Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp1991646rwb; Thu, 19 Jan 2023 19:04:44 -0800 (PST) X-Google-Smtp-Source: AMrXdXtVc47n+EsiO3U5YuHXvPrmhJEu+MmPD2U1jcJVRKFyTQkeFYMzjBysaqGU1MdflDnhSNFG X-Received: by 2002:a17:907:76b3:b0:7c1:6fe:f4a2 with SMTP id jw19-20020a17090776b300b007c106fef4a2mr12845420ejc.45.1674183883920; Thu, 19 Jan 2023 19:04:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674183883; cv=none; d=google.com; s=arc-20160816; b=vMld/rxMzw7GTcsRDb1h9dh0ueMxiqxa5CmS7RIxyKObymvsCGngJ8g1LQSGCf7LbG xSFDcJ8IKBvoSXkExz2KLUhPFXHoIqP1M59yIe4caqu7WWiAVRk4cdCOQT3vmGQwRHwH MuLCqH9ujKGSt3gE10ksx5MNSI7faELDuhIOrh8klNvr23uFXSDakmyAtbZmEcC32Ihx qTxejXRH51X8SS7hUua94QzcXmJCQymwsum/IGOPVmyybGmhNrVDTBAPt8xHfBsTxKxu c6sE5nBufKlY9yq9qYoVPRJf/XPgljKOY7tdcjHcPnyxSpKfn9Fiu42K0uxI5FgJ7bwO sy3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=UmpmDQi7bJR8lLmmf/naNO35e+8Lm9tQqbSe2Rv16PQ=; b=mXL5II20JvaKzPhn9I7NPUhqfEiGCoqzTPFfAaXIr3FdoO8RluxUBwrEUeQ91Johsw tTvXWIQEeLpQ+EBFPcRwB1LRmndsscw25cuLpxhuG4LyqofBTDDb58V7MVOXltKhf8+t ByAjsjKLF+UDarzSAScp0UtaB3yaQsxwaiJxuWclGnIroKiECbfeL2e5BtUvppcsVCPh hdXS7LxYQok56slV6vKrGRi291nYf/sjZ52RfvB+WyaFxDswqwml6/n74MBWHUsl9i48 HQDbL5YxBDtBZrVVv9ubzv55NCfk7aVgBC+vhpinW1oOYmwg/CCHJuHf+0PrlhTf11uj aR5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=RDVj8rIT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mp14-20020a1709071b0e00b0084d456334c1si38118396ejc.748.2023.01.19.19.04.29; Thu, 19 Jan 2023 19:04:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=RDVj8rIT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229637AbjATCxK (ORCPT + 46 others); Thu, 19 Jan 2023 21:53:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52024 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229453AbjATCxI (ORCPT ); Thu, 19 Jan 2023 21:53:08 -0500 Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com [99.78.197.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B17D29B132 for ; Thu, 19 Jan 2023 18:53:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1674183188; x=1705719188; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=UmpmDQi7bJR8lLmmf/naNO35e+8Lm9tQqbSe2Rv16PQ=; b=RDVj8rITLGmUIM2uu63zJEFzJ2vqt659ENiyy4mzx5AiWWe5gYI+RpjJ 5X52iKdIDPWtJ6niTm5M5Aa+ElFtWgy4xPEySGVAvXEpPllq1eZzWbkXJ hH2F8vcOOS/cKPN7kCdkVt1BrQlcAMD9rX8eKNVOMGDB4gYpdL0Ik20zl k=; X-IronPort-AV: E=Sophos;i="5.97,230,1669075200"; d="scan'208";a="173026157" Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-iad-1d-m6i4x-f05d30a1.us-east-1.amazon.com) ([10.25.36.210]) by smtp-border-fw-80006.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Jan 2023 02:53:07 +0000 Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1d-m6i4x-f05d30a1.us-east-1.amazon.com (Postfix) with ESMTPS id 53DE281DF1; Fri, 20 Jan 2023 02:53:04 +0000 (UTC) Received: from EX19D010UWA004.ant.amazon.com (10.13.138.204) by EX13MTAUWB001.ant.amazon.com (10.43.161.249) with Microsoft SMTP Server (TLS) id 15.0.1497.45; Fri, 20 Jan 2023 02:53:03 +0000 Received: from u9aa42af9e4c55a.ant.amazon.com (10.43.162.56) by EX19D010UWA004.ant.amazon.com (10.13.138.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.1118.7; Fri, 20 Jan 2023 02:53:03 +0000 From: Munehisa Kamata To: CC: , , , , , , , Subject: Re: another use-after-free in ep_remove_wait_queue() Date: Thu, 19 Jan 2023 18:52:53 -0800 Message-ID: <20230120025253.843079-1-kamatam@amazon.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230120024613.840905-1-kamatam@amazon.com> References: <20230120024613.840905-1-kamatam@amazon.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.43.162.56] X-ClientProxiedBy: EX13D38UWB001.ant.amazon.com (10.43.161.10) To EX19D010UWA004.ant.amazon.com (10.13.138.204) X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2023-01-20 02:46:13 +0000, Munehisa Kamata wrote: > > On Fri, 2023-01-20 01:37:11 +0000, Suren Baghdasaryan wrote: > > > > On Thu, Jan 19, 2023 at 5:31 PM Hillf Danton wrote: > > > > > > On Thu, 19 Jan 2023 13:01:42 -0800 Suren Baghdasaryan wrote: > > > > > > > > Hi Folks, > > > > I spent some more time digging into the details and this is what's > > > > happening. When we call rmdir to delete the cgroup with the pressure > > > > file being epoll'ed, roughly the following call chain happens in the > > > > context of the shell process: > > > > > > > > do_rmdir > > > > cgroup_rmdir > > > > kernfs_drain_open_files > > > > cgroup_file_release > > > > cgroup_pressure_release > > > > psi_trigger_destroy > > > > > > > > Later on in the context of our reproducer, the last fput() is called > > > > causing wait queue removal: > > > > > > > > fput > > > > ep_eventpoll_release > > > > ep_free > > > > ep_remove_wait_queue > > > > remove_wait_queue > > > > > > > > By this time psi_trigger_destroy() already destroyed the trigger's > > > > waitqueue head and we hit UAF. > > > > I think the conceptual problem here (or maybe that's by design?) is > > > > that cgroup_file_release() is not really tied to the file's real > > > > lifetime (when the last fput() is issued). Otherwise fput() would call > > > > eventpoll_release() before f_op->release() and the order would be fine > > > > (we would remove the wait queue first in eventpoll_release() and then > > > > f_op->release() would cause trigger's destruction). > > > > > > eventpoll_release > > > eventpoll_release_file > > > ep_remove > > > ep_unregister_pollwait > > > ep_remove_wait_queue > > > > > > > Yes but fput() calls eventpoll_release() *before* f_op->release(), so > > waitqueue_head would be removed before trigger destruction. > > But pwq->whead is still pointing the freed head, then we just hit the same > issue earlier? Ah nevermind, that was just a hypothetical case if cgroup_file_release() was tied to file's lifetime and assuming trigger destruction that frees the queue and clears pwq->whead would happen later in f_op->release(); there is no such an implementation today. Sorry for noise. > > > Different roads run into the same Roma city. > > > > You butchered the phrase :) > > > > > > > > > Considering these findings, I think we can use the wake_up_pollfree() > > > > without contradicting the comment at > > > > https://elixir.bootlin.com/linux/latest/source/include/linux/wait.h#L253 > > > > because indeed, cgroup_file_release() and therefore > > > > psi_trigger_destroy() are not tied to the file's lifetime. > > > > > > > > I'm CC'ing Tejun to check if this makes sense to him and > > > > cgroup_file_release() is working as expected in this case. > > > > > > > > Munehisha, if Tejun confirms this is all valid, could you please post > > > > a patch replacing wake_up_interruptible() with wake_up_pollfree()? We > > > > don't need to worry about wake_up_all() because we have a limitation > > > > of one trigger per file descriptor: > > > > https://elixir.bootlin.com/linux/latest/source/kernel/sched/psi.c#L1419, > > > > so there can be only one waiter. > > > > Thanks, > > > > Suren. > > > > > > > > >