From: Christian Brauner
To: Al Viro
Cc: Greg Kroah-Hartman, bot+bpf-ci@kernel.org, linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org, jack@suse.cz, raven@themaw.net, miklos@szeredi.hu, neil@brown.name, a.hindborg@kernel.org, linux-mm@kvack.org, linux-efi@vger.kernel.org, ocfs2-devel@lists.linux.dev, kees@kernel.org, rostedt@goodmis.org, linux-usb@vger.kernel.org, paul@paul-moore.com, casey@schaufler-ca.com, linuxppc-dev@lists.ozlabs.org, john.johansen@canonical.com, selinux@vger.kernel.org, borntraeger@linux.ibm.com, bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, martin.lau@kernel.org, eddyz87@gmail.com, yonghong.song@linux.dev, ihor.solodrai@linux.dev, Chris Mason
Subject: Re: [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name())
Date: Fri, 14 Nov 2025 12:42:39 +0100
Message-ID: <20251114-abkehr-rasur-b2eae31c4d57@brauner>
In-Reply-To: <20251114074614.GY2441659@ZenIV>
References: <20251111065520.2847791-37-viro@zeniv.linux.org.uk> <20754dba9be498daeda5fe856e7276c9c91c271999320ae32331adb25a47cd4f@mail.kernel.org> <20251111092244.GS2441659@ZenIV> <20251113092636.GX2441659@ZenIV> <2025111316-cornfield-sphinx-ba89@gregkh> <20251114074614.GY2441659@ZenIV>
On Fri, Nov 14, 2025 at 07:46:14AM +0000, Al Viro wrote:
> On Thu, Nov 13, 2025 at 04:20:08PM -0500, Greg Kroah-Hartman wrote:
> 
> > Sorry for the delay. Yes, we should be grabbing the mutex in there, good
> > catch. There have been more issues pointed out with the gadget code in the
> > past year or so as more people are starting to actually use it and
> > stress it more. So if you have a patch for this, I'll gladly take it :)
> 
> How about the following?
> 
> commit 330837c8101578438f64cfaec3fb85521d668e56
> Author: Al Viro
> Date:   Fri Nov 14 02:18:22 2025 -0500
> 
>     functionfs: fix the open/removal races
> 
>     ffs_epfile_open() can race with removal, ending up with file->private_data

Very apt prefix though. (Like Paul would say: "Sorry, couldn't resist.")

>     pointing to freed object.
> 
>     There is a total count of opened files on functionfs (both ep0 and
>     dynamic ones) and when it hits zero, dynamic files get removed.
>     Unfortunately, that removal can happen while another thread is
>     in ffs_epfile_open(), but has not incremented the count yet.
>     In that case open will succeed, leaving us with UAF on any subsequent
>     read() or write().
> 
>     The root cause is that ffs->opened is misused; atomic_dec_and_test() vs.
>     atomic_add_return() is not a good idea, when object remains visible all
>     along.
> 
>     To untangle that
>       * serialize openers on ffs->mutex (both for ep0 and for dynamic files)
>       * have dynamic ones use atomic_inc_not_zero() and fail if we had
>         zero ->opened; in that case the file we are opening is doomed.
>       * have the inodes of dynamic files marked on removal (from the
>         callback of simple_recursive_removal()) - clear ->i_private there.
>       * have open of dynamic ones verify they hadn't been already removed,
>         along with checking that state is FFS_ACTIVE.
> 
>     Fix another abuse of ->opened, while we are at it - it starts equal to 0,
>     is incremented on opens and decremented on ->release()... *and* decremented
>     (always from 0 to -1) in ->kill_sb(). Handling that case has no business
>     in ffs_data_closed() (or to ->opened); just have ffs_kill_sb() do what
>     ffs_data_closed() would in case of decrement to negative rather than
>     calling ffs_data_closed() there.
> 
>     And don't bother with bumping ffs->ref when opening a file - superblock
>     already holds the reference and it won't go away while there are any opened
>     files on the filesystem.
> 
>     Signed-off-by: Al Viro
> 
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 47cfbe41fdff..ed7fa869ea77 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -640,13 +640,22 @@ static ssize_t ffs_ep0_read(struct file *file, char __user *buf, > > static int ffs_ep0_open(struct inode *inode, struct file *file) > { > - struct ffs_data *ffs = inode->i_private; > + struct ffs_data *ffs = inode->i_sb->s_fs_info; > + int ret; > > - if (ffs->state == FFS_CLOSING) > - return -EBUSY; > + /* Acquire mutex */ > + ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); > + if (ret < 0) > + return ret; > > - file->private_data = ffs; > ffs_data_opened(ffs); > + if (ffs->state == FFS_CLOSING) { > + ffs_data_closed(ffs); > + mutex_unlock(&ffs->mutex); > + return -EBUSY; > + } > + mutex_unlock(&ffs->mutex); > + file->private_data = ffs; > > return stream_open(inode, file); > } > @@ -1193,14 +1202,33 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) > static int > ffs_epfile_open(struct inode *inode, struct file *file) > { > - struct ffs_epfile *epfile = inode->i_private; > + struct ffs_data *ffs = inode->i_sb->s_fs_info; > + struct ffs_epfile *epfile; > + int ret; > > - if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) > + /* Acquire mutex */ > + ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); > + if (ret < 0) > + return ret; > + > + if (!atomic_inc_not_zero(&ffs->opened)) { > + mutex_unlock(&ffs->mutex); > return -ENODEV; > + } > + /* > + * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is > + * not enough, though - we might have been through FFS_CLOSING > + * and back to FFS_ACTIVE, with our file already removed. > + */ > + epfile = smp_load_acquire(&inode->i_private); > + if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) { > + mutex_unlock(&ffs->mutex); > + ffs_data_closed(ffs); > + return -ENODEV; > + } > + mutex_unlock(&ffs->mutex); > > file->private_data = epfile; > - ffs_data_opened(epfile->ffs); > - > return stream_open(inode, file); > } 
> > @@ -1332,7 +1360,7 @@ static void ffs_dmabuf_put(struct dma_buf_attachment *attach) > static int > ffs_epfile_release(struct inode *inode, struct file *file) > { > - struct ffs_epfile *epfile = inode->i_private; > + struct ffs_epfile *epfile = file->private_data; > struct ffs_dmabuf_priv *priv, *tmp; > struct ffs_data *ffs = epfile->ffs; > > @@ -2071,12 +2099,18 @@ static int ffs_fs_init_fs_context(struct fs_context *fc) > return 0; > } > > +static void ffs_data_reset(struct ffs_data *ffs); > + > static void > ffs_fs_kill_sb(struct super_block *sb) > { > kill_litter_super(sb); > - if (sb->s_fs_info) > - ffs_data_closed(sb->s_fs_info); > + if (sb->s_fs_info) { > + struct ffs_data *ffs = sb->s_fs_info; > + ffs->state = FFS_CLOSING; > + ffs_data_reset(ffs); > + ffs_data_put(ffs); > + } > } > > static struct file_system_type ffs_fs_type = { > @@ -2114,7 +2148,6 @@ static void functionfs_cleanup(void) > /* ffs_data and ffs_function construction and destruction code **************/ > > static void ffs_data_clear(struct ffs_data *ffs); > -static void ffs_data_reset(struct ffs_data *ffs); > > static void ffs_data_get(struct ffs_data *ffs) > { > @@ -2123,7 +2156,6 @@ static void ffs_data_get(struct ffs_data *ffs) > > static void ffs_data_opened(struct ffs_data *ffs) > { > - refcount_inc(&ffs->ref); > if (atomic_add_return(1, &ffs->opened) == 1 && > ffs->state == FFS_DEACTIVATED) { > ffs->state = FFS_CLOSING; > @@ -2148,11 +2180,11 @@ static void ffs_data_put(struct ffs_data *ffs) > > static void ffs_data_closed(struct ffs_data *ffs) > { > - struct ffs_epfile *epfiles; > - unsigned long flags; > - > if (atomic_dec_and_test(&ffs->opened)) { > if (ffs->no_disconnect) { > + struct ffs_epfile *epfiles; > + unsigned long flags; > + > ffs->state = FFS_DEACTIVATED; > spin_lock_irqsave(&ffs->eps_lock, flags); > epfiles = ffs->epfiles; 
> @@ -2171,12 +2203,6 @@ static void ffs_data_closed(struct ffs_data *ffs) > ffs_data_reset(ffs); > } > } > - if (atomic_read(&ffs->opened) < 0) { > - ffs->state = FFS_CLOSING; > - ffs_data_reset(ffs); > - } > - > - ffs_data_put(ffs); > } > > static struct ffs_data *ffs_data_new(const char *dev_name) > @@ -2352,6 +2378,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs) > return 0; > } > > +static void clear_one(struct dentry *dentry) > +{ > + smp_store_release(&dentry->d_inode->i_private, NULL); > +} > + > static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) > { > struct ffs_epfile *epfile = epfiles; > @@ -2359,7 +2390,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) > for (; count; --count, ++epfile) { > BUG_ON(mutex_is_locked(&epfile->mutex)); > if (epfile->dentry) { > - simple_recursive_removal(epfile->dentry, NULL); > + simple_recursive_removal(epfile->dentry, clear_one); > epfile->dentry = NULL; > } > }
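Review bot: in the ffs_ep0_open() hunk the FFS_CLOSING check now runs after ffs_data_opened() instead of before it, and ffs_data_opened() itself writes ffs->state = FFS_CLOSING (and resets) when ->opened goes 0 -> 1 in FFS_DEACTIVATED, so the check observes the state after that transition rather than the state the removed `if (ffs->state == FFS_CLOSING) return -EBUSY;` looked at. Please add a one-line comment naming which FFS_CLOSING this post-increment check is meant to catch (the one the ffs_fs_kill_sb() hunk sets, by the look of it) and confirm the reopen-after-deactivation path can never leave state at FFS_CLOSING when the check runs, since that would turn every ep0 reopen into -EBUSY.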
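Review bot: in the ffs_epfile_open() hunk the failure path does mutex_unlock(&ffs->mutex) and then ffs_data_closed(ffs), whereas the ffs_ep0_open() hunk calls ffs_data_closed() first and unlocks afterwards; because ffs_data_closed() can take ->opened to zero and run the FFS_DEACTIVATED transition and ffs_epfiles_destroy(), the two orders are not equivalent with respect to an opener that has just taken the mutex, so pick one order for both sites and say in a comment why it is safe. Worth spelling out in the commit message as well: this hunk puts every endpoint open() behind ffs->mutex, and ffs_mutex_lock() honouring O_NONBLOCK implies that mutex can be held across sleeps, so an open() of an endpoint file from a second thread now waits on whatever ep0 operation currently holds it.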
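Review bot: the ffs_epfile_release() hunk switches its epfile lookup from inode->i_private to file->private_data, which is required now that clear_one() stores NULL into i_private on removal; any other endpoint-file path that still dereferences inode->i_private instead of file->private_data would now see NULL, so please check that this was the last such reader in f_fs.c and mention in the commit message that file->private_data is the only valid way to reach the epfile after this change.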
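Review bot: the ffs_fs_kill_sb() hunk writes ffs->state = FFS_CLOSING and calls ffs_data_reset() without ffs->mutex, while both open paths in this patch now read ffs->state under that mutex; that is only correct because no file can still be open when kill_sb runs, and a one-line comment stating that invariant would save the next reader the reasoning. The `ffs->state = FFS_CLOSING; ffs_data_reset(ffs);` pair also appears in the ffs_data_closed() hunk, so a tiny helper would keep the two in step and make the moved forward declaration of ffs_data_reset() unnecessary.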
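Review bot: with refcount_inc() dropped from ffs_data_opened() and ffs_epfile_open() now using atomic_inc_not_zero() directly, ffs_data_opened() is called only from ffs_ep0_open(), so its `atomic_add_return(1, &ffs->opened) == 1 && ffs->state == FFS_DEACTIVATED` reopen logic is an ep0-only path; a comment (or a rename along the lines of ffs_ep0_opened()) would record that ep0 is the single path allowed to take ->opened from zero to one, which is exactly the invariant the new atomic_inc_not_zero() in ffs_epfile_open() depends on.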
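Review bot: removing the `atomic_read(&ffs->opened) < 0` branch and the trailing ffs_data_put() from ffs_data_closed() is consistent with the kill_sb hunk taking over the negative case and with ffs_data_opened() no longer bumping ->ref, but ffs_data_closed() is still reached from ffs_epfile_release() without ffs->mutex, so the FFS_DEACTIVATED transition and ffs_epfiles_destroy() can run concurrently with an opener checking ffs->state under the mutex; the commit message should say explicitly that atomic_inc_not_zero() plus the clear_one()/smp_load_acquire() pairing is what makes that safe, because the mutex alone does not order those two.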
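Review bot: clear_one() dereferences dentry->d_inode unconditionally and so relies on simple_recursive_removal() only invoking the callback for positive dentries; state that assumption in a comment. More importantly, its smp_store_release(&dentry->d_inode->i_private, NULL) pairs with the smp_load_acquire(&inode->i_private) in the ffs_epfile_open() hunk and neither site names the other, so add a comment on each pointing at its partner so the pairing survives future edits to either function.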