Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp32137lqh;
        Fri, 3 May 2024 12:22:46 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXJnRws/onOQsSj+lsBQcYLc/DYOlw0sMYrMbU93MlTqXZE7jRioBKEgNJ2oKL8maPx5FRJum7r9G07ziFLOWm9yT2yf5UQwlmONO3sOA==
X-Google-Smtp-Source: AGHT+IHsJ6U2+8fNcR7NqXqRo2eq9bDQN87Nr9XxiYjRmv7qAvbV6kDAOPAENibakBkIrLvNUYuh
X-Received: by 2002:a17:903:2306:b0:1eb:1af8:309f with SMTP id d6-20020a170903230600b001eb1af8309fmr5133726plh.4.1714764166289;
        Fri, 03 May 2024 12:22:46 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714764166; cv=pass;
        d=google.com; s=arc-20160816;
        b=wrz2w0RTWP8QqaXbohPQHqKikL5SWixorKZlhXXYZKACPk4tYcBVynfAfbFKEYxZgT
         qXJ9n0LYYYgEFvW+4Fni3T44ft+sA86RUba2Q0z1wJnFUDraxPBZUPm8Fzdl9U5c0TxU
         CcfcIdol1apJJKCP8uEC6luTDh3lrPYMAfBZqNJFGlCosvQqBeprY7L+Xesb6YgQk4sN
         LIEoXKDL1npJEV/1qhlyw+rLapsqMqHhYqFQEDIDIerz7ubZA9g+Flyu7V3P4YmcRJUJ
         2J5sA/r56DTzKf4qgVZisVg+x7/uY2bys48nEhZfa147Q1DO0SECz1c2IGlkEgHjCsHB
         ENig==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=;
        fh=Imp5a2X9y8AdvD6uSuJujO/VY9Ko7YdoL9EltZeNjiI=;
        b=lkJt5xodYFQQBiUGf3Q4ENfc87MI/aFkt1azVone3uO1KH+KjfyAN8kMnEapxrjWto
         CK3LU87iI5UouKDKsGg/8VSlK5RiBmniuz9ktu9/8NsHsyEQXEiTiVKr+q3u8Y4dw2Ev
         2Frla2lKaPRYkM1T9urSVqesph2sLvFmuYx6LEeLASy7YM8XCKIW/AlInL+dOkeDv5xw
         1/9PmNo46ShruhRsm5aUlaHvUxs/4gUSMjrlOdiuJ3/T8tR6CmHvCSkmkO1U2WeTVQ/Z
         lwxvp56Bfxs01aBBGLx6JwDTMNc0F6qY/Dy2KEaFi6IdjSwIWPGTqvN5KR8ZyYIX/U65
         sQSQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=L4+VQHRb;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id l5-20020a170903244500b001e431e864ebsi3618392pls.342.2024.05.03.12.22.46
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 May 2024 12:22:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=L4+VQHRb;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id CFB812813CF
	for <linux.lists.archive@gmail.com>; Fri,  3 May 2024 19:22:45 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id AD5FD15887C;
	Fri,  3 May 2024 19:22:37 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="L4+VQHRb"
Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E241158219
	for <linux-kernel@vger.kernel.org>; Fri,  3 May 2024 19:22:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714764156; cv=none; b=XxWNRWXfhpyy6SYIDq8uwHelsA3/HJvr9zeVRl6bAIEeOskszrtXahZNCWfVjS4fOtC+K6tuLcVxZX6qTPwMafAA7RUqDnCb0D/7Q/x8MUnL7LwLgEJ6+gPWY+jgbVBi9mG8WzYihh3pE+ZUSLE3xrBtD/gHo2gjFQxNw0hCG2s=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714764156; c=relaxed/simple;
	bh=/vhkagdjY1ur0Ij8uFGW0Gbs4Yu9/HEVdIAwb5ROFig=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=YHFs/tCmUKm1Kj3zdnaYksWo78qCBo8NCpczqx9IDXiN4DamL0GmkYrhshIDm6eUgTrxXaNfp4rImNpq/2kx7c2Y0ZmqOALXcBSLv4W1tDiUZV16dXlgb0BxsXvpNe+/XPTYKxTbi+Yyac4R9wvA6TTxxouVWUIrb2TJEYM21Tg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=L4+VQHRb; arc=none smtp.client-ip=209.85.210.178
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org
Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-6f4551f2725so68197b3a.1
        for <linux-kernel@vger.kernel.org>; Fri, 03 May 2024 12:22:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1714764155; x=1715368955; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=;
        b=L4+VQHRbi6irUEuHU3BtzQcHQAmioZnF00U6e1WONksvN7jXusfeSuc9HUwBjmWR8X
         sEpKR9R9Lfhyi6fgG8KcgAwoX6oE7KO94XWAVEDiCBzPNqEqGS0g9EOj607eFYCHaON4
         vBQ3x50+ZKkbTFk5w2N19Ct4/I2TCf5QvGfjQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1714764155; x=1715368955;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=;
        b=W5LHEAG32+bIhL43p3oQwt534orcN/HlfdWPCpwerwVFGkomRVAupEu0ydQRBPUHbd
         XCPXmnTeRoD8UZ2jiIBHKsZneitwNq/6ZiLg0bBpAR8AsEZH8S+ksIQ99HaKgSFixKwP
         kJ6c2xtYE4kYFwS4wOCgeVyVg4fhpk/t8YqmYXnbS6G9D+OYlnkmsbao2CDj03su0/2V
         zLTMYmX4UjS5IEDSOWfJgBlls1BbBArFXyBcgiGmtgDS1oDrg7AHrPNET15E/2MoO24+
         Lrc5p0a5QtYEt0zi7GUWX7+9iyYrZkJcD5t7CA6fiWwRD+ySNJAd0OxEzw7E8MILYax8
         bMEw==
X-Forwarded-Encrypted: i=1; AJvYcCVQnh7OVj8DYYc5r8rhKGgRPp8G4BgjBrrHJKB7e+ssMO4QUsAkgVd5NIKGx1CIaoZ94TmS2NALBKeem1oqOCuo/XdS2Edae1vylwyc
X-Gm-Message-State: AOJu0Ywl+HD1zCmSm7szkrkIhot2ZTCYcC2nS0M433NzL2yEIvneRkTz
	wkPgVATXMGamgZ2HPZYRI9SrxalQzbVs7XuppoU1K6JvfapVceeSgkVHxM9ekw==
X-Received: by 2002:a05:6a00:801:b0:6ed:21d5:fc2c with SMTP id m1-20020a056a00080100b006ed21d5fc2cmr4136967pfk.26.1714764154703;
        Fri, 03 May 2024 12:22:34 -0700 (PDT)
Received: from www.outflux.net ([198.0.35.241])
        by smtp.gmail.com with ESMTPSA id y29-20020aa79e1d000000b006ed59172d2fsm3415250pfq.87.2024.05.03.12.22.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 May 2024 12:22:33 -0700 (PDT)
Date: Fri, 3 May 2024 12:22:33 -0700
From: Kees Cook <keescook@chromium.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: Bui Quang Minh <minhquangbui99@gmail.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	syzbot <syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com>,
	io-uring@vger.kernel.org, jack@suse.cz,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com,
	Sumit Semwal <sumit.semwal@linaro.org>,
	Christian =?iso-8859-1?Q?K=F6nig?= <christian.koenig@amd.com>,
	linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org,
	linaro-mm-sig@lists.linaro.org, Laura Abbott <laura@labbott.name>
Subject: Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?]
 [io-uring?] general protection fault in __ep_remove)
Message-ID: <202405031207.9D62DA4973@keescook>
References: <0000000000002d631f0615918f1e@google.com>
 <7c41cf3c-2a71-4dbb-8f34-0337890906fc@gmail.com>
 <202405031110.6F47982593@keescook>
 <64b51cc5-9f5b-4160-83f2-6d62175418a2@kernel.dk>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <64b51cc5-9f5b-4160-83f2-6d62175418a2@kernel.dk>

On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote:
> On 5/3/24 12:26 PM, Kees Cook wrote:
> > Thanks for doing this analysis! I suspect at least a start of a fix
> > would be this:
> > 
> > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> > index 8fe5aa67b167..15e8f74ee0f2 100644
> > --- a/drivers/dma-buf/dma-buf.c
> > +++ b/drivers/dma-buf/dma-buf.c
> > @@ -267,9 +267,8 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
> >  
> >  		if (events & EPOLLOUT) {
> >  			/* Paired with fput in dma_buf_poll_cb */
> > -			get_file(dmabuf->file);
> > -
> > -			if (!dma_buf_poll_add_cb(resv, true, dcb))
> > +			if (!atomic_long_inc_not_zero(&dmabuf->file) &&
> > +			    !dma_buf_poll_add_cb(resv, true, dcb))
> >  				/* No callback queued, wake up any other waiters */
> 
> Don't think this is sane at all. I'm assuming you meant:
> 
> 	atomic_long_inc_not_zero(&dmabuf->file->f_count);

Oops, yes, sorry. I was typed from memory instead of copy/paste.

> but won't fly as you're not under RCU in the first place. And what
> protects it from being long gone before you attempt this anyway? This is
> sane way to attempt to fix it, it's completely opposite of what sane ref
> handling should look like.
> 
> Not sure what the best fix is here, seems like dma-buf should hold an
> actual reference to the file upfront rather than just stash a pointer
> and then later _hope_ that it can just grab a reference. That seems
> pretty horrible, and the real source of the issue.

AFAICT, epoll just doesn't hold any references at all. It depends,
I think, on eventpoll_release() (really eventpoll_release_file())
synchronizing with epoll_wait() (but I don't see how this happens, and
the race seems to be against ep_item_poll() ...?)

I'm really confused about how eventpoll manages the lifetime of polled
fds.

> > Due to this issue I've proposed fixing get_file() to detect pathological states:
> > https://lore.kernel.org/lkml/20240502222252.work.690-kees@kernel.org/
> 
> I don't think this would catch this case, as the memory could just be
> garbage at this point.

It catches it just fine! :) I tested it against the published PoC.

And for cases where further allocations have progressed far enough to
corrupt the freed struct file and render the check pointless, nothing
different has happened than what happens today. At least now we have a
window to catch the situation across the time frame before it is both
reallocated _and_ the contents at the f_count offset gets changed to
non-zero.

-- 
Kees Cook