Date: Thu, 8 Dec 2022 15:36:34 +0100
From: Johannes Weiner
To: Tejun Heo
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn, Linus Torvalds, Michal Hocko, Roman Gushchin, Shakeel Butt, Muchun Song, cgroups@vger.kernel.org
Subject: Re: [PATCH for-6.1-fixes] memcg: Fix possible use-after-free in memcg_write_event_control()
On Wed, Dec 07, 2022 at 04:53:15PM -1000, Tejun Heo wrote:
> memcg_write_event_control() accesses the dentry->d_name of the specified
> control fd to route the write call. As a cgroup interface file can't be
> renamed, it's safe to access d_name as long as the specified file is a
> regular cgroup file. Also, as these cgroup interface files can't be removed
> before the directory, it's safe to access the parent too.
>
> Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call
> to __file_cft() which verified that the specified file is a regular cgroupfs
> file before further accesses. The cftype pointer returned from __file_cft()
> was no longer necessary and the commit inadvertently dropped the file type
> check with it, allowing any file to slip through. With the invariants broken,
> the d_name and parent accesses can now race against renames and removals of
> arbitrary files and cause use-after-free's.
>
> Fix the bug by resurrecting the file type check in __file_cft(). Now that
> cgroupfs is implemented through kernfs, checking the file operations needs
> to go through a layer of indirection. Instead, let's check the superblock
> and dentry type.
>
> Signed-off-by: Tejun Heo
> Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft")
> Cc: stable@vger.kernel.org # v3.14+
> Reported-by: Jann Horn
> Cc: Linus Torvalds

Acked-by: Johannes Weiner