Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4014987ybl; Mon, 3 Feb 2020 10:53:18 -0800 (PST) X-Google-Smtp-Source: APXvYqxKJsyMql8dpRbfOgV4Y4NJ39a5IKbNGEkTN73o4c9K83DWLklKUxdfxpWUFph6WxTNg6SO X-Received: by 2002:a05:6830:1bda:: with SMTP id v26mr18203988ota.314.1580755998626; Mon, 03 Feb 2020 10:53:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580755998; cv=none; d=google.com; s=arc-20160816; b=VdgvXvEk1HzCdO1ojXcdoO2V7+lMv+XH3K0SkQfRex43kxADzP06qSyToq70kAvhsL buvboAh7Ug40Y+ts+6nvYceJm4G1aFRVHsoklwW1Bdp7WxYwmoe2PKvm17q+z91FxRaX jUYrX7SXKbU5ZJh4Sp8kVAjMrCCbmeqfToVtcm6dL94oiOCheYbeoRukaEOLBcYfrHb+ 433nLT33st1YUhzPfVnYDy9pDPKratPS8IyfIqsEZiPkTfhNZSpeJPP0n6tUAIGdYr5w lJERMBdQztNf1vTmnn6AQYi0r9aF1G8A061RKbgUnoE8yCrw+jGlzwgKniIPkRTZWvyg dMqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ig7imo1hRimnDuKzrKrZvkJigN6+3fze3wTZufTbajE=; b=b7TywdmiaEXm089BZOZxyG/wGjuYl3rVWPALR1vtZJTEfHkXvKk1D2w1tJztceGPG/ pgmckWbl6vpzWQa98IZTzi83QQKITpK76gbSjLUKsPIyWufGIBvFkI+Pbqr6gbpA0jgX obM3P/8Rb9Z2WURkFt8gBh/9dyRtZg/e2jb6avM2lanfEi1+oKTuQmv1AWC0v4dz+Cly i8KcFyyBzxzRmg8+px0r6lvPAWFrVCjhSCPmZh9SyZxKwdRi7QganDSQr9xbfzrd9HrK efnpYPCZtrHeeP8ZEkY6W8xo9CTcBPib433bkOi0n9SQI/toDk58I5r9a1SLK+JIw2mA 6RFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Rgho43Yu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n186si8369047oig.191.2020.02.03.10.53.07; Mon, 03 Feb 2020 10:53:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Rgho43Yu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731560AbgBCQlx (ORCPT + 99 others); Mon, 3 Feb 2020 11:41:53 -0500 Received: from mail.kernel.org ([198.145.29.99]:48666 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730772AbgBCQeV (ORCPT ); Mon, 3 Feb 2020 11:34:21 -0500 Received: from localhost (unknown [104.132.45.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1622D21927; Mon, 3 Feb 2020 16:34:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580747660; bh=QRu/AKVn0AAOHfG/bix1Ht8U43k9W/oQjtS6X83Z7s0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Rgho43YuSWMmIji90JmtVAhW0yiyfSG/ii24kwE4DQSjlZafBh0ZZA+wwmRaYfbQG 7R2PCtcOX3BfN7VEC9rRjl15AmmfUQazZwjgfla3jvcZVYZdiRu6RykXFWPmY20hnp CEt7tx0LqLRuLNoa2tZXWwi51a0lgpPVofFWFvWs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Reinette Chatre , Xiaochen Shen , Borislav Petkov , Tony Luck , Thomas Gleixner , Sasha Levin Subject: [PATCH 5.4 05/90] x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup Date: Mon, 3 Feb 2020 16:19:08 +0000 Message-Id: <20200203161918.304723675@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200203161917.612554987@linuxfoundation.org> References: <20200203161917.612554987@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiaochen Shen [ Upstream commit 074fadee59ee7a9d2b216e9854bd4efb5dad679f ] There is a race condition in the following scenario which results in an use-after-free issue when reading a monitoring file and deleting the parent ctrl_mon group concurrently: Thread 1 calls atomic_inc() to take refcount of rdtgrp and then calls kernfs_break_active_protection() to drop the active reference of kernfs node in rdtgroup_kn_lock_live(). In Thread 2, kernfs_remove() is a blocking routine. It waits on all sub kernfs nodes to drop the active reference when removing all subtree kernfs nodes recursively. Thread 2 could block on kernfs_remove() until Thread 1 calls kernfs_break_active_protection(). Only after kernfs_remove() completes the refcount of rdtgrp could be trusted. Before Thread 1 calls atomic_inc() and kernfs_break_active_protection(), Thread 2 could call kfree() when the refcount of rdtgrp (sentry) is 0 instead of 1 due to the race. In Thread 1, in rdtgroup_kn_unlock(), referring to earlier rdtgrp memory (rdtgrp->waitcount) which was already freed in Thread 2 results in use-after-free issue. Thread 1 (rdtgroup_mondata_show) Thread 2 (rdtgroup_rmdir) -------------------------------- ------------------------- rdtgroup_kn_lock_live /* * kn active protection until * kernfs_break_active_protection(kn) */ rdtgrp = kernfs_to_rdtgroup(kn) rdtgroup_kn_lock_live atomic_inc(&rdtgrp->waitcount) mutex_lock rdtgroup_rmdir_ctrl free_all_child_rdtgrp /* * sentry->waitcount should be 1 * but is 0 now due to the race. */ kfree(sentry)*[1] /* * Only after kernfs_remove() * completes, the refcount of * rdtgrp could be trusted. */ atomic_inc(&rdtgrp->waitcount) /* kn->active-- */ kernfs_break_active_protection(kn) rdtgroup_ctrl_remove rdtgrp->flags = RDT_DELETED /* * Blocking routine, wait for * all sub kernfs nodes to drop * active reference in * kernfs_break_active_protection. */ kernfs_remove(rdtgrp->kn) rdtgroup_kn_unlock mutex_unlock atomic_dec_and_test( &rdtgrp->waitcount) && (flags & RDT_DELETED) kernfs_unbreak_active_protection(kn) kfree(rdtgrp) mutex_lock mon_event_read rdtgroup_kn_unlock mutex_unlock /* * Use-after-free: refer to earlier rdtgrp * memory which was freed in [1]. */ atomic_dec_and_test(&rdtgrp->waitcount) && (flags & RDT_DELETED) /* kn->active++ */ kernfs_unbreak_active_protection(kn) kfree(rdtgrp) Fix it by moving free_all_child_rdtgrp() to after kernfs_remove() in rdtgroup_rmdir_ctrl() to ensure it has the accurate refcount of rdtgrp. Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") Suggested-by: Reinette Chatre Signed-off-by: Xiaochen Shen Signed-off-by: Borislav Petkov Reviewed-by: Reinette Chatre Reviewed-by: Tony Luck Acked-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1578500886-21771-3-git-send-email-xiaochen.shen@intel.com Signed-off-by: Sasha Levin --- arch/x86/kernel/cpu/resctrl/rdtgroup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c index c7564294a12a8..954fd048ad9bd 100644 --- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c +++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c @@ -2960,13 +2960,13 @@ static int rdtgroup_rmdir_ctrl(struct kernfs_node *kn, struct rdtgroup *rdtgrp, closid_free(rdtgrp->closid); free_rmid(rdtgrp->mon.rmid); + rdtgroup_ctrl_remove(kn, rdtgrp); + /* * Free all the child monitor group rmids. */ free_all_child_rdtgrp(rdtgrp); - rdtgroup_ctrl_remove(kn, rdtgrp); - return 0; } -- 2.20.1