Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp3162206rwb; Fri, 20 Jan 2023 12:05:23 -0800 (PST) X-Google-Smtp-Source: AMrXdXsqvd35bmVcBMY5hNA0o0xGpFi1KHNydLLfO4KTnJYzvrS+GtSSXLsW5jIbzdy4Vh7RunTV X-Received: by 2002:a05:6402:4305:b0:46c:e558:ce60 with SMTP id m5-20020a056402430500b0046ce558ce60mr21090896edc.22.1674245123094; Fri, 20 Jan 2023 12:05:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674245123; cv=none; d=google.com; s=arc-20160816; b=p9dm7SK4aRzciF0YWeBMfLIJAOTiGu+G1io25mMhFwQJHWt0uATx8HzJAgAeJmvfyn Eafp5yhC7lPnSF1KAb9ePKDBodnXjDsZdLkzg6st20sowtoAxf+8vtARuUoZl1Fhu4hC Vxj65UCtYgMxC00NVkvy1GHOrPqizglpvcgSmP7eE4nmbRft7HiZ5Fu2m9c5pDGzDpMG 2tjfYDOi+3bxCIPdru9Yo9YKyd6mU7ufK6O+AcubzqU52z/FTV4XD3NKM6wjJK3ldlF9 xHsbHpy9zglVNMoDJ8CAsbuf5mMOE4A20RFt2TFWqVjJI1yha1f+ySHTPFuUujNdVbve xdXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Td0mi+U0BZCVxHQ/XBdhPODqu2Kj6BMWrM+UBczhFEs=; b=apaBookwz+Y7uputbq/IDnmLDkjH/LkvyAEee1nK9yCddfg35+mysY3SyvIGtjNZE0 /tQvHnRJYKkrcUsVUHrpBnBRgd7CwvIjLukfHE6t6Li8QO2NzcnSo4qONh6X2QgGuEVo rvUpXLu370HP03gI4GNTGZ1QtUWK1s3+pgk5/1+pLJWq3ttsBRv7awZ/iaxJnvgz/aLm XjlkPJqxOQ/2LhZi0RVSTmAEHyHcyuHnJjm6r/7i56fYtnAGyjImXdXGwu8tUqLsJ/Hr QNZzrL7eI4ed2Srg+F5yWtg0xnBkSupBwN0aeEVLij3knJVLEkmdYnOQ4PBKR14VTf3E cLig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z3-20020a05640240c300b0049e0677f436si24347566edb.280.2023.01.20.12.05.10; Fri, 20 Jan 2023 12:05:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230259AbjATTST (ORCPT + 50 others); Fri, 20 Jan 2023 14:18:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230137AbjATTSR (ORCPT ); Fri, 20 Jan 2023 14:18:17 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FDA1A2979 for ; Fri, 20 Jan 2023 11:18:05 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2A9EC6206B for ; Fri, 20 Jan 2023 19:18:05 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 567A2C433EF; Fri, 20 Jan 2023 19:18:03 +0000 (UTC) Date: Fri, 20 Jan 2023 19:18:00 +0000 From: Catalin Marinas To: Waiman Long Cc: Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song Subject: Re: [RESEND PATCH v2 2/2] mm/kmemleak: Fix UAF bug in kmemleak_scan() Message-ID: References: <20230119040111.350923-1-longman@redhat.com> <20230119040111.350923-3-longman@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230119040111.350923-3-longman@redhat.com> X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Waiman, Thanks for your effort on trying to fix this. On Wed, Jan 18, 2023 at 11:01:11PM -0500, Waiman Long wrote: > @@ -567,7 +574,9 @@ static void __remove_object(struct kmemleak_object *object) > rb_erase(&object->rb_node, object->flags & OBJECT_PHYS ? > &object_phys_tree_root : > &object_tree_root); > - list_del_rcu(&object->object_list); > + if (!(object->del_state & DELSTATE_NO_DELETE)) > + list_del_rcu(&object->object_list); > + object->del_state |= DELSTATE_REMOVED; > } So IIUC, this prevents the current object being scanned from being removed from the list during the kmemleak_cond_resched() call. > /* > @@ -633,6 +642,7 @@ static void __create_object(unsigned long ptr, size_t size, > object->count = 0; /* white color initially */ > object->jiffies = jiffies; > object->checksum = 0; > + object->del_state = 0; > > /* task information */ > if (in_hardirq()) { > @@ -1470,9 +1480,22 @@ static void kmemleak_cond_resched(struct kmemleak_object *object) > if (!get_object(object)) > return; /* Try next object */ > > + raw_spin_lock_irq(&kmemleak_lock); > + if (object->del_state & DELSTATE_REMOVED) > + goto unlock_put; /* Object removed */ > + object->del_state |= DELSTATE_NO_DELETE; > + raw_spin_unlock_irq(&kmemleak_lock); > + > rcu_read_unlock(); > cond_resched(); > rcu_read_lock(); > + > + raw_spin_lock_irq(&kmemleak_lock); > + if (object->del_state & DELSTATE_REMOVED) > + list_del_rcu(&object->object_list); > + object->del_state &= ~DELSTATE_NO_DELETE; > +unlock_put: > + raw_spin_unlock_irq(&kmemleak_lock); > put_object(object); > } I'm not sure this was the only problem. We do have the problem that the current object may be removed from the list, solved above, but another scenario I had in mind is the next object being released during this brief resched period. The RCU relies on object->next->next being valid but, with a brief rcu_read_unlock(), the object->next could be freed, reallocated, so object->next->next invalid. -- Catalin