Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp241332imn; Wed, 3 Aug 2022 01:48:19 -0700 (PDT) X-Google-Smtp-Source: AA6agR6LegKAK6aMcGymuLbvYJOY+ZXCIwxCL1NXAmIp+TEkg5B9UkFFAn7DZdXsoNn/9CkEm3nJ X-Received: by 2002:a50:fc85:0:b0:43d:2284:1ea5 with SMTP id f5-20020a50fc85000000b0043d22841ea5mr23364246edq.105.1659516499609; Wed, 03 Aug 2022 01:48:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1659516499; cv=pass; d=google.com; s=arc-20160816; b=XeU2sYsfoZtnNkTD5BSeCnM/2kP/gHkiE72GTBOe15c1aXIogZMrJBO3nfnK2rN+T8 kQRhbh5mEt7a+iMuKXSuXbwY2LxKjVbtOeXZzF5hzfkDo2xB8yT5DrS0iQAc21Fu1P9x UhvELonO6fY+YjqN50qB3Rt8EPeL2vWXrheD3+UqPobrZzbPJst2SeoL3t+OF+8wqVAA r2DsxJ6rkCDhLQ5RsZjp7rL/CPE5v458CfNerubE3jjzgbJQVj91k0wVtM/bAyaXNqzz jui+PqxxLkzijcst6xxq5OMgcCGCeqTZuTSOLySRckbmXu1OlFE5S27kuv/LAG+QFME/ /cuw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:importance:content-transfer-encoding :mime-version:subject:references:in-reply-to:message-id:cc:to:from :date:dkim-signature; bh=+HJj+JToUolbtOl3JgpsAZUz1406bfNqHiQh4CFyvjY=; b=XPzp73Fln6KCpMZ7/6tbXYdoOyiIiwnri4wSS/v2NEVZ/MVftv0c946zHd+z06J4vd 5ZnO9rf4TaALa1L+fSEM4XTV1QKJOO3xMHuYis9AxCK0cJkEhcUzIp9QogyuSSxUDOcK 7OBLGMMP85FiS1sg5EMTgai2mguhu+v0n+ICfoBknJIQNnjWf0auem3oJr14wDG7IJ5a Px2uC31lZgVPvGJ7gu8ub3NAH9VZxE/GZfzZlyi9QXZ1y6pDpBNyNBMUa9OwkFOtHZoM rF5xOCwysr563yoBezoMJBc7nzyfo+ykGVSiW4J22iCEmo6RH18izURirv9JFOCHW3H8 aJ0A== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@siddh.me header.s=zmail header.b=aFDqL25Q; arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me dmarc=pass fromdomain=siddh.me>); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siddh.me Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mf23-20020a170906cb9700b0072e6774827asi13431418ejb.915.2022.08.03.01.47.55; Wed, 03 Aug 2022 01:48:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@siddh.me header.s=zmail header.b=aFDqL25Q; arc=pass (i=1 spf=pass spfdomain=siddh.me dkim=pass dkdomain=siddh.me dmarc=pass fromdomain=siddh.me>); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siddh.me Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235540AbiHCIkw (ORCPT + 99 others); Wed, 3 Aug 2022 04:40:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42700 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231709AbiHCIku (ORCPT ); Wed, 3 Aug 2022 04:40:50 -0400 Received: from sender-of-o53.zoho.in (sender-of-o53.zoho.in [103.117.158.53]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB127AE6C; Wed, 3 Aug 2022 01:40:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659516018; cv=none; d=zohomail.in; s=zohoarc; b=EuKLCRaI1LyNZ1ZUVDVeBdcNyp8QVEhNaYtYxPfBAuP4rBplyn9n37+xUVc4YPuoZ9+3ZQecw1rWGF5dCAjpi2aYvUV6PZ4FVEevsX3kSpSxasu/WQ+RT65Yp+b36IjiTTVPXTpcOgv8+sipwZ2AF7tMnUi1prsr/p7DVTMWGYc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.in; s=zohoarc; t=1659516018; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=+HJj+JToUolbtOl3JgpsAZUz1406bfNqHiQh4CFyvjY=; b=RnTpx+dsjfOsWOBbQzNq/kOZTfh4EhPprWn3mQnqXJhMF2XCFBs0mh4AdXs46kTUec7TELlagFRQQwY+Vyq95352OC7u8YTtoxfUazB1WxqPt+ak6SCWtxhvSQ+OoR2OOVELbowoWo3Ji+2stMkYB26p8/dd8e//WBNu6617XpA= ARC-Authentication-Results: i=1; mx.zohomail.in; dkim=pass header.i=siddh.me; spf=pass smtp.mailfrom=code@siddh.me; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1659516018; s=zmail; d=siddh.me; i=code@siddh.me; h=Date:Date:From:From:To:To:Cc:Cc:Message-ID:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-Id:Reply-To; bh=+HJj+JToUolbtOl3JgpsAZUz1406bfNqHiQh4CFyvjY=; b=aFDqL25Qak4dJbogXnSrvupuWBgODiVTP/KEHhGmy6QfugNhe65g3Gq7ZLq1HeI4 J+zTiyVjyoz3t1TvNOkQW0//qfpT3T9kYNiNwG9EIUv1Xxn3S8wfyaQKCFkUSqsbWoM HDrv44+EdV5K1KQI7F4qWP4wXG79S1VXWeJBI2IY= Received: from mail.zoho.in by mx.zoho.in with SMTP id 1659516006945210.23588174332167; Wed, 3 Aug 2022 14:10:06 +0530 (IST) Date: Wed, 03 Aug 2022 14:10:06 +0530 From: Siddh Raman Pant To: "Eric Biggers" Cc: "David Howells" , "Christophe JAILLET" , "Eric Dumazet" , "Fabio M. De Francesco" , "linux-security-modules" , "linux-kernel" , "linux-kernel-mentees" , "syzbot+c70d87ac1d001f29a058" Message-ID: <18262dcb20e.4bf31faa421018.1228982721921458740@siddh.me> In-Reply-To: References: <20220728155121.12145-1-code@siddh.me> <18261d8a63a.33799d2a402802.7512018232560408914@siddh.me> <182621f8dca.1e0e6161130907.1470656861897824669@siddh.me> Subject: Re: [PATCH v3] kernel/watch_queue: Make pipe NULL while clearing watch_queue MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Importance: Medium User-Agent: Zoho Mail X-Mailer: Zoho Mail X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,URIBL_RED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 03 Aug 2022 11:11:31 +0530 Eric Biggers wrote: > I tested the syzbot reproducer > https://syzkaller.appspot.com/text?tag=ReproC&x=174ea97e080000, and it does > *not* trigger the bug on the latest upstream. But, it does trigger the bug if I > recent Linus's recent watch_queue fixes. > > So I don't currently see any evidence of an unfixed bug. If, nevertheless, you > believe that a bug is still unfixed, then please provide a reproducer and a fix > patch that clearly explains what it is fixing. > > > There is a null check in post_one_notification for the pipe, most probably > > because it *expects* the pointer to be NULL'd. Also, there is no reason to have > > a dangling pointer stay, it's just a recipe for further bugs. > > If you want to send a patch or patches to clean up the code, that is fine, but > please make it super clear what is a cleanup and what is a fix. > > - Eric > I honestly feel like I am repeating myself yet again, but okay. Of course, the race condition has been solved by a patch upstream, which I had myself mentioned earlier. But what I am saying is that it did *not* address *what* that race condition had triggered, i.e. the visible cause of the UAF crash, which, among other things, is *because* there is a dangling pointer to the freed pipe, which *caused* the crash in post_one_notification() when it tried to access &pipe->rd.wait_lock as an argument to spin_lock_irq(), a path it reached after checking if wqueue->pipe is NULL and proceeded when it was not the case. And the upstream commit was made *after* I had posted this patch, hence this was a fix for the syzkaller issue. While I am *not* saying to accept it just because this was posted earlier, I am saying this patch addresses a parallel issue, i.e. the *actual use-after-free crash* which was reproduced by those reproducers, i.e., what was attempted to be used after getting freed and detected by KASAN. We don't need to wait for another similar syzbot report to pop up before doing this change, and say let's not fix a dangling pointer reference because now another commit apparately fixes the specific syzkaller issue, causing the given specific reproducer with its specific way of reproducing to fail, when we in fact now know it *can* be a valid problem in practice and doing this change too causes the specific reproducer under consideration to fail reproducing, as was reported by the reproducer itself. I really don't know how to create stress tests / reproducers like how syzkaller makes, so if a similar new reproducer is really required for showing this patch's validity disregarding any earlier reproducers, I unfortunately cannot make it due to skill issue as I just started in kernel dev, and I am deeply sorry for wasting the time of everyone, and I am thankful for your criticism of my patch. Thanks, Siddh