From: Munehisa Kamata
Subject: Re: another use-after-free in ep_remove_wait_queue()
Date: Thu, 19 Jan 2023 18:52:53 -0800
Message-ID: <20230120025253.843079-1-kamatam@amazon.com>
In-Reply-To: <20230120024613.840905-1-kamatam@amazon.com>
References: <20230120024613.840905-1-kamatam@amazon.com>
On Fri, 2023-01-20 02:46:13 +0000, Munehisa Kamata wrote:
>
> On Fri, 2023-01-20 01:37:11 +0000, Suren Baghdasaryan wrote:
> >
> > On Thu, Jan 19, 2023 at 5:31 PM Hillf Danton wrote:
> > >
> > > On Thu, 19 Jan 2023 13:01:42 -0800 Suren Baghdasaryan wrote:
> > > >
> > > > Hi Folks,
> > > > I spent some more time digging into the details and this is what's
> > > > happening. When we call rmdir to delete the cgroup with the pressure
> > > > file being epoll'ed, roughly the following call chain happens in the
> > > > context of the shell process:
> > > >
> > > > do_rmdir
> > > >   cgroup_rmdir
> > > >     kernfs_drain_open_files
> > > >       cgroup_file_release
> > > >         cgroup_pressure_release
> > > >           psi_trigger_destroy
> > > >
> > > > Later on in the context of our reproducer, the last fput() is called
> > > > causing wait queue removal:
> > > >
> > > > fput
> > > >   ep_eventpoll_release
> > > >     ep_free
> > > >       ep_remove_wait_queue
> > > >         remove_wait_queue
> > > >
> > > > By this time psi_trigger_destroy() already destroyed the trigger's
> > > > waitqueue head and we hit UAF.
> > > > I think the conceptual problem here (or maybe that's by design?) is
> > > > that cgroup_file_release() is not really tied to the file's real
> > > > lifetime (when the last fput() is issued). Otherwise fput() would call
> > > > eventpoll_release() before f_op->release() and the order would be fine
> > > > (we would remove the wait queue first in eventpoll_release() and then
> > > > f_op->release() would cause trigger's destruction).
> > >
> > > eventpoll_release
> > >   eventpoll_release_file
> > >     ep_remove
> > >       ep_unregister_pollwait
> > >         ep_remove_wait_queue
> > >
> > Yes but fput() calls eventpoll_release() *before* f_op->release(), so
> > waitqueue_head would be removed before trigger destruction.
>
> But pwq->whead is still pointing to the freed head, then we just hit the same
> issue earlier?

Ah nevermind, that was just a hypothetical case if cgroup_file_release()
was tied to the file's lifetime and assuming trigger destruction that frees
the queue and clears pwq->whead would happen later in f_op->release();
there is no such implementation today. Sorry for noise.

> > > Different roads run into the same Roma city.
> >
> > You butchered the phrase :)
> >
> > > > Considering these findings, I think we can use the wake_up_pollfree()
> > > > without contradicting the comment at
> > > > https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253
> > > > because indeed, cgroup_file_release() and therefore
> > > > psi_trigger_destroy() are not tied to the file's lifetime.
> > > >
> > > > I'm CC'ing Tejun to check if this makes sense to him and
> > > > cgroup_file_release() is working as expected in this case.
> > > >
> > > > Munehisa, if Tejun confirms this is all valid, could you please post
> > > > a patch replacing wake_up_interruptible() with wake_up_pollfree()? We
> > > > don't need to worry about wake_up_all() because we have a limitation
> > > > of one trigger per file descriptor:
> > > > https://elixir.bootlin.com/linux/latest/source/kernel/sched/psi.c#L1419,
> > > > so there can be only one waiter.
> > > > Thanks,
> > > > Suren.
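To make the two orderings discussed in this thread concrete, here is a small userspace C model added for this archive page (it is not kernel code and not from any participant): a psi_trigger-like object owning a wait queue head, an eppoll_entry-like waiter holding pwq->whead, and the rmdir-then-fput sequence with either a plain wake-up or a pollfree-style wake-up. The struct layouts, the `freed` flag standing in for kfree(), the REMOVE_* result codes and the replay() driver are simplifications assumed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
struct wq_head { struct pwq *first; bool freed; };        /* model of wait_queue_head_t */
struct pwq { struct wq_head *whead; struct pwq *next; };   /* model of eppoll_entry */
struct trigger { struct wq_head wait; };                   /* model of psi_trigger */
enum { REMOVE_SKIPPED = 0, REMOVE_OK = 1, REMOVE_UAF = 2 }; /* constructed result codes */
/* ep_ptable_queue_proc(): epoll links its waiter on the trigger's head */
static void add_wait_queue(struct wq_head *h, struct pwq *p)
{
    p->whead = h; p->next = h->first; h->first = p;
}
/* wake_up_pollfree(): each waiter is unlinked and forgets the head, as
 * ep_poll_callback() does on POLLFREE (smp_store_release(&whead, NULL)) */
static void wake_up_pollfree(struct wq_head *h)
{
    for (struct pwq *p = h->first, *n; p; p = n) {
        n = p->next; p->next = NULL; p->whead = NULL;
    }
    h->first = NULL;
}
/* psi_trigger_destroy(): a plain wake_up_interruptible() leaves waiters
 * linked; "freed" stands in for kfree() so a later touch is detectable */
static void trigger_destroy(struct trigger *t, bool use_pollfree)
{
    if (use_pollfree)
        wake_up_pollfree(&t->wait);
    t->wait.freed = true;
}
/* ep_remove_wait_queue(): mirrors the kernel's "whead already cleared by
 * POLLFREE, nothing to remove" check, then unlinks from a live head */
static int ep_remove_wait_queue(struct pwq *p)
{
    struct wq_head *h = p->whead;
    if (!h) return REMOVE_SKIPPED;
    if (h->freed) return REMOVE_UAF;          /* the bug from the thread */
    for (struct pwq **pp = &h->first; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    p->whead = NULL;
    return REMOVE_OK;
}
/* Replay: epoll_ctl(ADD) on the pressure file, then rmdir of the cgroup
 * (psi_trigger_destroy) before the last fput() (ep_remove_wait_queue) as in
 * the thread, or the reverse order for comparison */
static int replay(bool destroy_first, bool use_pollfree)
{
    struct trigger t = { { NULL, false } };
    struct pwq pwq = { NULL, NULL };
    add_wait_queue(&t.wait, &pwq);
    if (!destroy_first) return ep_remove_wait_queue(&pwq);
    trigger_destroy(&t, use_pollfree);
    return ep_remove_wait_queue(&pwq);
}
```

With the thread's ordering, replay(true, false) reports the use-after-free and replay(true, true) shows the pollfree wake-up turning the later removal into a no-op; replay(false, false) is the harmless order where the waiter is removed from a still-live head.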