Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp2762913img; Sun, 24 Mar 2019 18:24:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqwPnTH0pw+3vluq/0ZnZas+72fVTdogUpj3TgnUwhQE5nTh4fnbuJCUqwncNWozqPkshU0t X-Received: by 2002:a63:9752:: with SMTP id d18mr21316738pgo.0.1553477088798; Sun, 24 Mar 2019 18:24:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553477088; cv=none; d=google.com; s=arc-20160816; b=lHA3Wx+u6dnKmCA9NT+mNlB8afJC+lVhig0nByvgeyTI8r0qDLQzb+JoX4/MPnYtBI hZHPv8U+QdXhw9srwlFchu46jv1nTXkEw7QnT+mZ/M7be1RecR1S22DgJlFRhnniE9Nv cY8qobs4YNV2SyAalq23k+ZB/SmlUWgxFR3PNxSF9iAdQJ6mSaP4AtgNiebolYZFHnT/ +uY8B2OOPx0NWBg/VhsA0YsyNxj8f1V8v/MZNszWyM8kl96BIgI2KoTvbye57HUtSPcM y/gNhqLiOwG5RmO17BEkE8yhfSr1c/eBv9GNzQj58h+MG882JuLoDMpko7o9iosrffL/ ft2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Wf9yYyFx5XQycNPtTrNCRc9C90M0oW6GSIu1pC1YItI=; b=mIQNmPF6Q+USzZoEo1KdhT22lMZlrxertJ2TtEhuRZSqNjznVi/Nu78/B3gmXGWWdR bxmNp+TkmlvkkeE6GxzbKrdgLmqGa1sOrQhfRhA1MQ8Q+AkH08UUYhVWIj+VcSzEBvwQ YWHykSocEIhk9Hm+AXeDFKW5V6G14POk9Pee1g5PH86x8njPVGpH5LU3HZFZZaQJqH32 +ePzbzeN0COVRDpZYpqFdOjhoI51+wNWEzhrHSRX/noP/bE9H8loWEgVQn/E89MwS6jp X1kZEvzbvhm7zMPXlI87KRgBmYS8z5UzsHgutDnyJuUT3qqpdki1n+h3NuQoOgF2bKpL tvsA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=e7jdEUyW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j11si12054496pfh.47.2019.03.24.18.24.33; Sun, 24 Mar 2019 18:24:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=e7jdEUyW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729198AbfCYBXq (ORCPT + 99 others); Sun, 24 Mar 2019 21:23:46 -0400 Received: from mail-lj1-f194.google.com ([209.85.208.194]:45299 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729127AbfCYBXp (ORCPT ); Sun, 24 Mar 2019 21:23:45 -0400 Received: by mail-lj1-f194.google.com with SMTP id y6so6284561ljd.12 for ; Sun, 24 Mar 2019 18:23:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Wf9yYyFx5XQycNPtTrNCRc9C90M0oW6GSIu1pC1YItI=; b=e7jdEUyW3sYQ481V5uCwd0nHFZrOLlPdAmWu2ViiO7nkllP8t8muZrXYkTqJzUTTJX EXfrZiDE/2CbKNS/1W1CU56XDBYV7+t0NaQJ6K02ZTiWYXa/JgAXwDv+5p2oSIBgzKfr 3HSdu1dDi/ZMK7h69Ghn4ZtJ37EaKRqtoYQ9M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Wf9yYyFx5XQycNPtTrNCRc9C90M0oW6GSIu1pC1YItI=; b=fLC40H6+zF5lNhxeOYqoWo+6H04L3I8gB4JGDPRUz3nBz86w6pEX2OapY5y58uLceO XV/eb5FcC4DCPcHz0l9eBFm4yyP/egxuIheZPaaK+IEXXhBarUTUBKfS6iKw2OpbxEMr mj2blcfnE8RbTCmq15vPV57eKhWReAgAqLXE6B/nocDdjlCsEP8Nv9rSuIBRKp8ZAzoH 7U3UkKcElr+4aU2S7ONHc30LMvCWzndB5zDv0jDyKEgfSzefZ8Zb+W2KTVjryPAARpkL WBoznoQ6UHYIKWPuKFL0AotCEuonloG70YEkO7zDvWGWm0imi1C4Oc3ejNiIhtEwzsEc w9Xw== X-Gm-Message-State: APjAAAWLrwRLGNV522aYjOIg4u8JOO0EVvJ73cwr74kUtzBu2S8eg1b+ EHVgr/6FNZwOLhdcNxN95BBL3hQLQeI= X-Received: by 2002:a2e:1510:: with SMTP id s16mr11481023ljd.62.1553477022453; Sun, 24 Mar 2019 18:23:42 -0700 (PDT) Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com. [209.85.208.177]) by smtp.gmail.com with ESMTPSA id t18sm3072356ljg.64.2019.03.24.18.23.40 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Mar 2019 18:23:41 -0700 (PDT) Received: by mail-lj1-f177.google.com with SMTP id h16so1821567ljg.11 for ; Sun, 24 Mar 2019 18:23:40 -0700 (PDT) X-Received: by 2002:a2e:22c4:: with SMTP id i187mr2863776lji.94.1553477020489; Sun, 24 Mar 2019 18:23:40 -0700 (PDT) MIME-Version: 1.0 References: <0000000000006946d2057bbd0eef@google.com> In-Reply-To: <0000000000006946d2057bbd0eef@google.com> From: Linus Torvalds Date: Sun, 24 Mar 2019 18:23:24 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: KASAN: use-after-free Read in path_lookupat To: syzbot , Alexei Starovoitov , Daniel Borkmann Cc: linux-fsdevel , Linux List Kernel Mailing , syzkaller-bugs , Al Viro Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hmm. Al, this one seems real and also seems pretty nasty from a vfs interface standpoint. On Wed, Nov 28, 2018 at 9:40 AM syzbot wrote: > > BUG: KASAN: use-after-free in lookup_last fs/namei.c:2269 [inline] > BUG: KASAN: use-after-free in path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318 > ... > lookup_last fs/namei.c:2269 [inline] > path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318 Ok, path lookup using RCU. > Allocated by task 9424: > kstrdup+0x39/0x70 mm/util.c:49 > bpf_symlink+0x26/0x140 kernel/bpf/inode.c:356 It's the symlink data for the bpf filesystem. Fair enough. > Freed by task 9425: > kfree+0xcf/0x230 mm/slab.c:3817 > bpf_evict_inode+0x11f/0x150 kernel/bpf/inode.c:565 > evict+0x4b9/0x980 fs/inode.c:558 > iput_final fs/inode.c:1550 [inline] > iput+0x674/0xa90 fs/inode.c:1576 > do_unlinkat+0x733/0xa30 fs/namei.c:4069 .. and the path lookup is racing with the final unlink. We actually RCU-delay the inode freeing itself, but when we do the final iput(), the "evict()" function is called synchronously. Now, the simple fix would seem to just RCU-delay the kfree() of the symlink data in bpf_evict_inode(). Maybe that's the right thing to do. I'd call it trivial, except you'd need to have that rcu head to attach it to, making it slightly less trivial. I guess the kmalloc could just malloc that too. But it does strike me that this might be a generic issue. I wonder how many other filesystems do this? Alexei, Daniel - the "proper" fix right is probably one of four cases: (a) rcu-delay the freeing, and use simple_symlink_inode_operations(). No set_delayed_call() needed, because it stays around for the inode lifetime, but the RCU-delaying is still needed for lookup. or (b) put the symlink in a page, and use page_symlink_inode_operations for that inode, where we have a "struct delayed_call" and get a page ref or (c) put the symlink in the inode itself, and then use that simple_symlink_inode_operations (and now the RCU-delaying of the inode protects it). of (d) make a special getlink() that does "copy symlink, set_delayed_call(done, kfree_link, copy)" but I do wonder if we should perhaps just make simple_symlink_inode_operations do that (d) case for people. Al, comments? At the very least, if we don't make simple_symlink_inode_operations() do that, we should have a *big* comment that if it's not part of the inode data, it needs to be RCU-delayed. Or maybe we could add a final inode callback function for "rcu_free" that is called as the RCU-delayed freeing of the inode itself happens? And then people could hook into that for freeing the inode->i_link data. So many choices.. But the current situation seems unnecessarily complex for the filesystem, and isn't really documented. Our documentation currently says for get_link(): "If the body won't go away until the inode is gone, nothing else is needed", which is wrong (or at least very misleading, since the last "inode is gone" callback we have is that evict() function). Linus