From: Suren Baghdasaryan
Date: Sat, 21 Jan 2023 19:01:13 -0800
Subject: Re: another use-after-free in ep_remove_wait_queue()
To: Hillf Danton
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com

On Fri, Jan 20, 2023 at 9:18 PM Hillf Danton wrote:
>
> On Fri, 20 Jan 2023 08:28:25 -0800 Suren Baghdasaryan
> > On Fri, Jan 20, 2023 at 1:00 AM Hillf Danton wrote:
> > > +++ b/kernel/sched/psi.c
> > > @@ -1529,6 +1529,7 @@ static int psi_fop_release(struct inode
> > > {
> > > struct seq_file *seq = file->private_data;
> > >
> > > + eventpoll_release_file(file);
> >
> > Be careful here and see the comment in
> > https://elixir.bootlin.com/linux/latest/source/fs/eventpoll.c#L912.
> > eventpoll_release_file() assumes that the last fput() was called and
> > nobody other than ep_free() will race with us. So, this will not be
> > that simple.
>
> The epmutex serializes eventpoll_release_file() and ep_free(). And this
> is in psi_fop_release(), so no chance is likely left for another release.
>
> > Besides if we really need to fix the order here, the fix
> > should be somewhere at the level of cgroup_file_release() or even
> > kernfs to work for other similar situations.
>
> Good point but cgroup and kernfs have no idea of psi trigger.

Yes, that's why I think if we really need to fix the order here and do it
properly, it won't be straightforward.
IMHO wake_up_pollfree() is an appropriate and simple fix for this.

> > The bonus of the uaf is check polled file upon release in scenarios like
> > the psi trigger.
>
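Review bot: the eventpoll_release_file(file) call added at the top of psi_fop_release() in the kernel/sched/psi.c hunk is unconditional and carries no comment recording the precondition the thread identifies for that function (the last fput() has already happened and only ep_free() can race), and nothing in the hunk itself enforces or documents it. If this ordering is kept, add a comment at the call site stating that epmutex is what serializes it against ep_free() and that psi_fop_release() is the final release, so a later reader does not have to rediscover why the call is safe here; otherwise the wake_up_pollfree() approach raised in the reply avoids relying on that assumption at all.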