Every error log reported by OPAL is exported to userspace through a sysfs
interface and notified using kobject_uevent(). The userspace daemon
(opal_errd) then reads the error log and acknowledges it error log is saved
safely to disk. Once acknowledged the kernel removes the respective sysfs
file entry causing respective resources getting released including kobject.

However there are chances where user daemon may already be scanning elog
entries while new sysfs elog entry is being created by kernel. User daemon
may read this new entry and ack it even before kernel can notify userspace
about it through kobject_uevent() call. If that happens then we have a
potential race between elog_ack_store->kobject_put() and kobject_uevent
which can lead to use-after-free issue of a kernfs object resulting into a
kernel crash. This patch fixes this race by protecting a sysfs file
creation/notification by holding an additional reference count on kobject
until we safely send kobject_uevent().

The function create_elog_obj() returns the elog object which if used by
caller function will end up in use-after-free problem again. However, the
return value of create_elog_obj() function isn't being used today and there
is need as well. Hence change it to return void to make this fix complete.

Fixes: 774fea1a38c6 ("powerpc/powernv: Read OPAL error log and export it 
through sysfs")
Cc: <sta...@vger.kernel.org> # v3.15+
Reported-by: Oliver O'Halloran <ooh...@gmail.com>
Signed-off-by: Mahesh Salgaonkar <mah...@linux.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.ku...@linux.ibm.com>
Reviewed-by: Oliver O'Halloran <ooh...@gmail.com>
Reviewed-by: Vasant Hegde <hegdevas...@linux.vnet.ibm.com>
---
Change in v3:
- Change create_elog_obj function signature to return void.
Change in v2:
- Instead of mutex and use extra reference count on kobject to avoid the
  race.
---
 arch/powerpc/platforms/powernv/opal-elog.c |   25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/platforms/powernv/opal-elog.c 
b/arch/powerpc/platforms/powernv/opal-elog.c
index 62ef7ad995da..e61cbf08e17e 100644
--- a/arch/powerpc/platforms/powernv/opal-elog.c
+++ b/arch/powerpc/platforms/powernv/opal-elog.c
@@ -179,14 +179,14 @@ static ssize_t raw_attr_read(struct file *filep, struct 
kobject *kobj,
        return count;
 }
 
-static struct elog_obj *create_elog_obj(uint64_t id, size_t size, uint64_t 
type)
+static void create_elog_obj(uint64_t id, size_t size, uint64_t type)
 {
        struct elog_obj *elog;
        int rc;
 
        elog = kzalloc(sizeof(*elog), GFP_KERNEL);
        if (!elog)
-               return NULL;
+               return;
 
        elog->kobj.kset = elog_kset;
 
@@ -219,18 +219,33 @@ static struct elog_obj *create_elog_obj(uint64_t id, 
size_t size, uint64_t type)
        rc = kobject_add(&elog->kobj, NULL, "0x%llx", id);
        if (rc) {
                kobject_put(&elog->kobj);
-               return NULL;
+               return;
        }
 
+       /*
+        * As soon as sysfs file for this elog is created/activated there is
+        * chance opal_errd daemon might read and acknowledge this elog before
+        * kobject_uevent() is called. If that happens then we have a potential
+        * race between elog_ack_store->kobject_put() and kobject_uevent which
+        * leads to use-after-free issue of a kernfs object resulting into
+        * kernel crash. To avoid this race take an additional reference count
+        * on kobject until we safely send kobject_uevent().
+        */
+
+       kobject_get(&elog->kobj);  /* extra reference count */
        rc = sysfs_create_bin_file(&elog->kobj, &elog->raw_attr);
        if (rc) {
                kobject_put(&elog->kobj);
-               return NULL;
+               /* Drop the extra reference count  */
+               kobject_put(&elog->kobj);
+               return;
        }
 
        kobject_uevent(&elog->kobj, KOBJ_ADD);
+       /* Drop the extra reference count  */
+       kobject_put(&elog->kobj);
 
-       return elog;
+       return;
 }
 
 static irqreturn_t elog_event(int irq, void *data)


Reply via email to