From: Marco Elver <elver@google.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Andrey Konovalov <andreyknvl@gmail.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
linux-mm@kvack.org, kasan-dev@googlegroups.com,
Andi Kleen <ak@linux.intel.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 2/2] stackdepot: make fast paths lock-less again
Date: Sat, 24 Feb 2024 19:03:44 +0100 [thread overview]
Message-ID: <CANpmjNMY8_Qbh+QS3jR8JBG6QM6mc2rhNUhBtt2ssHNBLT1ttg@mail.gmail.com> (raw)
In-Reply-To: <a1f0ebe6-5199-4c6c-97cb-938327856efe@I-love.SAKURA.ne.jp>
On Sat, 24 Feb 2024 at 12:38, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> Hello, stackdepot developers.
>
> I suspect that commit 4434a56ec209 ("stackdepot: make fast paths
> lock-less again") is not safe, for
> https://syzkaller.appspot.com/x/error.txt?x=1409f29a180000 is reporting
> UAF at list_del() below from stack_depot_save_flags().
>
> ----------
> + /*
> + * We maintain the invariant that the elements in front are least
> + * recently used, and are therefore more likely to be associated with an
> + * RCU grace period in the past. Consequently it is sufficient to only
> + * check the first entry.
> + */
> + stack = list_first_entry(&free_stacks, struct stack_record, free_list);
> + if (stack->size && !poll_state_synchronize_rcu(stack->rcu_state))
> + return NULL;
> +
> + list_del(&stack->free_list);
> + counters[DEPOT_COUNTER_FREELIST_SIZE]--;
> ----------
>
> Commit 4434a56ec209 says that race is handled by refcount_inc_not_zero(), but
> refcount_inc_not_zero() is called only if STACK_DEPOT_FLAG_GET is specified.
Correct. Because it is invalid stackdepot usage to have unbalanced GET
and stack_depot_put().
> ----------
> + list_for_each_entry_rcu(stack, bucket, hash_list) {
> + if (stack->hash != hash || stack->size != size)
> + continue;
>
> - lockdep_assert_held(&pool_rwlock);
> + /*
> + * This may race with depot_free_stack() accessing the freelist
> + * management state unioned with @entries. The refcount is zero
> + * in that case and the below refcount_inc_not_zero() will fail.
> + */
> + if (data_race(stackdepot_memcmp(entries, stack->entries, size)))
> + continue;
>
> - list_for_each(pos, bucket) {
> - found = list_entry(pos, struct stack_record, list);
> - if (found->hash == hash &&
> - found->size == size &&
> - !stackdepot_memcmp(entries, found->entries, size))
> - return found;
> + /*
> + * Try to increment refcount. If this succeeds, the stack record
> + * is valid and has not yet been freed.
> + *
> + * If STACK_DEPOT_FLAG_GET is not used, it is undefined behavior
> + * to then call stack_depot_put() later, and we can assume that
> + * a stack record is never placed back on the freelist.
> + */
> + if ((flags & STACK_DEPOT_FLAG_GET) && !refcount_inc_not_zero(&stack->count))
> + continue;
> +
> + ret = stack;
> + break;
> }
> ----------
>
> I worried that if we race when STACK_DEPOT_FLAG_GET is not specified,
> depot_alloc_stack() by error overwrites stack->free_list via memcpy(stack->entries, ...),
> and invalid memory access happens when stack->free_list.next is read.
> Therefore, I tried https://syzkaller.appspot.com/text?tag=Patch&x=17a12a30180000
> but did not help ( https://syzkaller.appspot.com/x/error.txt?x=1423a4ac180000 ).
>
> Therefore, I started to suspect how stack_depot_save() (which does not set
> STACK_DEPOT_FLAG_GET) can be safe. Don't all callers need to set STACK_DEPOT_FLAG_GET
> when calling stack_depot_save_flags() and need to call stack_depot_put() ?
stackdepot users who do not use STACK_DEPOT_FLAG_GET must never call
stack_depot_put() on such entries.
Violation of this contract will lead to UAF errors.
From the report I see this is a KMSAN error. There is a high chance
this is a false positive. Have you tried it with this patch:
https://lore.kernel.org/all/20240124173134.1165747-1-glider@google.com/T/#u
next prev parent reply other threads:[~2024-02-24 18:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-18 11:01 [PATCH 1/2] stackdepot: add stats counters exported via debugfs Marco Elver
2024-01-18 11:01 ` [PATCH 2/2] stackdepot: make fast paths lock-less again Marco Elver
2024-02-24 11:38 ` Tetsuo Handa
2024-02-24 18:03 ` Marco Elver [this message]
2024-02-26 9:22 ` Marco Elver
2024-02-26 9:50 ` Tetsuo Handa
2024-02-26 10:02 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANpmjNMY8_Qbh+QS3jR8JBG6QM6mc2rhNUhBtt2ssHNBLT1ttg@mail.gmail.com \
--to=elver@google.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-mm@kvack.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox