Re: [PATCH v2] kernfs: fix use-after-free in __kernfs_remove

From: Tejun Heo
Date: Mon Sep 19 2022 - 13:35:54 EST

Next message: tumic: "[PATCH v2 0/3] Digiteq Automotive MGB4 driver"
Previous message: Keith Busch: "Re: [PATCH] nvme-pci: Make sure to ring doorbell when last request is short-circuited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 13, 2022 at 02:17:23PM +0200, Christian A. Ehrhardt wrote:
> Syzkaller managed to trigger concurrent calls to
> kernfs_remove_by_name_ns() for the same file resulting in
> a KASAN detected use-after-free. The race occurs when the root
> node is freed during kernfs_drain().
>
> To prevent this acquire an additional reference for the root
> of the tree that is removed before calling __kernfs_remove().
...
> cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> cc: Tejun Heo <tj@xxxxxxxxxx>
> Signed-off-by: Christian A. Ehrhardt <lk@xxxxxxx>

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks.

--
tejun

Next message: tumic: "[PATCH v2 0/3] Digiteq Automotive MGB4 driver"
Previous message: Keith Busch: "Re: [PATCH] nvme-pci: Make sure to ring doorbell when last request is short-circuited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]