From: Suren Baghdasaryan
Date: Thu, 19 Jan 2023 17:37:11 -0800
Subject: Re: another use-after-free in ep_remove_wait_queue()
To: Hillf Danton
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com
In-Reply-To: <20230120013055.3628-1-hdanton@sina.com>
References: <20230113022555.2467724-1-kamatam@amazon.com> <20230120013055.3628-1-hdanton@sina.com>
On Thu, Jan 19, 2023 at 5:31 PM Hillf Danton wrote:
>
> On Thu, 19 Jan 2023 13:01:42 -0800 Suren Baghdasaryan wrote:
> >
> > Hi Folks,
> > I spent some more time digging into the details and this is what's
> > happening. When we call rmdir to delete the cgroup with the pressure
> > file being epoll'ed, roughly the following call chain happens in the
> > context of the shell process:
> >
> > do_rmdir
> >   cgroup_rmdir
> >     kernfs_drain_open_files
> >       cgroup_file_release
> >         cgroup_pressure_release
> >           psi_trigger_destroy
> >
> > Later on in the context of our reproducer, the last fput() is called
> > causing wait queue removal:
> >
> > fput
> >   ep_eventpoll_release
> >     ep_free
> >       ep_remove_wait_queue
> >         remove_wait_queue
> >
> > By this time psi_trigger_destroy() already destroyed the trigger's
> > waitqueue head and we hit UAF.
> > I think the conceptual problem here (or maybe that's by design?) is
> > that cgroup_file_release() is not really tied to the file's real
> > lifetime (when the last fput() is issued). Otherwise fput() would call
> > eventpoll_release() before f_op->release() and the order would be fine
> > (we would remove the wait queue first in eventpoll_release() and then
> > f_op->release() would cause trigger's destruction).
>
> eventpoll_release
>   eventpoll_release_file
>     ep_remove
>       ep_unregister_pollwait
>         ep_remove_wait_queue

Yes but fput() calls eventpoll_release() *before* f_op->release(), so
waitqueue_head would be removed before trigger destruction.

> Different roads run into the same Roma city.

You butchered the phrase :)

> >
> > Considering these findings, I think we can use the wake_up_pollfree()
> > without contradicting the comment at
> > https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253
> > because indeed, cgroup_file_release() and therefore
> > psi_trigger_destroy() are not tied to the file's lifetime.
> >
> > I'm CC'ing Tejun to check if this makes sense to him and
> > cgroup_file_release() is working as expected in this case.
> >
> > Munehisa, if Tejun confirms this is all valid, could you please post
> > a patch replacing wake_up_interruptible() with wake_up_pollfree()? We
> > don't need to worry about wake_up_all() because we have a limitation
> > of one trigger per file descriptor:
> > https://elixir.bootlin.com/linux/latest/source/kernel/sched/psi.c#L1419,
> > so there can be only one waiter.
> > Thanks,
> > Suren.
>
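A userspace model of the lifetime ordering discussed in the message above, added here as an illustration; it is not kernel code and not part of this thread. The struct and function names mirror the kernel ones (wait_queue_head, eppoll_entry, ep_poll_callback, ep_remove_wait_queue, wake_up_pollfree), but the bodies are simplified models: a freed waitqueue head is represented by an `alive` flag instead of really freeing memory, and the RCU and acquire/release handling that the real ep_poll_callback() and ep_remove_wait_queue() use around the `whead` pointer is left out. It shows why swapping wake_up_interruptible() for wake_up_pollfree() in psi_trigger_destroy() closes the gap: POLLFREE makes epoll's callback unlink its entry and drop its pointer to the head, so the later ep_remove_wait_queue() run from ep_free() has nothing left to touch. As in the thread, there is a single waiter on the head.

```c
/* Userspace model of the epoll / psi trigger lifetime race (added example,
 * not kernel code). Names follow the kernel, bodies are simplified. */
#include <stddef.h>
#include <stdio.h>

#define POLLFREE 0x4000u   /* same bit value the kernel uses for POLLFREE */

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

struct wait_queue_entry;
typedef int (*wait_func_t)(struct wait_queue_entry *w, unsigned int flags);
struct wait_queue_entry { wait_func_t func; struct list_head entry; };

/* Modelled wait_queue_head: 'alive' stands in for "memory not yet freed". */
struct wait_queue_head { struct list_head head; int alive; };

/* Modelled eppoll_entry (pwq): epoll's record of which head its entry is on. */
struct eppoll_entry { struct wait_queue_entry wait; struct wait_queue_head *whead; };

static int dead_head_accesses;   /* model of the UAF: touches of a freed head */

static void add_wait_queue(struct wait_queue_head *h, struct wait_queue_entry *w)
{
    list_add(&w->entry, &h->head);
}

static void remove_wait_queue(struct wait_queue_head *h, struct wait_queue_entry *w)
{
    if (!h->alive) { dead_head_accesses++; return; } /* real kernel: UAF here */
    list_del_init(&w->entry);
}

/* Walk the waiters and invoke their callbacks; the callback may unlink. */
static void do_wake_up(struct wait_queue_head *h, unsigned int flags)
{
    struct list_head *pos, *n;
    for (pos = h->head.next; pos != &h->head; pos = n) {
        struct wait_queue_entry *w =
            (struct wait_queue_entry *)((char *)pos - offsetof(struct wait_queue_entry, entry));
        n = pos->next;            /* save next before the callback unlinks pos */
        w->func(w, flags);
    }
}
static void wake_up_interruptible(struct wait_queue_head *h) { do_wake_up(h, 0); }
static void wake_up_pollfree(struct wait_queue_head *h)      { do_wake_up(h, POLLFREE); }

/* Modelled ep_poll_callback: on POLLFREE, unlink and forget the head. */
static int ep_poll_callback(struct wait_queue_entry *w, unsigned int flags)
{
    struct eppoll_entry *pwq = (struct eppoll_entry *)w;  /* wait is first member */
    if (flags & POLLFREE) {
        list_del_init(&w->entry);
        pwq->whead = NULL;
    }
    return 0;
}

/* Modelled ep_remove_wait_queue: only touch the head if still recorded. */
static void ep_remove_wait_queue(struct eppoll_entry *pwq)
{
    if (pwq->whead)
        remove_wait_queue(pwq->whead, &pwq->wait);
}

/* The sequence from the thread: epoll registers on the trigger's head, rmdir
 * destroys the trigger (one of the two wake-up variants, then the free), and
 * the last fput() later reaches ep_free -> ep_remove_wait_queue.
 * Returns how many times the already-dead head was accessed. */
static int run_sequence(int use_pollfree)
{
    struct wait_queue_head head;
    struct eppoll_entry pwq;

    list_init(&head.head); head.alive = 1;
    pwq.wait.func = ep_poll_callback; list_init(&pwq.wait.entry); pwq.whead = &head;
    dead_head_accesses = 0;

    add_wait_queue(&head, &pwq.wait);     /* epoll_ctl(ADD) on the pressure file */

    /* rmdir: cgroup_file_release -> cgroup_pressure_release -> psi_trigger_destroy */
    if (use_pollfree) wake_up_pollfree(&head);
    else              wake_up_interruptible(&head);
    head.alive = 0;                       /* trigger (and its head) is freed */

    ep_remove_wait_queue(&pwq);           /* later: last fput() -> ep_free */
    return dead_head_accesses;
}

int main(void)
{
    printf("wake_up_interruptible() before free: %d dead-head access(es)\n", run_sequence(0));
    printf("wake_up_pollfree() before free:      %d dead-head access(es)\n", run_sequence(1));
    return 0;
}
```

The buggy ordering reports one access to the dead head (the remove_wait_queue() in the fput path), the pollfree ordering reports none. The real ep_remove_wait_queue() reads `whead` under rcu_read_lock() with acquire semantics and the callback clears it with release semantics, which is what makes the same hand-off safe against a concurrent ep_free(); the model keeps only the ordering argument.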