linux/fs/erofs/sysfs.c
Dongliang Mu a942da24ab fs: erofs: add sanity check for kobject in erofs_unregister_sysfs
Syzkaller hit 'WARNING: kobject bug in erofs_unregister_sysfs'. This bug
is triggered by injecting fault in kobject_init_and_add of
erofs_unregister_sysfs.

Fix this by adding sanity check for kobject in erofs_unregister_sysfs

Note that I've tested the patch and the crash does not occur any more.

Link: https://lore.kernel.org/r/20220315132814.12332-1-dzm91@hust.edu.cn
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Fixes: 168e9a76200c ("erofs: add sysfs interface")
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2022-03-17 00:09:02 +08:00

259 lines
5.9 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C), 2008-2021, OPPO Mobile Comm Corp., Ltd.
* https://www.oppo.com/
*/
#include <linux/sysfs.h>
#include <linux/kobject.h>
#include "internal.h"
enum {
attr_feature,
attr_pointer_ui,
attr_pointer_bool,
};
enum {
struct_erofs_sb_info,
struct_erofs_mount_opts,
};
struct erofs_attr {
struct attribute attr;
short attr_id;
int struct_type, offset;
};
#define EROFS_ATTR(_name, _mode, _id) \
static struct erofs_attr erofs_attr_##_name = { \
.attr = {.name = __stringify(_name), .mode = _mode }, \
.attr_id = attr_##_id, \
}
#define EROFS_ATTR_FUNC(_name, _mode) EROFS_ATTR(_name, _mode, _name)
#define EROFS_ATTR_FEATURE(_name) EROFS_ATTR(_name, 0444, feature)
#define EROFS_ATTR_OFFSET(_name, _mode, _id, _struct) \
static struct erofs_attr erofs_attr_##_name = { \
.attr = {.name = __stringify(_name), .mode = _mode }, \
.attr_id = attr_##_id, \
.struct_type = struct_##_struct, \
.offset = offsetof(struct _struct, _name),\
}
#define EROFS_ATTR_RW(_name, _id, _struct) \
EROFS_ATTR_OFFSET(_name, 0644, _id, _struct)
#define EROFS_RO_ATTR(_name, _id, _struct) \
EROFS_ATTR_OFFSET(_name, 0444, _id, _struct)
#define EROFS_ATTR_RW_UI(_name, _struct) \
EROFS_ATTR_RW(_name, pointer_ui, _struct)
#define EROFS_ATTR_RW_BOOL(_name, _struct) \
EROFS_ATTR_RW(_name, pointer_bool, _struct)
#define ATTR_LIST(name) (&erofs_attr_##name.attr)
#ifdef CONFIG_EROFS_FS_ZIP
EROFS_ATTR_RW_UI(sync_decompress, erofs_mount_opts);
#endif
static struct attribute *erofs_attrs[] = {
#ifdef CONFIG_EROFS_FS_ZIP
ATTR_LIST(sync_decompress),
#endif
NULL,
};
ATTRIBUTE_GROUPS(erofs);
/* Features this copy of erofs supports */
EROFS_ATTR_FEATURE(zero_padding);
EROFS_ATTR_FEATURE(compr_cfgs);
EROFS_ATTR_FEATURE(big_pcluster);
EROFS_ATTR_FEATURE(chunked_file);
EROFS_ATTR_FEATURE(device_table);
EROFS_ATTR_FEATURE(compr_head2);
EROFS_ATTR_FEATURE(sb_chksum);
EROFS_ATTR_FEATURE(ztailpacking);
static struct attribute *erofs_feat_attrs[] = {
ATTR_LIST(zero_padding),
ATTR_LIST(compr_cfgs),
ATTR_LIST(big_pcluster),
ATTR_LIST(chunked_file),
ATTR_LIST(device_table),
ATTR_LIST(compr_head2),
ATTR_LIST(sb_chksum),
ATTR_LIST(ztailpacking),
NULL,
};
ATTRIBUTE_GROUPS(erofs_feat);
static unsigned char *__struct_ptr(struct erofs_sb_info *sbi,
int struct_type, int offset)
{
if (struct_type == struct_erofs_sb_info)
return (unsigned char *)sbi + offset;
if (struct_type == struct_erofs_mount_opts)
return (unsigned char *)&sbi->opt + offset;
return NULL;
}
static ssize_t erofs_attr_show(struct kobject *kobj,
struct attribute *attr, char *buf)
{
struct erofs_sb_info *sbi = container_of(kobj, struct erofs_sb_info,
s_kobj);
struct erofs_attr *a = container_of(attr, struct erofs_attr, attr);
unsigned char *ptr = __struct_ptr(sbi, a->struct_type, a->offset);
switch (a->attr_id) {
case attr_feature:
return sysfs_emit(buf, "supported\n");
case attr_pointer_ui:
if (!ptr)
return 0;
return sysfs_emit(buf, "%u\n", *(unsigned int *)ptr);
case attr_pointer_bool:
if (!ptr)
return 0;
return sysfs_emit(buf, "%d\n", *(bool *)ptr);
}
return 0;
}
static ssize_t erofs_attr_store(struct kobject *kobj, struct attribute *attr,
const char *buf, size_t len)
{
struct erofs_sb_info *sbi = container_of(kobj, struct erofs_sb_info,
s_kobj);
struct erofs_attr *a = container_of(attr, struct erofs_attr, attr);
unsigned char *ptr = __struct_ptr(sbi, a->struct_type, a->offset);
unsigned long t;
int ret;
switch (a->attr_id) {
case attr_pointer_ui:
if (!ptr)
return 0;
ret = kstrtoul(skip_spaces(buf), 0, &t);
if (ret)
return ret;
if (t != (unsigned int)t)
return -ERANGE;
#ifdef CONFIG_EROFS_FS_ZIP
if (!strcmp(a->attr.name, "sync_decompress") &&
(t > EROFS_SYNC_DECOMPRESS_FORCE_OFF))
return -EINVAL;
#endif
*(unsigned int *)ptr = t;
return len;
case attr_pointer_bool:
if (!ptr)
return 0;
ret = kstrtoul(skip_spaces(buf), 0, &t);
if (ret)
return ret;
if (t != 0 && t != 1)
return -EINVAL;
*(bool *)ptr = !!t;
return len;
}
return 0;
}
static void erofs_sb_release(struct kobject *kobj)
{
struct erofs_sb_info *sbi = container_of(kobj, struct erofs_sb_info,
s_kobj);
complete(&sbi->s_kobj_unregister);
}
static const struct sysfs_ops erofs_attr_ops = {
.show = erofs_attr_show,
.store = erofs_attr_store,
};
static struct kobj_type erofs_sb_ktype = {
.default_groups = erofs_groups,
.sysfs_ops = &erofs_attr_ops,
.release = erofs_sb_release,
};
static struct kobj_type erofs_ktype = {
.sysfs_ops = &erofs_attr_ops,
};
static struct kset erofs_root = {
.kobj = {.ktype = &erofs_ktype},
};
static struct kobj_type erofs_feat_ktype = {
.default_groups = erofs_feat_groups,
.sysfs_ops = &erofs_attr_ops,
};
static struct kobject erofs_feat = {
.kset = &erofs_root,
};
int erofs_register_sysfs(struct super_block *sb)
{
struct erofs_sb_info *sbi = EROFS_SB(sb);
int err;
sbi->s_kobj.kset = &erofs_root;
init_completion(&sbi->s_kobj_unregister);
err = kobject_init_and_add(&sbi->s_kobj, &erofs_sb_ktype, NULL,
"%s", sb->s_id);
if (err)
goto put_sb_kobj;
return 0;
put_sb_kobj:
kobject_put(&sbi->s_kobj);
wait_for_completion(&sbi->s_kobj_unregister);
return err;
}
void erofs_unregister_sysfs(struct super_block *sb)
{
struct erofs_sb_info *sbi = EROFS_SB(sb);
if (sbi->s_kobj.state_in_sysfs) {
kobject_del(&sbi->s_kobj);
kobject_put(&sbi->s_kobj);
wait_for_completion(&sbi->s_kobj_unregister);
}
}
int __init erofs_init_sysfs(void)
{
int ret;
kobject_set_name(&erofs_root.kobj, "erofs");
erofs_root.kobj.parent = fs_kobj;
ret = kset_register(&erofs_root);
if (ret)
goto root_err;
ret = kobject_init_and_add(&erofs_feat, &erofs_feat_ktype,
NULL, "features");
if (ret)
goto feat_err;
return ret;
feat_err:
kobject_put(&erofs_feat);
kset_unregister(&erofs_root);
root_err:
return ret;
}
void erofs_exit_sysfs(void)
{
kobject_put(&erofs_feat);
kset_unregister(&erofs_root);
}