Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp620848pxa; Tue, 4 Aug 2020 13:46:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyzcqDTVgyhYyaVj/NtHvvYqM4ItjBd1niI+QqM7Lo2yE8jOuncQ21KAgLj/ykUW9qtjUHd X-Received: by 2002:a50:e047:: with SMTP id g7mr21695316edl.290.1596573975862; Tue, 04 Aug 2020 13:46:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596573975; cv=none; d=google.com; s=arc-20160816; b=QoP+JaS3hW+zGNkD5QjpDM40OXOlAXFDwbbimme6zqo5fH99Zjt6tZztpTWRFy7PJo Y3gCOQA+C8Ptv7XlShAfoNQhYvgVPxWtWcxRglrjn7rFDUAZpNnB7CWJEmokoOxjzRP6 giE5rMvvFudzGBza3ebTHpwWyBgUBhmgkID+cidm5z7c9q+GMFAwTE96YrHgSd3hC9z7 y3NnvgGF1m1HMAcpNZoBuGP6RBMGOORNCGybsJgekl8mb/nerOCPoyIqzGBbNRvm/Or/ D7b2cWOgn1AbDnjW9pGGyB6obnmTf+ylrWHLELWGg30Cjyr2H2sOgVGqsnuG3ew0aIpq IE5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Gqy/vdwaD/eVrbJD5BV3hcpMQsmfgCd4z57v0E/ZYGo=; b=hjlMcYvBjSiKnn+mgcKyMIi0NhbbJl9AVeDLjAq2tX/TTSKnI2cFYlS7jYjplQh5SR I2SYRQYZm2Oe5f27VYczEPrrMx2/LAWvH7F2qxP70kID26ZhE01qCXaBrUv5W3msIKhj KRK4n4Gy/tm67H86QM6NyfpxwKzp0XgHo0ZSqMe9yiRvwTcaoAU38vj98Kg9/3Vk+/Oo 3SeZaVMdKmqU0UvXTyZmCAPk4vuu0VAD5MW9RDF2B/y7U5x7GpIC+ze3jlbB1ZKIyvH4 Om4rVKdP5adKNioYk1f6zdTyCxANlKT/venf1YVEh0HhIs8ZEmaraeTxkgIYmkJq+7nq +vWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=k2RYgdBK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l16si12852030edw.172.2020.08.04.13.45.53; Tue, 04 Aug 2020 13:46:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=k2RYgdBK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727103AbgHDUpq (ORCPT + 99 others); Tue, 4 Aug 2020 16:45:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:36342 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726545AbgHDUpp (ORCPT ); Tue, 4 Aug 2020 16:45:45 -0400 Received: from gmail.com (unknown [104.132.1.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 10B7920842; Tue, 4 Aug 2020 20:45:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1596573945; bh=IsGGbZDqwVSdrx08mN8MiNfmLHPAXTc8CpjLyRYm0PY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=k2RYgdBKRUZvYgyXaVkxI8tIV9M60Ul5vpeFSWkbA6mYNzNXbdFZe+/fRj/AcZNdn Oc+boojGMwh1YfBWUsY2MnjY9quPxdG9/jl7c7lhkNXKUyVtVMayworct1WUEyMmVK vXEszlOdY79qUbEtjI3wfBf7j1/A5vn32NCZKPBY= Date: Tue, 4 Aug 2020 13:45:43 -0700 From: Eric Biggers To: Lokesh Gidra Cc: viro@zeniv.linux.org.uk, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, jmorris@namei.org, kaleshsingh@google.com, dancol@dancol.org, surenb@google.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, nnk@google.com, jeffv@google.com, calin@google.com, kernel-team@android.com, yanfei.xu@windriver.com, syzbot+75867c44841cb6373570@syzkaller.appspotmail.com Subject: Re: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC Message-ID: <20200804204543.GA1992048@gmail.com> References: <20200804203155.2181099-1-lokeshgidra@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200804203155.2181099-1-lokeshgidra@google.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 04, 2020 at 01:31:55PM -0700, Lokesh Gidra wrote: > when get_unused_fd_flags returns error, ctx will be freed by > userfaultfd's release function, which is indirectly called by fput(). > Also, if anon_inode_getfile_secure() returns an error, then > userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx. > > Also, the O_CLOEXEC was inadvertently added to the call to > get_unused_fd_flags() [1]. > > Adding Al Viro's suggested-by, based on [2]. > > [1] https://lore.kernel.org/lkml/1f69c0ab-5791-974f-8bc0-3997ab1d61ea@dancol.org/ > [2] https://lore.kernel.org/lkml/20200719165746.GJ2786714@ZenIV.linux.org.uk/ > > Fixes: d08ac70b1e0d (Wire UFFD up to SELinux) > Suggested-by: Al Viro > Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com > Signed-off-by: Lokesh Gidra What branch does this patch apply to? Neither mainline nor linux-next works. - Eric