Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp576155pxk; Wed, 16 Sep 2020 11:11:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwDnhsPes/q5vVvERCImN9Xx7zyuOrHz0E7YA10VHNFD0qQDwbd/RfQA7IHHYBfcin3HYMK X-Received: by 2002:a17:906:e103:: with SMTP id gj3mr26300986ejb.153.1600279902801; Wed, 16 Sep 2020 11:11:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600279902; cv=none; d=google.com; s=arc-20160816; b=AZ6wn8Vq5T9MvMbIuVJh2a7KG89VF9nRU300+fJtDsvxNNl8nuoN3NI1Go3LSWtKP5 eAhadBNHCgHMbs+BvsgLdhU5f13lzYj5nIH6kaABJDTEZN6DZcaxPh/v5/eOI/mAd51e u05JLLffwkCmHK9IQ8EmofSuNiI9/WGwF0xUup0x3xSXFSOiqjpuSGHuT4OC5l6dbPUp TkEfHKW9pbMOJwU8buria9eVAN+uQd9mC3+AqC21qYQHUlopSKsU7hpM9TZoJvTq9ORk UT4Uq91cXT6GGPuMEa7KhjLVSR3Fgs0dl5pBhvWBTOz4P3DQMRwgJpuCevsUsLTF6oSf IBbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=a5agFf1siRXinJ5YV6W+BponZG61lFw1RLtgF8Vvpbo=; b=bNVi9Jumw+mLnTPWDWKxFYycxo22OXj9bdFMoM9gr8vmByKVzXqJTTJRYbX5i9sC+k FpHXa/5OTr4QCNsb8SPm/rIapDnBdfDE8ASJW+h6NjvmCHtSBu0XdzL5/joE2mKKV0hc iiNHihOLa4Itu2zpP+YaBlwASh71z5JFEEZ8gVk4jq3vt/EiXHvawAJZZO3qpGDXEb20 c86mqUqT6pM5MKOr5/jwxp41VhajCElIWRhPPPXFCbulPOn7BD8Uu27LYFHnG/S1/qY6 yrD+a5UNKBf8RdownnlMMAQLH3fAZ3kECSorbotHwDszi33lAGGhGXLXiYyhoI5akWiS xlKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=SUxsvz78; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id da18si11688683edb.466.2020.09.16.11.11.19; Wed, 16 Sep 2020 11:11:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=SUxsvz78; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727329AbgIPR7y (ORCPT + 99 others); Wed, 16 Sep 2020 13:59:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727660AbgIPR6d (ORCPT ); Wed, 16 Sep 2020 13:58:33 -0400 Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51CCAC0073E0 for ; Wed, 16 Sep 2020 06:54:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=a5agFf1siRXinJ5YV6W+BponZG61lFw1RLtgF8Vvpbo=; b=SUxsvz78dRQgTh0/EhunUL12vG mUAZ7g2lDG3yghk0HrGEt2bBRSn9Vj2+kgz0eB0s0wgNU2D1zykJiIIEzNlYkMmOQfEu1TVY5TKuh YCmYIU1OsKoS1oR2CgAb7efXQxlh8wHcu1n7tMbhKKUW2jsb2xSgmteITZyKDVCLRqpP7RkwImsvo 4e66wSYpa9xrEn7gh4SWQ2H0vrwS2MDtw340Fbnv8/vvMHEcuW5d38gefWqM2kfiPcMgMT+omGVnr HsurVMWqi+TSZKQ14zOxNjMGrMGjtc+8rOcDwVNRnfWUYQxiKz89AoJn4t67e39/231/wMUb5KXFc iWpOAPrA==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1kIXss-0000MU-Od; Wed, 16 Sep 2020 13:54:06 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 0844B3011FE; Wed, 16 Sep 2020 15:54:03 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id EFD852B9285F7; Wed, 16 Sep 2020 15:54:02 +0200 (CEST) Date: Wed, 16 Sep 2020 15:54:02 +0200 From: peterz@infradead.org To: Jiri Olsa Cc: Namhyung Kim , Jiri Olsa , Arnaldo Carvalho de Melo , lkml , Ingo Molnar , Alexander Shishkin , Wade Mealing Subject: Re: [PATCHv2] perf: Fix race in perf_mmap_close function Message-ID: <20200916135402.GZ1362448@hirez.programming.kicks-ass.net> References: <20200910104153.1672460-1-jolsa@kernel.org> <20200910144744.GA1663813@krava> <20200911074931.GA1714160@krava> <20200914205936.GD1714160@krava> <20200916115311.GE2301783@krava> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200916115311.GE2301783@krava> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 16, 2020 at 01:53:11PM +0200, Jiri Olsa wrote: > There's a possible race in perf_mmap_close when checking ring buffer's > mmap_count refcount value. The problem is that the mmap_count check is > not atomic because we call atomic_dec and atomic_read separately. > > perf_mmap_close: > ... > atomic_dec(&rb->mmap_count); > ... > if (atomic_read(&rb->mmap_count)) > goto out_put; > > > free_uid > > out_put: > ring_buffer_put(rb); /* could be last */ > > The race can happen when we have two (or more) events sharing same ring > buffer and they go through atomic_dec and then they both see 0 as refcount > value later in atomic_read. Then both will go on and execute code which > is meant to be run just once. > > The code that detaches ring buffer is probably fine to be executed more > than once, but the problem is in calling free_uid, which will later on > demonstrate in related crashes and refcount warnings, like: > > refcount_t: addition on 0; use-after-free. > ... > RIP: 0010:refcount_warn_saturate+0x6d/0xf > ... > Call Trace: > prepare_creds+0x190/0x1e0 > copy_creds+0x35/0x172 > copy_process+0x471/0x1a80 > _do_fork+0x83/0x3a0 > __do_sys_wait4+0x83/0x90 > __do_sys_clone+0x85/0xa0 > do_syscall_64+0x5b/0x1e0 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > Using atomic decrease and check instead of separated calls. > This fixes CVE-2020-14351. I'm tempted to remove that line; I can never seem to find anything useful in a CVE. Fixes: ? > Acked-by: Namhyung Kim > Tested-by: Michael Petlan > Signed-off-by: Jiri Olsa