Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp32137lqh; Fri, 3 May 2024 12:22:46 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXJnRws/onOQsSj+lsBQcYLc/DYOlw0sMYrMbU93MlTqXZE7jRioBKEgNJ2oKL8maPx5FRJum7r9G07ziFLOWm9yT2yf5UQwlmONO3sOA== X-Google-Smtp-Source: AGHT+IHsJ6U2+8fNcR7NqXqRo2eq9bDQN87Nr9XxiYjRmv7qAvbV6kDAOPAENibakBkIrLvNUYuh X-Received: by 2002:a17:903:2306:b0:1eb:1af8:309f with SMTP id d6-20020a170903230600b001eb1af8309fmr5133726plh.4.1714764166289; Fri, 03 May 2024 12:22:46 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714764166; cv=pass; d=google.com; s=arc-20160816; b=wrz2w0RTWP8QqaXbohPQHqKikL5SWixorKZlhXXYZKACPk4tYcBVynfAfbFKEYxZgT qXJ9n0LYYYgEFvW+4Fni3T44ft+sA86RUba2Q0z1wJnFUDraxPBZUPm8Fzdl9U5c0TxU CcfcIdol1apJJKCP8uEC6luTDh3lrPYMAfBZqNJFGlCosvQqBeprY7L+Xesb6YgQk4sN LIEoXKDL1npJEV/1qhlyw+rLapsqMqHhYqFQEDIDIerz7ubZA9g+Flyu7V3P4YmcRJUJ 2J5sA/r56DTzKf4qgVZisVg+x7/uY2bys48nEhZfa147Q1DO0SECz1c2IGlkEgHjCsHB ENig== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=; fh=Imp5a2X9y8AdvD6uSuJujO/VY9Ko7YdoL9EltZeNjiI=; b=lkJt5xodYFQQBiUGf3Q4ENfc87MI/aFkt1azVone3uO1KH+KjfyAN8kMnEapxrjWto CK3LU87iI5UouKDKsGg/8VSlK5RiBmniuz9ktu9/8NsHsyEQXEiTiVKr+q3u8Y4dw2Ev 2Frla2lKaPRYkM1T9urSVqesph2sLvFmuYx6LEeLASy7YM8XCKIW/AlInL+dOkeDv5xw 1/9PmNo46ShruhRsm5aUlaHvUxs/4gUSMjrlOdiuJ3/T8tR6CmHvCSkmkO1U2WeTVQ/Z lwxvp56Bfxs01aBBGLx6JwDTMNc0F6qY/Dy2KEaFi6IdjSwIWPGTqvN5KR8ZyYIX/U65 sQSQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=L4+VQHRb; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id l5-20020a170903244500b001e431e864ebsi3618392pls.342.2024.05.03.12.22.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 May 2024 12:22:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=L4+VQHRb; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-168112-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id CFB812813CF for ; Fri, 3 May 2024 19:22:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AD5FD15887C; Fri, 3 May 2024 19:22:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="L4+VQHRb" Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E241158219 for ; Fri, 3 May 2024 19:22:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714764156; cv=none; b=XxWNRWXfhpyy6SYIDq8uwHelsA3/HJvr9zeVRl6bAIEeOskszrtXahZNCWfVjS4fOtC+K6tuLcVxZX6qTPwMafAA7RUqDnCb0D/7Q/x8MUnL7LwLgEJ6+gPWY+jgbVBi9mG8WzYihh3pE+ZUSLE3xrBtD/gHo2gjFQxNw0hCG2s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714764156; c=relaxed/simple; bh=/vhkagdjY1ur0Ij8uFGW0Gbs4Yu9/HEVdIAwb5ROFig=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=YHFs/tCmUKm1Kj3zdnaYksWo78qCBo8NCpczqx9IDXiN4DamL0GmkYrhshIDm6eUgTrxXaNfp4rImNpq/2kx7c2Y0ZmqOALXcBSLv4W1tDiUZV16dXlgb0BxsXvpNe+/XPTYKxTbi+Yyac4R9wvA6TTxxouVWUIrb2TJEYM21Tg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=L4+VQHRb; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-6f4551f2725so68197b3a.1 for ; Fri, 03 May 2024 12:22:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1714764155; x=1715368955; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=; b=L4+VQHRbi6irUEuHU3BtzQcHQAmioZnF00U6e1WONksvN7jXusfeSuc9HUwBjmWR8X sEpKR9R9Lfhyi6fgG8KcgAwoX6oE7KO94XWAVEDiCBzPNqEqGS0g9EOj607eFYCHaON4 vBQ3x50+ZKkbTFk5w2N19Ct4/I2TCf5QvGfjQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714764155; x=1715368955; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=wZE9sdMty9EFGzepC01irLfs4hOfSOdCceQaPVz49U0=; b=W5LHEAG32+bIhL43p3oQwt534orcN/HlfdWPCpwerwVFGkomRVAupEu0ydQRBPUHbd XCPXmnTeRoD8UZ2jiIBHKsZneitwNq/6ZiLg0bBpAR8AsEZH8S+ksIQ99HaKgSFixKwP kJ6c2xtYE4kYFwS4wOCgeVyVg4fhpk/t8YqmYXnbS6G9D+OYlnkmsbao2CDj03su0/2V zLTMYmX4UjS5IEDSOWfJgBlls1BbBArFXyBcgiGmtgDS1oDrg7AHrPNET15E/2MoO24+ Lrc5p0a5QtYEt0zi7GUWX7+9iyYrZkJcD5t7CA6fiWwRD+ySNJAd0OxEzw7E8MILYax8 bMEw== X-Forwarded-Encrypted: i=1; AJvYcCVQnh7OVj8DYYc5r8rhKGgRPp8G4BgjBrrHJKB7e+ssMO4QUsAkgVd5NIKGx1CIaoZ94TmS2NALBKeem1oqOCuo/XdS2Edae1vylwyc X-Gm-Message-State: AOJu0Ywl+HD1zCmSm7szkrkIhot2ZTCYcC2nS0M433NzL2yEIvneRkTz wkPgVATXMGamgZ2HPZYRI9SrxalQzbVs7XuppoU1K6JvfapVceeSgkVHxM9ekw== X-Received: by 2002:a05:6a00:801:b0:6ed:21d5:fc2c with SMTP id m1-20020a056a00080100b006ed21d5fc2cmr4136967pfk.26.1714764154703; Fri, 03 May 2024 12:22:34 -0700 (PDT) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id y29-20020aa79e1d000000b006ed59172d2fsm3415250pfq.87.2024.05.03.12.22.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 May 2024 12:22:33 -0700 (PDT) Date: Fri, 3 May 2024 12:22:33 -0700 From: Kees Cook To: Jens Axboe Cc: Bui Quang Minh , Al Viro , Christian Brauner , syzbot , io-uring@vger.kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Sumit Semwal , Christian =?iso-8859-1?Q?K=F6nig?= , linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, Laura Abbott Subject: Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove) Message-ID: <202405031207.9D62DA4973@keescook> References: <0000000000002d631f0615918f1e@google.com> <7c41cf3c-2a71-4dbb-8f34-0337890906fc@gmail.com> <202405031110.6F47982593@keescook> <64b51cc5-9f5b-4160-83f2-6d62175418a2@kernel.dk> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <64b51cc5-9f5b-4160-83f2-6d62175418a2@kernel.dk> On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote: > On 5/3/24 12:26 PM, Kees Cook wrote: > > Thanks for doing this analysis! I suspect at least a start of a fix > > would be this: > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index 8fe5aa67b167..15e8f74ee0f2 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -267,9 +267,8 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll) > > > > if (events & EPOLLOUT) { > > /* Paired with fput in dma_buf_poll_cb */ > > - get_file(dmabuf->file); > > - > > - if (!dma_buf_poll_add_cb(resv, true, dcb)) > > + if (!atomic_long_inc_not_zero(&dmabuf->file) && > > + !dma_buf_poll_add_cb(resv, true, dcb)) > > /* No callback queued, wake up any other waiters */ > > Don't think this is sane at all. I'm assuming you meant: > > atomic_long_inc_not_zero(&dmabuf->file->f_count); Oops, yes, sorry. I was typed from memory instead of copy/paste. > but won't fly as you're not under RCU in the first place. And what > protects it from being long gone before you attempt this anyway? This is > sane way to attempt to fix it, it's completely opposite of what sane ref > handling should look like. > > Not sure what the best fix is here, seems like dma-buf should hold an > actual reference to the file upfront rather than just stash a pointer > and then later _hope_ that it can just grab a reference. That seems > pretty horrible, and the real source of the issue. AFAICT, epoll just doesn't hold any references at all. It depends, I think, on eventpoll_release() (really eventpoll_release_file()) synchronizing with epoll_wait() (but I don't see how this happens, and the race seems to be against ep_item_poll() ...?) I'm really confused about how eventpoll manages the lifetime of polled fds. > > Due to this issue I've proposed fixing get_file() to detect pathological states: > > https://lore.kernel.org/lkml/20240502222252.work.690-kees@kernel.org/ > > I don't think this would catch this case, as the memory could just be > garbage at this point. It catches it just fine! :) I tested it against the published PoC. And for cases where further allocations have progressed far enough to corrupt the freed struct file and render the check pointless, nothing different has happened than what happens today. At least now we have a window to catch the situation across the time frame before it is both reallocated _and_ the contents at the f_count offset gets changed to non-zero. -- Kees Cook