From: Munehisa Kamata
Subject: Re: another use-after-free in ep_remove_wait_queue()
Date: Thu, 19 Jan 2023 18:46:13 -0800
Message-ID: <20230120024613.840905-1-kamatam@amazon.com>

On Fri, 2023-01-20 01:37:11 +0000, Suren Baghdasaryan wrote:
>
> On Thu, Jan 19, 2023 at 5:31 PM Hillf Danton wrote:
> >
> > On Thu, 19 Jan 2023 13:01:42 -0800 Suren Baghdasaryan wrote:
> > >
> > > Hi Folks,
> > > I spent some more time digging into the details and this is what's
> > > happening. When we call rmdir to delete the cgroup with the pressure
> > > file being epoll'ed, roughly the following call chain happens in the
> > > context of the shell process:
> > >
> > > do_rmdir
> > >   cgroup_rmdir
> > >     kernfs_drain_open_files
> > >       cgroup_file_release
> > >         cgroup_pressure_release
> > >           psi_trigger_destroy
> > >
> > > Later on in the context of our reproducer, the last fput() is called
> > > causing wait queue removal:
> > >
> > > fput
> > >   ep_eventpoll_release
> > >     ep_free
> > >       ep_remove_wait_queue
> > >         remove_wait_queue
> > >
> > > By this time psi_trigger_destroy() already destroyed the trigger's
> > > waitqueue head and we hit UAF.
> > > I think the conceptual problem here (or maybe that's by design?) is
> > > that cgroup_file_release() is not really tied to the file's real
> > > lifetime (when the last fput() is issued). Otherwise fput() would call
> > > eventpoll_release() before f_op->release() and the order would be fine
> > > (we would remove the wait queue first in eventpoll_release() and then
> > > f_op->release() would cause trigger's destruction).
> >
> > eventpoll_release
> >   eventpoll_release_file
> >     ep_remove
> >       ep_unregister_pollwait
> >         ep_remove_wait_queue
> >
>
> Yes but fput() calls eventpoll_release() *before* f_op->release(), so
> waitqueue_head would be removed before trigger destruction.

But pwq->whead is still pointing to the freed head, so wouldn't we just hit the same issue earlier?

> > Different roads run into the same Roma city.
>
> You butchered the phrase :)
>
> > >
> > > Considering these findings, I think we can use the wake_up_pollfree()
> > > without contradicting the comment at
> > > https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253
> > > because indeed, cgroup_file_release() and therefore
> > > psi_trigger_destroy() are not tied to the file's lifetime.
> > >
> > > I'm CC'ing Tejun to check if this makes sense to him and
> > > cgroup_file_release() is working as expected in this case.
> > >
> > > Munehisa, if Tejun confirms this is all valid, could you please post
> > > a patch replacing wake_up_interruptible() with wake_up_pollfree()? We
> > > don't need to worry about wake_up_all() because we have a limitation
> > > of one trigger per file descriptor:
> > > https://elixir.bootlin.com/linux/latest/source/kernel/sched/psi.c#L1419,
> > > so there can be only one waiter.
> > > Thanks,
> > > Suren.
> > >
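Editor's note (not part of the thread): the following is an added userspace model of the lifetime problem discussed above, written to show what happens to pwq->whead in the two cases Suren and Munehisa are debating. It is not kernel code and not the thread's reproducer. The struct and function names mirror fs/eventpoll.c, kernel/sched/psi.c and include/linux/wait.h but are heavily simplified: a singly linked list stands in for list_head, a `freed` flag on the wait queue head stands in for kfree() plus the KASAN report, and there is no locking or RCU. The POLLFREE handling in ep_poll_callback() (unlink the entry, then clear pwq->whead so ep_remove_wait_queue() skips the head) models the existing epoll mechanism that the wait.h comment refers to; psi_trigger_destroy() takes a flag only so both the wake_up_interruptible() and wake_up_pollfree() orderings can be run side by side.

```c
/* Userspace model (not kernel code) of the psi trigger / epoll wait-queue
 * lifetime problem: a psi trigger owns a wait_queue_head, epoll's
 * eppoll_entry keeps a raw pointer (whead) to it, and cgroup rmdir can
 * destroy the trigger before the last fput() removes epoll's wait entry. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POLLFREE 0x4000u   /* same bit value as the kernel's POLLFREE */

struct wait_queue_entry;
typedef int (*wait_func_t)(struct wait_queue_entry *wait, unsigned int key);

struct wait_queue_entry {
    wait_func_t func;
    void *private;                   /* kernel: owner pointer; here the eppoll_entry */
    struct wait_queue_entry *next;   /* model: singly linked stand-in for list_head */
};

struct wait_queue_head {
    struct wait_queue_entry *head;
    bool freed;                      /* model only: set when the owning trigger is freed */
};

struct psi_trigger {
    struct wait_queue_head event_wait;
};

struct eppoll_entry {
    struct wait_queue_head *whead;   /* the pointer that dangles in the real bug */
    struct wait_queue_entry wait;
};

static void add_wait_queue(struct wait_queue_head *wq, struct wait_queue_entry *w)
{
    w->next = wq->head;
    wq->head = w;
}

/* Returns 0 on success, -1 if the head was already destroyed (the access
 * KASAN would report as the use-after-free in ep_remove_wait_queue()). */
static int remove_wait_queue(struct wait_queue_head *wq, struct wait_queue_entry *w)
{
    if (wq->freed)
        return -1;
    for (struct wait_queue_entry **pp = &wq->head; *pp; pp = &(*pp)->next) {
        if (*pp == w) { *pp = w->next; w->next = NULL; break; }
    }
    return 0;
}

static void __wake_up(struct wait_queue_head *wq, unsigned int key)
{
    struct wait_queue_entry *w = wq->head, *next;
    while (w) {
        next = w->next;              /* the callback may unlink itself */
        w->func(w, key);
        w = next;
    }
}

static void wake_up_interruptible(struct wait_queue_head *wq) { __wake_up(wq, 0); }
static void wake_up_pollfree(struct wait_queue_head *wq) { __wake_up(wq, POLLFREE); }

/* epoll's wait callback: on POLLFREE it unlinks itself and drops whead, so a
 * later ep_remove_wait_queue() has nothing left to touch on the dying head. */
static int ep_poll_callback(struct wait_queue_entry *wait, unsigned int key)
{
    struct eppoll_entry *pwq = wait->private;
    if (key & POLLFREE) {
        if (pwq->whead)
            remove_wait_queue(pwq->whead, wait);  /* kernel: list_del_init(&wait->entry) */
        pwq->whead = NULL;                        /* kernel: smp_store_release(&pwq->whead, NULL) */
    }
    return 0;
}

/* Only dereferences the head if whead is still set. */
static int ep_remove_wait_queue(struct eppoll_entry *pwq)
{
    struct wait_queue_head *whead = pwq->whead;
    if (!whead)
        return 0;
    return remove_wait_queue(whead, &pwq->wait);
}

/* Without pollfree: wake waiters normally, then free (the head goes away with
 * whead still pointing at it). With pollfree: waiters detach first. */
static void psi_trigger_destroy(struct psi_trigger *t, bool use_pollfree)
{
    if (use_pollfree)
        wake_up_pollfree(&t->event_wait);
    else
        wake_up_interruptible(&t->event_wait);
    t->event_wait.freed = true;      /* kernel: kfree(t) */
}

/* Sequence from the thread: epoll registers on the trigger's wait queue,
 * rmdir destroys the trigger, the last fput() removes the wait entry.
 * Returns 0 if the removal was safe, -1 if it touched the destroyed head. */
int run_scenario(bool use_pollfree)
{
    struct psi_trigger t = { .event_wait = { .head = NULL, .freed = false } };
    struct eppoll_entry pwq = { .whead = &t.event_wait,
        .wait = { .func = ep_poll_callback, .private = &pwq, .next = NULL } };
    add_wait_queue(&t.event_wait, &pwq.wait);   /* ep_ptable_queue_proc() */
    psi_trigger_destroy(&t, use_pollfree);      /* cgroup_rmdir -> ... -> psi_trigger_destroy */
    return ep_remove_wait_queue(&pwq);          /* fput -> ep_free -> ep_remove_wait_queue */
}

int main(void)
{
    printf("wake_up_interruptible: %s\n", run_scenario(false) ? "use-after-free" : "ok");
    printf("wake_up_pollfree:      %s\n", run_scenario(true)  ? "use-after-free" : "ok");
    return 0;
}
```

In the wake_up_interruptible() ordering, pwq->whead still points at the destroyed head when the last fput() runs, which is exactly the access Munehisa asks about; in the wake_up_pollfree() ordering the callback has already unlinked the entry and cleared whead, so the later removal becomes a no-op. The model has no concurrency, so it does not show the race that the real code closes with the queue lock and the release/acquire pair on whead.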