Received: by 2002:a89:288:0:b0:1f7:eeee:6653 with SMTP id j8csp336976lqh;
        Mon, 6 May 2024 23:54:18 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUdQ3EE79x7n7PiaM9ZeMkRDTGsna8aK1n6irgIQJAS5/XRBkV/OaZL4EK7xYIcqqbEQqTXMiCEzGUj1iI5S9qdYU7YkcmaxdfI5MVbCA==
X-Google-Smtp-Source: AGHT+IEI23yAft16QxtYdi8lD4hcy3bFFmhmGCKa0RuBJXUIma79DRQ4LGguxqyrLaevN/+QVLWr
X-Received: by 2002:a05:6a00:189c:b0:6ed:de70:5ef9 with SMTP id x28-20020a056a00189c00b006edde705ef9mr3250601pfh.0.1715064858135;
        Mon, 06 May 2024 23:54:18 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715064858; cv=pass;
        d=google.com; s=arc-20160816;
        b=UwDXHFoV49J/126BfvzNjf6SO7ioPK3bBRfSoDZbiF3G8j4NRu+1hRyeqZpsKOgR/9
         TWf8y+6Fz1uYDOxaM045vegvP2nzq2Jc7TlRWitBxspWfWRCh2fWbzEkmG9XMTT77H+d
         APfKRbKzEzZH+SzmiAYXRW3evzocZ8KmP9yHclucabWvypIXFllHkIzhqzEZdiuolWnx
         Fm2zEZwFYdKR5Y/1f18P0Hv631taBnYp0snZ2D0//oKmTsvzxiWSEQpbgn0UHKX6LVjH
         J1NXak+/QrkJvwxW2suGeFfSjeF50opIHdwCZ92Bdmg3g1bvr44GBhjnMd9VK0byhZVm
         CkbA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id;
        bh=/EVHj+3JGqGBU/+HYHVUBc/D0X4YJqjjey7sh1W4Ao0=;
        fh=O7Xl5tY5XExjv7JMMxLHf+ly3l5pSzTffl3AjAOW1+I=;
        b=mtF9w4fvH50E/eYaeJxun45lvznQ9Dvsq2S5iDhUZL/NAQ/aI6XJ52LTYVP6rhExnp
         h0rfeH0JhmRxvKBet8MC4PRuFitMXThDQN0Vp/NofFIlFWmPw/BEvVrqYjyNcborh9wi
         IJyrd6UkvSrAzffDo1PZOY2l/2ZKdT0LoyAo4HaNYM8dzE+1iyGnz+dtCiF07bUrW95v
         qfMBWMna9lAgjgpi5SVCmzbTqcs90RhlzbeKVwlLV0MnmK7lIjdpA5UVe6rOThnXQFmm
         TXagPODmdMK37ZRvXZ+NpNHrtSYMCLTEAFZd+Vyf5aL7fpSsza+f6MSjGKCNcQchlwKY
         S+8g==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=huaweicloud.com);
       spf=pass (google.com: domain of linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id n35-20020a634d63000000b005dc7e78163csi9584288pgl.458.2024.05.06.23.54.17
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 06 May 2024 23:54:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=huaweicloud.com);
       spf=pass (google.com: domain of linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-170778-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id C38E5B228F6
	for <linux.lists.archive@gmail.com>; Tue,  7 May 2024 06:52:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 0C3C978C99;
	Tue,  7 May 2024 06:52:28 +0000 (UTC)
Received: from dggsgout11.his.huawei.com (unknown [45.249.212.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3396178C7D;
	Tue,  7 May 2024 06:52:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715064747; cv=none; b=hUsv8sqL8Lzb6mcSx+wRDol32/4ULJgejPx07dLDhxCGVifaMJDQux5eBYz025k48sQl4ZhM0EG9QaNPMQABUT0XZcrnZR6MwKFwBYQP86HYnh7igx7yREJssxYYvPQWtNnLBgNnHW81kXMkSDJgaobSdJ62lSXnawn7N5vJ7eE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715064747; c=relaxed/simple;
	bh=NXFA2n7R8fudSZ/3T2nEa5Ke4g54M+TnC5DNvRyOtkA=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=a0FiZz/UKuLaF49GsFcncMEG+7eowegWZXF0jZ0zJtQPIx7ri07FVjOiZXoMX3WQ6M5vvMX1wJkV7vH2CYHBdZ2+p0BsF8W1yuFmV04of8w4npYx2sFDLYjqpwDZov+ye8JWCILDxNWQFuaON27gNthX3H0wbgZYMe17kkcnu60=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com
Received: from mail.maildlp.com (unknown [172.19.93.142])
	by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4VYTV73X47z4f3jkr;
	Tue,  7 May 2024 14:52:15 +0800 (CST)
Received: from mail02.huawei.com (unknown [10.116.40.112])
	by mail.maildlp.com (Postfix) with ESMTP id BEF1B1A0179;
	Tue,  7 May 2024 14:52:20 +0800 (CST)
Received: from [10.174.177.174] (unknown [10.174.177.174])
	by APP1 (Coremail) with SMTP id cCh0CgAn9g6gzzlmdMbyLw--.9131S3;
	Tue, 07 May 2024 14:52:20 +0800 (CST)
Message-ID: <7c5f0e28-100f-621e-61e2-65e5071f6a22@huaweicloud.com>
Date: Tue, 7 May 2024 14:52:16 +0800
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.1.2
Subject: Re: [PATCH 01/12] cachefiles: remove request from xarry during flush
 requests
To: Jingbo Xu <jefflexu@linux.alibaba.com>, netfs@lists.linux.dev
Cc: dhowells@redhat.com, jlayton@kernel.org, zhujia.zj@bytedance.com,
 linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org,
 linux-kernel@vger.kernel.org, yangerkun <yangerkun@huawei.com>,
 libaokun@huaweicloud.com
References: <20240424033916.2748488-1-libaokun@huaweicloud.com>
 <20240424033916.2748488-2-libaokun@huaweicloud.com>
 <6e4a20f7-263a-46be-81cc-2667353c452d@linux.alibaba.com>
 <ba40eb22-dc28-54b6-a8cb-7a8ba4464c9a@huaweicloud.com>
 <876cd180-6268-4f1a-a3bc-6b7b2aa3279f@linux.alibaba.com>
Content-Language: en-US
From: Baokun Li <libaokun@huaweicloud.com>
In-Reply-To: <876cd180-6268-4f1a-a3bc-6b7b2aa3279f@linux.alibaba.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-CM-TRANSID:cCh0CgAn9g6gzzlmdMbyLw--.9131S3
X-Coremail-Antispam: 1UD129KBjvJXoWxJFW7Ary3ZF4DCr13Xr47Arb_yoWrCr48pr
	ySyFy7Jry8Gr1kJr1UJr1UJryUJr1UJ3WUXr1UJF18Ar1UAr1Yqr4UXr1vgryUJrW8Jr4U
	Jr1UJr17Zr1UJr7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUU9Y14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWUuVWrJwAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U
	JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc
	CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
	2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
	W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka
	0xkIwI1lc7I2V7IY0VAS07AlzVAYIcxG8wCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x
	kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E
	67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw
	CI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6rW3Jr0E
	3s1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JbIYCT
	nIWIevJa73UjIFyTuYvjfUoOJ5UUUUU
X-CM-SenderInfo: 5olet0hnxqqx5xdzvxpfor3voofrz/

Hi Jingbo,

Sorry for the late reply.

On 2024/5/6 13:50, Jingbo Xu wrote:
>
> On 5/6/24 11:57 AM, Baokun Li wrote:
>> On 2024/5/6 11:48, Jingbo Xu wrote:
>>> On 4/24/24 11:39 AM, libaokun@huaweicloud.com wrote:
>>>> From: Baokun Li <libaokun1@huawei.com>
>>>>
>>>> This prevents concurrency from causing access to a freed req.
>>> Could you give more details on how the concurrent access will happen?
>>> How could another process access the &cache->reqs xarray after it has
>>> been flushed?
>> Similar logic to restore leading to UAF:
>>
>>       mount  |   daemon_thread1    |    daemon_thread2
>> ------------------------------------------------------------
>>   cachefiles_ondemand_init_object
>>    cachefiles_ondemand_send_req
>>     REQ_A = kzalloc(sizeof(*req) + data_len)
>>     wait_for_completion(&REQ_A->done)
>>
>>              cachefiles_daemon_read
>>               cachefiles_ondemand_daemon_read
>>                REQ_A = cachefiles_ondemand_select_req
>>                cachefiles_ondemand_get_fd
>>                copy_to_user(_buffer, msg, n)
>>              process_open_req(REQ_A)
>>                                    // close dev fd
>>                                    cachefiles_flush_reqs
>>                                     complete(&REQ_A->done)
>>     kfree(REQ_A)
>
>>               cachefiles_ondemand_get_fd(REQ_A)
>>                fd = get_unused_fd_flags
>>                file = anon_inode_getfile
>>                fd_install(fd, file)
>>                load = (void *)REQ_A->msg.data;
>>                load->fd = fd;
>>                // load UAF !!!
> How could the second cachefiles_ondemand_get_fd() get called here, given
> the cache has been flushed and flagged as DEAD?
>
I was in a bit of a rush to reply earlier, and that graph above is
wrong. Please see the one below:

      mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
  cachefiles_ondemand_init_object
   cachefiles_ondemand_send_req
    REQ_A = kzalloc(sizeof(*req) + data_len)
    wait_for_completion(&REQ_A->done)
             cachefiles_daemon_read
              cachefiles_ondemand_daemon_read
                                   // close dev fd
                                   cachefiles_flush_reqs
                                    complete(&REQ_A->done)
    kfree(REQ_A)
               xa_lock(&cache->reqs);
               cachefiles_ondemand_select_req
                 req->msg.opcode != CACHEFILES_OP_READ
                 // req use-after-free !!!
               xa_unlock(&cache->reqs);
                                    xa_destroy(&cache->reqs)

Even with CACHEFILES_DEAD set, we can still read the requests, so
accessing it after the request has been freed will trigger use-after-free.

Thanks,
Baokun
>>>> ---
>>>>    fs/cachefiles/daemon.c | 1 +
>>>>    1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
>>>> index 6465e2574230..ccb7b707ea4b 100644
>>>> --- a/fs/cachefiles/daemon.c
>>>> +++ b/fs/cachefiles/daemon.c
>>>> @@ -159,6 +159,7 @@ static void cachefiles_flush_reqs(struct
>>>> cachefiles_cache *cache)
>>>>        xa_for_each(xa, index, req) {
>>>>            req->error = -EIO;
>>>>            complete(&req->done);
>>>> +        __xa_erase(xa, index);
>>>>        }
>>>>        xa_unlock(xa);
>>>>