error, as attached below. We think a potential fix is to use list_for_each_entry_safe() instead of list_for_each_entry() in configfs_lookup().
------------------------------------------
Console output
[ 809.642609][T10805] BUG: kernel NULL pointer dereference, address: 00000118
[ 810.198062][T10805] #PF: supervisor read access in kernel mode
[ 810.836171][T10805] #PF: error_code(0x0000) - not-present page
[ 811.361680][T10805] *pde = 00000000
[ 811.869905][T10805] Oops: 0000 [#1] PREEMPT SMP
[ 812.386532][T10805] CPU: 1 PID: 10805 Comm: executor Not tainted 5.12.0-rc3 #3
[ 813.377094][T10805] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 813.896812][T10805] EIP: configfs_lookup+0x44/0x1a0
[ 814.431935][T10805] Code: 01 b8 f8 15 2f c4 8b 5f 20 e8 08 fd bb 01 b9 fe ff ff ff 81 e3 00 04 00 00 85 db 75 2f 8b 47 10 83 c7 10 8d 58 f8 39 c7 74 10 <f6> 43 20 0c 75 26 8b 43 08 8d 58 f8 39 c7 75 f0 81 7e 18 ff 00 00
[ 815.925387][T10805] EAX: 00000100 EBX: 000000f8 ECX: fffffffe EDX: c10d1cb0
[ 816.450272][T10805] ESI: cd029900 EDI: c3c50930 EBP: cf54ff04 ESP: cf54fef4
[ 816.986662][T10805] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000286
[ 818.033135][T10805] CR0: 80050033 CR2: 00000118 CR3: 0efd3000 CR4: 00000690
[ 818.567560][T10805] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 819.109192][T10805] DR6: 00000000 DR7: 00000000
[ 819.666769][T10805] Call Trace:
[ 820.179775][T10805] __lookup_hash+0x50/0x80
[ 820.702414][T10805] filename_create+0x70/0x130
[ 821.238903][T10805] do_symlinkat+0x4e/0x100
[ 821.776290][T10805] __ia32_sys_symlinkat+0x10/0x20
[ 822.375670][T10805] __do_fast_syscall_32+0x40/0x70
[ 823.000644][T10805] do_fast_syscall_32+0x29/0x60
[ 823.494806][T10805] do_SYSENTER_32+0x15/0x20
Thanks,
Sishuai
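The interleaving in the report, modelled in user space as an added example (this is not code from the configfs driver or from the reporter). The block copies the kernel's intrusive-list primitives, including the poison values list_del() writes into an unlinked node, and plays the configfs_lookup() walk one iteration at a time so the configfs_dir_lseek() deletion of the cursor can be placed at a chosen point. The struct dirent, the walk state and the three modes are this example's own simplification; they are not configfs types. It runs the same schedule three ways: the reported list_for_each_entry() with configfs_dirent_lock dropped, the list_for_each_entry_safe() variant the message proposes (which caches the next pointer before each body), and a walk with the lock held throughout. The model shows that each unlocked variant survives one placement of the deletion and reads a poisoned pointer at the other, while holding the lock across the traversal makes the deletion wait for the walk. The poison value 0x100 is LIST_POISON1 on 32-bit x86, consistent with EAX in the oops above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal copy of the kernel's intrusive list, with the 32-bit poison values
 * list_del() writes into an unlinked node. EAX == 0x100 in the oops above is
 * LIST_POISON1; the fault at 0x118 is consistent with a field read through
 * container_of() applied to that poisoned pointer. */
struct list_head { struct list_head *next, *prev; };
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n;  head->prev = n;
}
static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = LIST_POISON1;  e->prev = LIST_POISON2;   /* kernel poisons on unlink */
}
static int is_poison(const struct list_head *p)
{
    return p == LIST_POISON1 || p == LIST_POISON2;
}

/* Hypothetical stand-in for configfs_dirent: only the fields the race touches.
 * The lseek cursor has s_type == 0, real children have a non-zero type. */
struct dirent { struct list_head s_sibling; int s_type; const char *name; };

enum mode {
    UNLOCKED_PLAIN,   /* reported code: list_for_each_entry(), lock dropped */
    UNLOCKED_SAFE,    /* proposed: list_for_each_entry_safe(), lock dropped */
    LOCKED_WALK       /* configfs_dirent_lock held across the whole traversal */
};

/* Walker state for the configfs_lookup() side; n is the cached next pointer
 * that only the _safe variant maintains. */
struct walk { struct list_head *head, *pos, *n; int matched; };

/* One loop iteration. Returns 1 to continue, 0 at end of list, and -1 where
 * the kernel would have dereferenced a poisoned pointer and oopsed. */
static int walk_step(struct walk *w, enum mode m, const char *wanted)
{
    struct list_head *next = (m == UNLOCKED_SAFE) ? w->n : w->pos->next;
    if (is_poison(next))
        return -1;
    w->pos = next;
    if (w->pos == w->head)
        return 0;
    if (m == UNLOCKED_SAFE)
        w->n = w->pos->next;            /* _safe caches next before running the body */
    struct dirent *sd = container_of(w->pos, struct dirent, s_sibling);
    if (sd->s_type && strcmp(sd->name, wanted) == 0)
        w->matched = 1;
    return 1;
}

/* Play configfs_lookup("b") against configfs_dir_lseek() deleting the cursor
 * after `steps_before_del` loop iterations. Returns 1 when the lookup walks to
 * the end of the list and finds "b", 0 when it would have crashed. */
static int simulate(enum mode m, int steps_before_del)
{
    struct list_head children;
    struct dirent a = { .s_type = 1, .name = "a" };
    struct dirent cursor = { .s_type = 0, .name = "(lseek cursor)" };
    struct dirent b = { .s_type = 1, .name = "b" };
    init_list_head(&children);
    list_add_tail(&a.s_sibling, &children);
    list_add_tail(&cursor.s_sibling, &children);   /* cursor parked between a and b */
    list_add_tail(&b.s_sibling, &children);

    struct walk w = { .head = &children, .pos = &children, .n = children.next };
    /* configfs_dirent_is_ready() ran under the lock; the reported code then drops it. */
    int lock_held = (m == LOCKED_WALK);
    int rc = 1, deleted = 0, step = 0;

    while (rc > 0) {
        /* Thread 1 takes the lock and unlinks the cursor at this point of the walk. */
        if (step == steps_before_del && !lock_held) {
            list_del(&cursor.s_sibling);
            deleted = 1;
        }
        rc = walk_step(&w, m, "b");
        step++;
    }
    if (!deleted)                   /* with the lock held, lseek runs after the walk */
        list_del(&cursor.s_sibling);
    return rc == 0 && w.matched;
}

int main(void)
{
    printf("plain walk, cursor deleted while on it : %d\n", simulate(UNLOCKED_PLAIN, 2));
    printf("plain walk, cursor deleted one step earlier: %d\n", simulate(UNLOCKED_PLAIN, 1));
    printf("_safe walk, cursor deleted while on it : %d\n", simulate(UNLOCKED_SAFE, 2));
    printf("_safe walk, cursor deleted one step earlier: %d\n", simulate(UNLOCKED_SAFE, 1));
    printf("walk under configfs_dirent_lock        : %d\n", simulate(LOCKED_WALK, 2));
    return 0;
}
```

A result of 0 marks the schedule where the walker's next pointer is one that list_del() has already poisoned. The plain loop reads it when the deletion lands while the walker is on the cursor; the _safe loop reads it when the deletion lands one step earlier, because the cached next pointer then becomes the cursor whose links are poisoned by the time it is followed. Only the locked walk returns 1 for every placement, which is the property a fix needs to provide.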