@@ -179,14 +179,14 @@ static ssize_t raw_attr_read(struct file *filep, struct kobject *kobj,
return count;
}
-static struct elog_obj *create_elog_obj(uint64_t id, size_t size, uint64_t type)
+static void create_elog_obj(uint64_t id, size_t size, uint64_t type)
{
struct elog_obj *elog;
int rc;
elog = kzalloc(sizeof(*elog), GFP_KERNEL);
if (!elog)
- return NULL;
+ return;
elog->kobj.kset = elog_kset;
@@ -219,18 +219,42 @@ static struct elog_obj *create_elog_obj(uint64_t id, size_t size, uint64_t type)
rc = kobject_add(&elog->kobj, NULL, "0x%llx", id);
if (rc) {
kobject_put(&elog->kobj);
- return NULL;
+ return;
}
+ /*
+ * As soon as sysfs file for this elog is created/activated there is
+ * chance opal_errd daemon might read and acknowledge this elog before
+ * kobject_uevent() is called. If that happens then we have a potential
+ * race between elog_ack_store->kobject_put() and kobject_uevent which
+ * leads to use-after-free issue of a kernfs object resulting into
+ * kernel crash.
+ *
+ * We already have one reference count on kobject and is been used for
+ * sysfs_create_bin_file() function. This initial one reference count
+ * is valid until it is dropped by elog_ack_store() function.
+ *
+ * However if userspace acknowledges the elog before this code reaches
+ * to kobject_uevent(), the reference count on kobject drops to zero
+ * and no longer stay valid for kobject_uevent() invocation. To avoid
+ * this race take reference count on kobject for bin file creation and
+ * drop it after kobject_uevent() is sent.
+ */
+
+ kobject_get(&elog->kobj); /* take a reference for the bin file. */
rc = sysfs_create_bin_file(&elog->kobj, &elog->raw_attr);
if (rc) {
kobject_put(&elog->kobj);
- return NULL;
+ /* Drop reference count taken for bin file. */
+ kobject_put(&elog->kobj);
+ return;
}
kobject_uevent(&elog->kobj, KOBJ_ADD);
+ /* Drop reference count taken for bin file. */
+ kobject_put(&elog->kobj);
- return elog;
+ return;
}
static irqreturn_t elog_event(int irq, void *data)
Every error log reported by OPAL is exported to userspace through a sysfs interface and notified using kobject_uevent(). The userspace daemon (opal_errd) then reads the error log and acknowledges it error log is saved safely to disk. Once acknowledged the kernel removes the respective sysfs file entry causing respective resources getting released including kobject. However there are chances where user daemon may already be scanning elog entries while new sysfs elog entry is being created by kernel. User daemon may read this new entry and ack it even before kernel can notify userspace about it through kobject_uevent() call. If that happens then we have a potential race between elog_ack_store->kobject_put() and kobject_uevent which can lead to use-after-free issue of a kernfs object resulting into a kernel crash. This patch fixes this race by protecting a sysfs file creation/notification by holding a reference count on kobject until we safely send kobject_uevent(). The function create_elog_obj() returns the elog object which if used by caller function will end up in use-after-free problem again. However, the return value of create_elog_obj() function isn't being used today and there is need as well. Hence change it to return void to make this fix complete. Fixes: 774fea1a38c6 ("powerpc/powernv: Read OPAL error log and export it through sysfs") Cc: <stable@vger.kernel.org> # v3.15+ Reported-by: Oliver O'Halloran <oohall@gmail.com> Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> Reviewed-by: Oliver O'Halloran <oohall@gmail.com> Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com> --- Chnage in v4: - Re-worded comments. No code change. Change in v3: - Change create_elog_obj function signature to return void. Change in v2: - Instead of mutex and use extra reference count on kobject to avoid the race. --- arch/powerpc/platforms/powernv/opal-elog.c | 34 ++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-)