Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3116468img; Mon, 25 Mar 2019 04:12:57 -0700 (PDT) X-Google-Smtp-Source: APXvYqwmnZORkOERZCS0jSOwgzR5eQ8QS+q841qYSp0ZOTh7N1pyNumIeQSDeGCdwAbFo3evFB3P X-Received: by 2002:a62:1c94:: with SMTP id c142mr24001705pfc.54.1553512377062; Mon, 25 Mar 2019 04:12:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553512377; cv=none; d=google.com; s=arc-20160816; b=Z51vDGNdcs9ON7Z562ukpdlh66ftjXegTdQ025TNp/9iZV7RlV+/HWhQyk0B+iRhD9 T9ftPyNvsmw/3A86KcHg1e5k0J3ClMXWSSPE8TnOPvsDsGx16X0Y2ToZAGt06DBpNW6U ONxcWELanVn/kQgVVJKGnKK+oTIeumh0+Ud1Ib3yyZoI91Ogxam+igGrLVFUfkJ3X9CF eHDFNKx+sI2q/saL4gEpQUIcNURvYkQT2z886XWt/FsyTfH+xlm5Aj3aWJtWtEFm8kfo s8gJ9ZUQkOqqt+q11QO45wOTu/P8oekB5442HxPoDhJGYQF+HvEKeTC5vsGhlUCDnb27 +mQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=WAm3uwM/LvjOvs2YGSkKG3WpzCs4+gbTa4xziz8UgT8=; b=CoIoxIBd9D9ciTuU8fv9V11AMvIcEnnff44yEk9VjXL5LgOi94AwrmV0Kry+g6HgV6 w8rwnbE1+PiYddEa9HpMMdPqwHjScV+tzTpsiHjm1WxOXfCCbqaW+wFUH4Ba0CC6ytmX 5vL6w4fcazwMyrVNMLlA+1KSaSw5svSNGPddrvTOp4ASUA8Ch+LpuQKBZ2t25+wtIkal BeaQ6kkvTB6esJQGZlTPwZeFa4SASZzczvDE5+eofb0pLbyfEeR6uMn4DxQKlsWWM4zU BfHhStoZh0ybY/8+u90MQQthRalnRy9m2ta58nLKIOGh/Yf+0e200ld+ifdeAeUz7j3T ADWw== ARC-Authentication-Results: i=1; mx.google.com; spf=temperror (google.com: error in processing during lookup of linux-kernel-owner@vger.kernel.org: DNS error) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org ([209.132.180.67]) by mx.google.com with ESMTP id p10si13505654plk.413.2019.03.25.04.12.41; Mon, 25 Mar 2019 04:12:57 -0700 (PDT) Received-SPF: temperror (google.com: error in processing during lookup of linux-kernel-owner@vger.kernel.org: DNS error) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=temperror (google.com: error in processing during lookup of linux-kernel-owner@vger.kernel.org: DNS error) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730882AbfCYLLb (ORCPT + 99 others); Mon, 25 Mar 2019 07:11:31 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:47840 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729727AbfCYLLb (ORCPT ); Mon, 25 Mar 2019 07:11:31 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux)) id 1h8NVj-00067u-SM; Mon, 25 Mar 2019 11:11:23 +0000 Date: Mon, 25 Mar 2019 11:11:23 +0000 From: Al Viro To: Daniel Borkmann Cc: Linus Torvalds , syzbot , Alexei Starovoitov , linux-fsdevel , Linux List Kernel Mailing , syzkaller-bugs Subject: Re: KASAN: use-after-free Read in path_lookupat Message-ID: <20190325111123.GM2217@ZenIV.linux.org.uk> References: <0000000000006946d2057bbd0eef@google.com> <20190325045744.GK2217@ZenIV.linux.org.uk> <717eaff9-1f49-28f3-bbb6-c8f14ebbe03b@iogearbox.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <717eaff9-1f49-28f3-bbb6-c8f14ebbe03b@iogearbox.net> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 25, 2019 at 10:15:40AM +0100, Daniel Borkmann wrote: > > So we have 5 broken cases, all with the same kind of fix: move freeing > > into the RCU-delayed part of ->destroy_inode(); for debugfs and bpf > > that requires adding ->alloc_inode()/->destroy_inode(), rather than > > relying upon the defaults from fs/inode.c > > I believe I copied that logic from one of the other fs'es back then, sigh. > Thanks for the analysis and hints for fixing. Would the below (only compile > tested for now) look reasonable to you? I believe there is no other way > around than to add our own inode cache, but so be it. The freeing of the > i_link is then RCU-deferred in bpf_destroy_inode_deferred(): It looks like it would suffice, but it's way too much boilerplate for my taste ;-/ Most of your headache here comes from messing with slab setup and the only reason for that is being unable to free stuff into inode_cachep. So grep for inode_cachep would be a good idea, and it digs up the following sucker: void free_inode_nonrcu(struct inode *inode) { kmem_cache_free(inode_cachep, inode); } EXPORT_SYMBOL(free_inode_nonrcu); IOW, you need nothing on ->alloc_inode() side and for ->destroy_inode() just do call_rcu() of a callback, that would kfree(inode->link) if it was a symlink, then call free_inode_nonrcu(inode). Considerably smaller patch that way...