Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp410314rwb; Wed, 9 Nov 2022 04:17:42 -0800 (PST) X-Google-Smtp-Source: AMsMyM5+/gOpKRwpbKSjwrXscjeBRjszEfc3w9ztf6JgYvoY61ZEmqdLOIcdIScCDgY+ctRI7EI1 X-Received: by 2002:a63:854a:0:b0:46f:45ab:31a with SMTP id u71-20020a63854a000000b0046f45ab031amr51854792pgd.190.1667996262264; Wed, 09 Nov 2022 04:17:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667996262; cv=none; d=google.com; s=arc-20160816; b=WlObhz18q4APgFZOAJw9nK4JBcvLOBWdpeZ2Zjw1EFlevBouoV4ELZ6bbAlQamuPpk E9rA6sgbsaa5G8FuZ+FVL9wrWNVGdCt2o8ashaLzQ3HmjKAwc521Gp9h9vKznZLQx5Du 2o1r2Z/YDAUwEdX5nAWKSS5Q7d6DOEVswMGG70HiE9OcGfY0I2SOvuteIw211yLqQD7y TaeLksv+LCgVjjhqzhrJleXz1SRGcbN8wCjVxWrUVJf8DRLqY+C7y2wbTmIRIFcaqbF9 A9QVm2s7tF/HULEVHP2ExjkTeP/KDwoj7TeLGeTKvoxW+klqVoZKk4cn3FTnY+PLxE2F HuoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=r4vtgBkJ9+Vy+9EhJU5rTGh1H78MM04EIshNvBaitw8=; b=qGT/NOSbfNISJw5w+cpLC63ERsk+W/Ltj0ZWBrI7+278JDR2MdQ5xa603yCBIadcxX spcy+j3SqfKWDpdwpeESiUXAoRbynebviZG66lV1raOwPtaJzknHyvBn4HQ6f3u67Ip1 ODNJ09aPieVQWzAUVSR3VnWkAHJmIIy/Db68KNDOtXI5xkglKdu5gqVJcI76F+bcFGJS hczUEmimtt6VpWZOGNpnkg3y5bhqBCxuVVrtuK4PD88BAhWI/geYCkDh4Y4j9whC+qPz S7XyRX2a/PgUt3TVGRMzbxH3nTCud3ozHx9RWcKR9Ul1ZJKOEMi7wG9Xud9q2ez5O4I8 qLxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=JDFYBWQR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u25-20020a056a00099900b0056301324a24si20049488pfg.133.2022.11.09.04.17.29; Wed, 09 Nov 2022 04:17:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=JDFYBWQR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229640AbiKIMET (ORCPT + 93 others); Wed, 9 Nov 2022 07:04:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229447AbiKIMER (ORCPT ); Wed, 9 Nov 2022 07:04:17 -0500 Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F2242A726 for ; Wed, 9 Nov 2022 04:04:17 -0800 (PST) Received: by mail-ot1-x329.google.com with SMTP id br15-20020a056830390f00b0061c9d73b8bdso9971879otb.6 for ; Wed, 09 Nov 2022 04:04:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=r4vtgBkJ9+Vy+9EhJU5rTGh1H78MM04EIshNvBaitw8=; b=JDFYBWQRFva9aIbtyICwb140cRFYk760yFTxuR3lybcx0dhvV/OliBD8FwhH8Azb1i JZNCxfK5Jn8neGkg27K6xwigo+d0BQfaiqafPTsljC/VbJYWr87l5FlFyGmewWsX5+hM P7J39MUn+OsHoXLNDVFMPMSXkj7pSbU/UYGgRSkupMedGYix55F0VjSv0Qn0knUJW+/V 6Z+JMmh6uLumM6uKCE3vMJHEPHTBe45732GY97LNuk4v5VcnjkmpycrrNHnTEi1g3uxs LCTdfpCXUtgyXl4i2jsF4ztG/m3CbtKU7MLVhzzsBHCu/VPsEohfFyoUY8R2YkVeVQe4 pvyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=r4vtgBkJ9+Vy+9EhJU5rTGh1H78MM04EIshNvBaitw8=; b=4Cb4GHV/RTm1PEcPFwC491eOYDrcPyUi+9DwXlnDx6/X7gy7ftiTtKZZS/iRgftU/y vSgSYZRHX6gDOjosAYF1d0Vm3wZfxnOsrNJXN4vp/Q/XM6HE23IhuKgCNnJ1ySsalQpN xbGRIY6lSwV0svDnrbbxpyUAfO0HTCEi7BQoOhYagQJc3kgEpg4DA8GGPj9NM5p8IeYj oYzvCyNNwZRMrmCGiS5rXjJ7Ufz0W3747FUDna0cMPasPRZeKKB4tNvQwdvF+7gi6Mka XcnuCaUjHpfBIwHfpSDNmV/STuNe6X861MT3X7/oeGBU5KZYsVk5SI9c7g3u0nGV/QiW rRoQ== X-Gm-Message-State: ACrzQf0mgCWOXXl9/zG5n3G0ZOZ3cvTgxJW9b7X3heKcDHm5K7m4trcC ai7HfBeHf6ZJoK4FwEq3GzcNTy7oiXPetye0250= X-Received: by 2002:a05:6830:628b:b0:660:d639:f380 with SMTP id ce11-20020a056830628b00b00660d639f380mr28592000otb.181.1667995456321; Wed, 09 Nov 2022 04:04:16 -0800 (PST) MIME-Version: 1.0 References: <20221109105158.230081-1-zyytlz.wz@163.com> In-Reply-To: From: Zheng Hacker Date: Wed, 9 Nov 2022 20:04:04 +0800 Message-ID: Subject: Re: [PATCH v8] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os To: Greg KH Cc: Zheng Wang , zhengyejian1@huawei.com, dimitri.sivanich@hpe.com, arnd@arndb.de, linux-kernel@vger.kernel.org, alex000young@gmail.com, security@kernel.org, sivanich@hpe.com, lkp@intel.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Greg KH =E4=BA=8E2022=E5=B9=B411=E6=9C=889=E6= =97=A5=E5=91=A8=E4=B8=89 19:12=E5=86=99=E9=81=93=EF=BC=9A > > On Wed, Nov 09, 2022 at 06:51:58PM +0800, Zheng Wang wrote: > > Gts may be freed in gru_check_chiplet_assignment. > > The caller still use it after that, UAF happens. > > I do not understand what this text means, sorry. Can you try to make it > more descriptive? > Sorry for my unclear description. The new candidate is as follows: In some bad situation, the gts may be freed gru_check_chiplet_assignment. The call chain can be gru_unload_context->gru_free_gru_context->gts_drop and kfree finally. However, the caller didn't know if the gts is freed or not and use it afterwards. This will trigger a Use after Free bug. > > > > Fix it by introducing a return value to see if it's in error path or no= t. > > Free the gts in caller if gru_check_chiplet_assignment check failed. > > Please wrap all of your changelog text at 72 columns, you have 2 > paragraphs with different wrappings. > Get it, sorry for that. > > /* > > * If the current task is the context owner, verify that the > > @@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_threa= d_state *gts) > > */ > > gru =3D gts->ts_gru; > > if (!gru || gts->ts_tgid_owner !=3D current->tgid) > > - return; > > + return ret; > > Why does this check return "all is good!" ? > > Shouldn't that be an error? > This check is something like "if the gts has been initiiazed properly". If it's not, I thinks we shouldn't treat the gts like something very bad happend. Because in the later request, the gts can still have a chance to be configed/updated properly. This is different from "it's too bad so we have to unload gts right now". This is just my personal point of view. Besides, the caller of this function have token it into consider. In gru_fault, it will try again and in gru_handle_user_call_os, it will return -EAGAIN. In gru_set_context_option, it will be fine because there won't be any operation on gts->ts_gru or gts->ts_tgid_owner Best regards, Zheng Wang