From: Suren Baghdasaryan
Date: Thu, 19 Jan 2023 17:37:11 -0800
Subject: Re: another use-after-free in ep_remove_wait_queue()
To: Hillf Danton
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com
References: <20230113022555.2467724-1-kamatam@amazon.com> <20230120013055.3628-1-hdanton@sina.com>
In-Reply-To: <20230120013055.3628-1-hdanton@sina.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Jan 19, 2023 at 5:31 PM Hillf Danton wrote:
>
> On Thu, 19 Jan 2023 13:01:42 -0800 Suren Baghdasaryan wrote:
> >
> > Hi Folks,
> > I spent some more time digging into the details and this is what's
> > happening. When we call rmdir to delete the cgroup with the pressure
> > file being epoll'ed, roughly the following call chain happens in the
> > context of the shell process:
> >
> > do_rmdir
> > cgroup_rmdir
> > kernfs_drain_open_files
> > cgroup_file_release
> > cgroup_pressure_release
> > psi_trigger_destroy
> >
> > Later on in the context of our reproducer, the last fput() is called
> > causing wait queue removal:
> >
> > fput
> > ep_eventpoll_release
> > ep_free
> > ep_remove_wait_queue
> > remove_wait_queue
> >
> > By this time psi_trigger_destroy() already destroyed the trigger's
> > waitqueue head and we hit UAF.
> > I think the conceptual problem here (or maybe that's by design?) is
> > that cgroup_file_release() is not really tied to the file's real
> > lifetime (when the last fput() is issued). Otherwise fput() would call
> > eventpoll_release() before f_op->release() and the order would be fine
> > (we would remove the wait queue first in eventpoll_release() and then
> > f_op->release() would cause trigger's destruction).
>
> eventpoll_release
> eventpoll_release_file
> ep_remove
> ep_unregister_pollwait
> ep_remove_wait_queue

Yes but fput() calls eventpoll_release() *before* f_op->release(), so
waitqueue_head would be removed before trigger destruction.

> Different roads run into the same Roma city.

You butchered the phrase :)

> > Considering these findings, I think we can use the wake_up_pollfree()
> > without contradicting the comment at
> > https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253
> > because indeed, cgroup_file_release() and therefore
> > psi_trigger_destroy() are not tied to the file's lifetime.
> >
> > I'm CC'ing Tejun to check if this makes sense to him and
> > cgroup_file_release() is working as expected in this case.
> >
> > Munehisa, if Tejun confirms this is all valid, could you please post
> > a patch replacing wake_up_interruptible() with wake_up_pollfree()? We
> > don't need to worry about wake_up_all() because we have a limitation
> > of one trigger per file descriptor:
> > https://elixir.bootlin.com/linux/latest/source/kernel/sched/psi.c#L1419,
> > so there can be only one waiter.
> > Thanks,
> > Suren.
>
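The ordering problem the thread describes, as an added user-space model that is not part of the thread or of the kernel: a wait queue head embedded in a trigger object, an epoll entry queued on it, the trigger torn down on the rmdir path, and the epoll entry detached later on the last-fput path. The structure and function names mirror the kernel's shape (wait_queue_head, eppoll_entry, ep_poll_callback, psi_trigger_destroy, ep_remove_wait_queue), but the bodies are a model; the `dead` flag, `model_wake_up` and `run_scenario` are invented here, and nothing is actually freed, so the would-be use-after-free is detected rather than triggered. It shows why replacing wake_up_interruptible() with wake_up_pollfree() helps: the POLLFREE branch of the callback unlinks the entry and clears `whead`, so ep_remove_wait_queue() finds nothing to touch once the head is gone.

```c
/* Added example, not from the thread: user-space model of the
 * psi_trigger / epoll wait queue lifetime problem. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POLLFREE 0x4000u  /* same value as the kernel's POLLFREE flag */

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct wait_queue_entry;
typedef int (*wait_func_t)(struct wait_queue_entry *w, unsigned int pollflags);

struct wait_queue_entry { wait_func_t func; struct list_head entry; };

struct wait_queue_head {
	struct list_head head;
	bool dead;  /* model-only stand-in for "this memory was kfree()d" */
};

/* Model of eppoll_entry: epoll's record of which head it is queued on. */
struct eppoll_entry { struct wait_queue_head *whead; struct wait_queue_entry wait; };

/* Model of psi_trigger: the wait queue head is embedded in the trigger. */
struct psi_trigger { struct wait_queue_head event_wait; };

/* Model of the POLLFREE branch of ep_poll_callback(): unlink the entry and
 * clear whead so a later ep_remove_wait_queue() has nothing to touch. */
static int ep_poll_callback(struct wait_queue_entry *wait, unsigned int pollflags)
{
	if (pollflags & POLLFREE) {
		list_del_init(&wait->entry);
		container_of(wait, struct eppoll_entry, wait)->whead = NULL;
	}
	return 1;
}

/* Model-only wake-up loop: invoke every waiter's callback with pollflags. */
static void model_wake_up(struct wait_queue_head *wq, unsigned int pollflags)
{
	struct list_head *pos = wq->head.next;
	while (pos != &wq->head) {
		struct list_head *next = pos->next;  /* callback may unlink pos */
		struct wait_queue_entry *w = container_of(pos, struct wait_queue_entry, entry);
		w->func(w, pollflags);
		pos = next;
	}
}

/* epoll_ctl(EPOLL_CTL_ADD) path: queue epoll's entry on the trigger's head. */
static void ep_ptable_queue_proc(struct eppoll_entry *pwq, struct wait_queue_head *whead)
{
	pwq->whead = whead;
	pwq->wait.func = ep_poll_callback;
	list_add(&pwq->wait.entry, &whead->head);
}

/* rmdir path (cgroup_file_release -> psi_trigger_destroy): the trigger goes
 * away while epoll is still queued on it. use_pollfree selects between the
 * wake_up_interruptible() behaviour (0) and wake_up_pollfree() (POLLFREE). */
static void psi_trigger_destroy(struct psi_trigger *t, bool use_pollfree)
{
	model_wake_up(&t->event_wait, use_pollfree ? POLLFREE : 0u);
	t->event_wait.dead = true;  /* stands in for kfree(t) */
}

/* Last-fput path (ep_free -> ep_remove_wait_queue). Returns true when it
 * would have called remove_wait_queue() on a destroyed head: the UAF. */
static bool ep_remove_wait_queue(struct eppoll_entry *pwq)
{
	struct wait_queue_head *whead = pwq->whead;  /* smp_load_acquire() in the kernel */
	if (!whead)
		return false;  /* POLLFREE already detached this entry */
	if (whead->dead)
		return true;
	list_del_init(&pwq->wait.entry);
	return false;
}

/* Run the whole rmdir-then-fput sequence; true means a UAF would occur. */
bool run_scenario(bool use_pollfree)
{
	struct psi_trigger trig = { .event_wait = { .dead = false } };
	struct eppoll_entry pwq = { .whead = NULL };
	list_init(&trig.event_wait.head);
	list_init(&pwq.wait.entry);
	ep_ptable_queue_proc(&pwq, &trig.event_wait);
	psi_trigger_destroy(&trig, use_pollfree);
	return ep_remove_wait_queue(&pwq);
}

int main(void)
{
	printf("wake_up_interruptible(): uaf=%d\n", run_scenario(false));
	printf("wake_up_pollfree():      uaf=%d\n", run_scenario(true));
	return 0;
}
```

With `use_pollfree` false the epoll entry still holds a pointer to the destroyed head when the last fput() arrives, which is the sequence the thread reports; with POLLFREE the callback has already unlinked the entry and cleared `whead`, so the removal step is a no-op. The single-waiter loop also reflects the one-trigger-per-file-descriptor limit noted above, which is why wake_up_all() is not needed.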