Commit a3f6cf1

Authored and committed by Herton R. Krzesinski
Merge: kernfs: fix use-after-free in __kernfs_remove
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2020

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2143947
Upstream status: Linus

Syzkaller triggered concurrent calls to kernfs_remove_by_name_ns() for the same file resulting in a KASAN detected use-after-free. The race occurs when the root node is freed during kernfs_drain(). The change prevents this by acquiring an additional reference for the root of the sub-tree of kernfs nodes that is being removed before calling __kernfs_remove().

Signed-off-by: Ian Kent <ikent@redhat.com>
Approved-by: Bill O'Donnell <bodonnel@redhat.com>
Approved-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
2 parents c9afa88 + e297760 commit a3f6cf1

fs/kernfs/dir.c

Lines changed: 4 additions & 1 deletion
@@ -1569,8 +1569,11 @@ int kernfs_remove_by_name_ns(struct kernfs_node *parent, const char *name,
15691569
down_write(&root->kernfs_rwsem);
15701570

15711571
kn = kernfs_find_ns(parent, name, ns);
1572-
if (kn)
1572+
if (kn) {
1573+
kernfs_get(kn);
15731574
__kernfs_remove(kn);
1575+
kernfs_put(kn);
1576+
}
15741577

15751578
up_write(&root->kernfs_rwsem);
15761579
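Review bot: The kernfs_get(kn)/kernfs_put(kn) pair added around __kernfs_remove(kn) carries no comment explaining why the extra reference is needed, and from the code alone it looks redundant because kn was just returned by kernfs_find_ns() with root->kernfs_rwsem held for write. Suggest a short comment above kernfs_get(kn) saying that the reference keeps the root of the sub-tree alive while __kernfs_remove() drains it, since the commit message says a concurrent kernfs_remove_by_name_ns() on the same name can otherwise free it during kernfs_drain(). It would also help to state in the description that calling kernfs_put(kn) before up_write(&root->kernfs_rwsem), where it may drop the last reference, is intended, and whether other callers of __kernfs_remove() were checked for the same window.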
