Date: Thu, 19 Jan 2023 17:25:53 -0500
From: Johannes Weiner
To: Suren Baghdasaryan
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hdanton@sina.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com
Subject: Re: another use-after-free in ep_remove_wait_queue()
References: <20230113022555.2467724-1-kamatam@amazon.com>

On Thu, Jan 19, 2023 at 01:01:42PM -0800, Suren Baghdasaryan wrote:
> I spent some more time digging into the details and this is what's
> happening. When we call rmdir to delete the cgroup with the pressure
> file being epoll'ed, roughly the following call chain happens in the
> context of the shell process:
>
> do_rmdir
>   cgroup_rmdir
>     kernfs_drain_open_files
>       cgroup_file_release
>         cgroup_pressure_release
>           psi_trigger_destroy
>
> Later on in the context of our reproducer, the last fput() is called
> causing wait queue removal:
>
> fput
>   ep_eventpoll_release
>     ep_free
>       ep_remove_wait_queue
>         remove_wait_queue
>
> By this time psi_trigger_destroy() already destroyed the trigger's
> waitqueue head and we hit UAF.
> I think the conceptual problem here (or maybe that's by design?) is
> that cgroup_file_release() is not really tied to the file's real
> lifetime (when the last fput() is issued). Otherwise fput() would call
> eventpoll_release() before f_op->release() and the order would be fine
> (we would remove the wait queue first in eventpoll_release() and then
> f_op->release() would cause trigger's destruction).
> Considering these findings, I think we can use the wake_up_pollfree()
> without contradicting the comment at
> https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253
> because indeed, cgroup_file_release() and therefore
> psi_trigger_destroy() are not tied to the file's lifetime.
>
> I'm CC'ing Tejun to check if this makes sense to him and
> cgroup_file_release() is working as expected in this case.
>
> Munehisa, if Tejun confirms this is all valid, could you please post
> a patch replacing wake_up_interruptible() with wake_up_pollfree()? We
> don't need to worry about wake_up_all() because we have a limitation
> of one trigger per file descriptor:

Solid analysis! Indeed, wake_up_pollfree() should fix it.
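The two call chains in the analysis above, replayed in a small userspace C model. This is an added example, not kernel code and not the patch being requested: the trigger owns the wait queue head and is destroyed on rmdir, while epoll's wait entry survives until the last fput(). Type and function names mirror the kernel ones they stand in for, but the bodies are simplified; wake_up_all_flags, ep_register and run_scenario are the example's own names, and freeing the trigger is modelled by poisoning its head so the use-after-free is reported as a return value instead of a crash. run_scenario(false) plays the wake_up_interruptible() path, run_scenario(true) the wake_up_pollfree() path.

```c
/* Userspace model (added example, not kernel code) of the lifetime mismatch in
 * the analysis above. Function and type names mirror the kernel ones they stand
 * in for; bodies are simplified. Freeing the trigger is modelled by poisoning
 * its wait head, so a use-after-free is reported as a return value, not a crash. */
#include <stdbool.h>
#include <stddef.h>

#define POLLFREE 0x4000u   /* flag value only; stands in for the kernel's POLLFREE */

struct wait_head {
    struct wait_entry *first;  /* singly linked list of registered waiters */
    bool freed;                /* poison bit: set once the owner is destroyed */
};

struct wait_entry {
    struct wait_entry *next;
    struct wait_head *whead;   /* head we are linked on; NULL once unlinked */
    void (*func)(struct wait_entry *w, unsigned int flags);
};

struct psi_trigger { struct wait_head event_wait; };  /* owns the head */
struct eppoll_entry { struct wait_entry wait; };      /* epoll's registration */

static void add_wait_queue(struct wait_head *head, struct wait_entry *w)
{
    w->next = head->first;
    w->whead = head;
    head->first = w;
}

/* Returns 1 if it dereferenced a destroyed head (the UAF), 0 otherwise. */
static int remove_wait_queue(struct wait_head *head, struct wait_entry *w)
{
    if (head->freed)
        return 1;
    for (struct wait_entry **pp = &head->first; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; break; }
    w->next = NULL;
    w->whead = NULL;
    return 0;
}

/* Stand-in for __wake_up() (example's own name): call every waiter; a callback
 * may unlink itself, so the next pointer is saved before the call. */
static void wake_up_all_flags(struct wait_head *head, unsigned int flags)
{
    for (struct wait_entry *w = head->first, *next; w; w = next) {
        next = w->next;
        w->func(w, flags);
    }
}

/* Stand-in for ep_poll_callback(): on POLLFREE, unlink now and forget the head
 * so the later ep_remove_wait_queue() has nothing to touch. An ordinary wakeup
 * (wake_up_interruptible) leaves the entry linked, as in the kernel. */
static void ep_poll_callback(struct wait_entry *w, unsigned int flags)
{
    if (flags & POLLFREE)
        remove_wait_queue(w->whead, w);
}

/* Stand-in for ep_ptable_queue_proc(): epoll_ctl(EPOLL_CTL_ADD) on the file. */
static void ep_register(struct eppoll_entry *epe, struct psi_trigger *t)
{
    epe->wait.func = ep_poll_callback;
    add_wait_queue(&t->event_wait, &epe->wait);
}

/* Stand-in for psi_trigger_destroy(), reached from cgroup_rmdir() through
 * cgroup_file_release(), independent of the epoll file's own refcount. */
static void psi_trigger_destroy(struct psi_trigger *t, bool use_pollfree)
{
    wake_up_all_flags(&t->event_wait, use_pollfree ? POLLFREE : 0u);
    t->event_wait.freed = true;   /* the kfree() of the trigger */
}

/* Stand-in for ep_remove_wait_queue(), reached from the last fput() through
 * ep_free(). Returns 1 if it dereferenced the destroyed head. */
static int ep_remove_wait_queue(struct eppoll_entry *epe)
{
    struct wait_head *whead = epe->wait.whead;
    if (!whead)   /* POLLFREE already unlinked this entry */
        return 0;
    return remove_wait_queue(whead, &epe->wait);
}

/* Replays the two call chains from the analysis in the order that bites:
 * rmdir of the cgroup first, last close of the epoll fd second.
 * Returns 1 if epoll teardown touched the freed trigger, 0 if it was safe. */
int run_scenario(bool use_pollfree)
{
    struct psi_trigger t = { .event_wait = { .first = NULL, .freed = false } };
    struct eppoll_entry epe;

    ep_register(&epe, &t);                  /* epoll_ctl(EPOLL_CTL_ADD) */
    psi_trigger_destroy(&t, use_pollfree);  /* rmdir of the cgroup */
    return ep_remove_wait_queue(&epe);      /* close(epfd) -> last fput() */
}
```

The NULL check on whead in ep_remove_wait_queue is the half of the protocol that makes wake_up_pollfree() work: the POLLFREE wakeup is only safe because the poller's callback both unlinks the entry and clears its back-pointer, so the later teardown never reaches for the head. A wake_up_interruptible() in the destructor wakes the waiter but leaves the entry linked, which is exactly the dangling pointer the reproducer trips over.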