References: <20230113022555.2467724-1-kamatam@amazon.com> <20230120013055.3628-1-hdanton@sina.com> <20230120090001.3807-1-hdanton@sina.com> <20230121051746.4100-1-hdanton@sina.com>
In-Reply-To: <20230121051746.4100-1-hdanton@sina.com>
From: Suren Baghdasaryan
Date: Sat, 21 Jan 2023 19:01:13 -0800
Subject: Re: another use-after-free in ep_remove_wait_queue()
To: Hillf Danton
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 20, 2023 at 9:18 PM Hillf Danton wrote:
>
> On Fri, 20 Jan 2023 08:28:25 -0800 Suren Baghdasaryan
> > On Fri, Jan 20, 2023 at 1:00 AM Hillf Danton wrote:
> > > +++ b/kernel/sched/psi.c
> > > @@ -1529,6 +1529,7 @@ static int psi_fop_release(struct inode
> > > {
> > > struct seq_file *seq = file->private_data;
> > >
> > > + eventpoll_release_file(file);
> >
> > Be careful here and see the comment in
> > https://elixir.bootlin.com/linux/latest/source/fs/eventpoll.c#L912.
> > eventpoll_release_file() assumes that the last fput() was called and
> > nobody other than ep_free() will race with us. So, this will not be
> > that simple.
>
> The epmutex serializes eventpoll_release_file() and ep_free(). And this
> is in psi_fop_release(), so no chance is likely left for another release.
>
> > Besides, if we really need to fix the order here, the fix
> > should be somewhere at the level of cgroup_file_release() or even
> > kernfs to work for other similar situations.
>
> Good point, but cgroup and kernfs have no idea of the psi trigger.

Yes, that's why I think if we really need to fix the order here and do it
properly, it won't be straightforward. IMHO wake_up_pollfree() is an
appropriate and simple fix for this.

> The bonus of the uaf is to check the polled file upon release in scenarios like
> the psi trigger.
>
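Review bot: the added eventpoll_release_file(file) call at the top of psi_fop_release() is made from a ->release handler, while the thread points out (and the linked comment in fs/eventpoll.c documents) that eventpoll_release_file() assumes the final fput() has already happened and that only ep_free() can race with it; the hunk carries no comment stating why that assumption holds here (the epmutex argument appears only in the reply), so either add that justification above the call or use wake_up_pollfree(), which the thread proposes as the simpler fix for a wait queue going away at release time.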
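The lifecycle problem the thread is about, as an added userspace model that is not part of the thread or of the kernel: a polled object (the psi trigger) owns a wait queue head, epoll links an entry into it, and if the head is freed at release time without telling epoll, the later ep_remove_wait_queue() walks into freed memory. With wake_up_pollfree() every waiter is woken with POLLFREE, detaches itself and forgets the head, so the same teardown is safe. The list, wait-queue and eppoll_entry types only mimic the kernel's shapes; there is no RCU or locking, `free_whead()` simulates kfree() with a flag, and `dangling_accesses` plus the `scenario_*` functions are constructed for the demonstration.

```c
/* Constructed userspace model of the epoll / wait-queue teardown discussed
 * in the thread. Not kernel code: kernel-named functions mirror the shape of
 * the real ones, freeing is simulated so the dangling access can be counted. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n;  h->next = n;
}

static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

#define POLLFREE 0x4000u   /* same bit value as the kernel's POLLFREE */

struct wait_queue_entry;
typedef int (*wait_func_t)(struct wait_queue_entry *wait, unsigned int flags);
struct wait_queue_entry { struct list_head entry; wait_func_t func; };

/* Owned by the polled object (the psi trigger). 'freed' exists only in this model. */
struct wait_queue_head { struct list_head head; bool freed; };

/* Model of struct eppoll_entry: epoll's link into one wait queue head. */
struct eppoll_entry { struct wait_queue_entry wait; struct wait_queue_head *whead; };

static int dangling_accesses;  /* times a freed head was touched (model counter) */

/* epoll queueing its callback on the polled object's wait queue. */
static void ep_ptable_queue_proc(struct eppoll_entry *pwq, struct wait_queue_head *whead,
                                 wait_func_t func)
{
    pwq->wait.func = func;
    list_init(&pwq->wait.entry);
    list_add(&pwq->wait.entry, &whead->head);
    pwq->whead = whead;
}

/* Model of ep_poll_callback(): on POLLFREE the entry unlinks itself and
 * forgets the head, which is what makes the later removal safe. */
static int ep_poll_callback(struct wait_queue_entry *wait, unsigned int flags)
{
    struct eppoll_entry *pwq = (struct eppoll_entry *)wait;  /* wait is the first member */
    if (flags & POLLFREE) {
        list_del_init(&wait->entry);
        pwq->whead = NULL;
    }
    return 0;
}

/* Model of wake_up_pollfree(): wake every waiter with POLLFREE before the head dies. */
static void wake_up_pollfree(struct wait_queue_head *wq)
{
    struct list_head *pos = wq->head.next;
    while (pos != &wq->head) {
        struct wait_queue_entry *w = (struct wait_queue_entry *)pos;  /* entry is first member */
        struct list_head *next = pos->next;
        w->func(w, POLLFREE);
        pos = next;
    }
}

/* Simulated kfree() of the head: memory stays valid so the model can observe the access. */
static void free_whead(struct wait_queue_head *wq) { wq->freed = true; }

/* Model of remove_wait_queue(): the real kernel would dereference freed memory here. */
static void remove_wait_queue(struct wait_queue_head *wq, struct wait_queue_entry *w)
{
    if (wq->freed)
        dangling_accesses++;
    list_del_init(&w->entry);
}

/* Model of ep_remove_wait_queue(), run later by epoll (e.g. from ep_free()). */
static void ep_remove_wait_queue(struct eppoll_entry *pwq)
{
    struct wait_queue_head *whead = pwq->whead;
    if (whead)   /* NULL after POLLFREE, so a freed head is never touched */
        remove_wait_queue(whead, &pwq->wait);
}

/* Release path that frees the head without notifying epoll: the reported bug. */
static int scenario_release_without_pollfree(void)
{
    struct wait_queue_head trig = { .freed = false };
    struct eppoll_entry pwq;
    dangling_accesses = 0;
    list_init(&trig.head);
    ep_ptable_queue_proc(&pwq, &trig, ep_poll_callback);
    free_whead(&trig);            /* release frees the trigger ... */
    ep_remove_wait_queue(&pwq);   /* ... and epoll later walks into it */
    return dangling_accesses;
}

/* Release path that calls wake_up_pollfree() first; returns dangling accesses
 * and reports through *head_empty whether every waiter detached itself. */
static int scenario_release_with_pollfree(bool *head_empty)
{
    struct wait_queue_head trig = { .freed = false };
    struct eppoll_entry pwq;
    dangling_accesses = 0;
    list_init(&trig.head);
    ep_ptable_queue_proc(&pwq, &trig, ep_poll_callback);
    wake_up_pollfree(&trig);
    *head_empty = list_empty(&trig.head);
    free_whead(&trig);
    ep_remove_wait_queue(&pwq);
    return dangling_accesses;
}

int main(void)
{
    bool empty;
    printf("without wake_up_pollfree: %d dangling access(es)\n", scenario_release_without_pollfree());
    printf("with wake_up_pollfree:    %d dangling access(es), head empty: %d\n",
           scenario_release_with_pollfree(&empty), empty);
    return 0;
}
```

The NULL check in the model's ep_remove_wait_queue() mirrors the real function's check of pwq->whead; it only helps because the POLLFREE path clears the pointer before the head is gone, which is the ordering the release side has to provide.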