Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1794554lqo;
        Sun, 12 May 2024 20:08:57 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUtEQ7WA9Jgr+ldgzROeKKcnVGTnXu1Cj4Drd8C/KA2/L9l6l0/nvGJ6fWV+Ra4KXc/iOvbO2rmkoBE0gf2HmLglUPng5blesa1Z0PnGA==
X-Google-Smtp-Source: AGHT+IGGkHYarMMhk0wbRDNzEXqN0nMUel7RCgUbSuNWgOhz1Rv8E3nEV6WYWkIFCEGYStTsLCno
X-Received: by 2002:ac8:5f96:0:b0:43a:bcd7:9898 with SMTP id d75a77b69052e-43dfdb0713dmr108447911cf.5.1715569737326;
        Sun, 12 May 2024 20:08:57 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715569737; cv=pass;
        d=google.com; s=arc-20160816;
        b=OU3YAIbrDnwOC7I51DIwwJ0pyoSj/1FcQ0E6oZZegMQ8wc9JNPzTbUyHeNYGOPxT9O
         0e2HrQlJ+3g+g0fvMv7WMNLHFQi7mDfgGui3U9IpY1xlYo2vYJdiLCqBkj8r+nu6T0Mx
         wzVCW8lZRAhlriDsSt6/4ITssMz+/VoobjpQK0hvu7QDInJHIYLUPjPjMUe+boTkhldX
         jaBEdhG+YMURE1PwlYdVNePg+9l46gjQBuEcCphu8sbo6Ab0SJa8Q9MCz0oMEgRP+eaN
         Qq1EPqCP41fTWUClGBWgwePhQOa9agGXHrFMtXq8E+0OghvtQEFOXydH1Y+Hd8S3glq5
         vXqg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:message-id:content-transfer-encoding:mime-version
         :list-unsubscribe:list-subscribe:list-id:precedence:subject:date
         :from:dkim-signature;
        bh=tnZpkKg9cgdujd3Aq4lD9/9/FxuyG285EmfT33GGzAE=;
        fh=992X3xUr/4iO6rGTP8ERf82RIkvBNcLOVSUgEfn2wQs=;
        b=rGEfrcveOwfrHyw8X/Z6r4bybHV5hmoR6j6zP2n73ifR5yA0D8A46sATXEtK9vYdlV
         d7Lb88YdZ4Yzt3FVTlljs6AZIlzhSLfLpzw71AKEdFQmi8BIIHBkL4/d6AX/JvgS5iQs
         w5yQEVwDFiX25hfOHUge6idWg9Q7a1DBn4qgHlrV7uQY3HjYa29ZACmN9EsUTatBW6tb
         Yp70XSlDpHakC339tDM2r8vNaWF5dKiBtnTWqcAI8VZd1JiZ2zD0WZcgMn2xElgpIebD
         /2gbBNa5FKY/xQwtWlEkc3x2r/Owv2kE9wDIK5d9twalPkM3lK4aHOn3BQjOoFLf1FNV
         IbTA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=PmPPUFps;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Return-Path: <linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id d75a77b69052e-43df87cdc3fsi79597551cf.771.2024.05.12.20.08.57
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 May 2024 20:08:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.dev header.s=key1 header.b=PmPPUFps;
       arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev);
       spf=pass (google.com: domain of linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-177121-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 10F691C20DBE
	for <linux.lists.archive@gmail.com>; Mon, 13 May 2024 03:08:57 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 349B8145B23;
	Mon, 13 May 2024 03:08:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="PmPPUFps"
Received: from out-188.mta1.migadu.com (out-188.mta1.migadu.com [95.215.58.188])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2CA3712AAEA
	for <linux-kernel@vger.kernel.org>; Mon, 13 May 2024 03:08:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.188
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715569727; cv=none; b=rM6EfkKD9WHsLdoV8p3Swdgdt58n92TOeled1dLCYeoLNvGnADwuLr869PWv0T/s6roPNx3sWxAbMd+ODPCZQsyYeUfU12TLeqo4IiAVmubb0k9LMxZlPaleDvjdgIGcNslhMykK1QMQyNYZAnaC+oV4TzL3qaK/RkxnS1Kq5SQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715569727; c=relaxed/simple;
	bh=gA/7lXvyMG7IHm8IrlNnrTBKaBmoPVKDklOfk18TL/A=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=Kahs3VxKBMTz+ol6uQH25+b7LM63VR/v5xisEYeyFwDC3Zy0kPyFj4dAv/vIobJmVGPp2dix5pn3N1HJ5FJe1VFoDIsSVjCYR3rM3iN6vVTJvcsGNnZPycHkWPH2O/rnOcph/Ttw6Z5H5IC6OdqHZwjt/M33Ai9urmxk9w8PeBs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=PmPPUFps; arc=none smtp.client-ip=95.215.58.188
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1;
	t=1715569722;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=tnZpkKg9cgdujd3Aq4lD9/9/FxuyG285EmfT33GGzAE=;
	b=PmPPUFpsmDLdW9nAkuKBKOvQZhhIMr8XxYT78ICVRwJkHxeFtr3iwVxZeKxFfc+l48Hb+U
	qEtyYgQxc6qVfOvr38nbMTX+k8D7q2NQOQYMtI/90IYOLKoL4qsJUSjQ5aToFa+TB10LYA
	K7vD1DH5aJPSMiMe6JRe8ICGml5Hu2E=
From: Chengming Zhou <chengming.zhou@linux.dev>
Date: Mon, 13 May 2024 11:07:56 +0800
Subject: [PATCH] mm/ksm: fix possible UAF of stable_node
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20240513-b4-ksm-stable-node-uaf-v1-1-f687de76f452@linux.dev>
X-B4-Tracking: v=1; b=H4sIAAuEQWYC/x3MzQpCIRBA4VeRWTegZgW9SrTwZ6yh0nDujQviu
 19p+S3O6SDUmASuqkOjHwvXMmEOCuLTlwchp2mw2jp9MkcMDl/yQVl8eBOWmghXnzHGeMlkczq
 HBDP+Nsq8/ce3+xg7I7TMe2gAAAA=
To: Andrew Morton <akpm@linux-foundation.org>, 
 David Hildenbrand <david@redhat.com>, Hugh Dickins <hughd@google.com>, 
 Andrea Arcangeli <aarcange@redhat.com>, Stefan Roesch <shr@devkernel.io>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, 
 zhouchengming@bytedance.com, Chengming Zhou <chengming.zhou@linux.dev>
X-Developer-Signature: v=1; a=ed25519-sha256; t=1715569718; l=1596;
 i=chengming.zhou@linux.dev; s=20240508; h=from:subject:message-id;
 bh=gA/7lXvyMG7IHm8IrlNnrTBKaBmoPVKDklOfk18TL/A=;
 b=B1X1HMHHKXtit/7X6hdcXthfuE0UbCscRgiIoqnVwo40ChWPCoX/sArCTV7ZidHLIxvtW5T7l
 YL7nsjs5gk9Bhu6S6h66FOVNFhh0XGvCuDXijPKZ9B8GBzQtTuj9mRK
X-Developer-Key: i=chengming.zhou@linux.dev; a=ed25519;
 pk=kx40VUetZeR6MuiqrM7kPCcGakk1md0Az5qHwb6gBdU=
X-Migadu-Flow: FLOW_OUT

The commit 2c653d0ee2ae ("ksm: introduce ksm_max_page_sharing per page
deduplication limit") introduced a possible failure case in the
stable_tree_insert(), where we may free the new allocated stable_node_dup
if we fail to prepare the missing chain node.

Then that kfolio return and unlock with a freed stable_node set... And
any MM activities can come in to access kfolio->mapping, so UAF.

Fix it by moving folio_set_stable_node() to the end after stable_node
is inserted successfully.

Fixes: 2c653d0ee2ae ("ksm: introduce ksm_max_page_sharing per page deduplication limit")
Signed-off-by: Chengming Zhou <chengming.zhou@linux.dev>
---
 mm/ksm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/ksm.c b/mm/ksm.c
index e1034bf1c937..a8b76af5cf64 100644
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -2153,7 +2153,6 @@ static struct ksm_stable_node *stable_tree_insert(struct folio *kfolio)
 
 	INIT_HLIST_HEAD(&stable_node_dup->hlist);
 	stable_node_dup->kpfn = kpfn;
-	folio_set_stable_node(kfolio, stable_node_dup);
 	stable_node_dup->rmap_hlist_len = 0;
 	DO_NUMA(stable_node_dup->nid = nid);
 	if (!need_chain) {
@@ -2172,6 +2171,8 @@ static struct ksm_stable_node *stable_tree_insert(struct folio *kfolio)
 		stable_node_chain_add_dup(stable_node_dup, stable_node);
 	}
 
+	folio_set_stable_node(kfolio, stable_node_dup);
+
 	return stable_node_dup;
 }
 

---
base-commit: 7e8aafe0636cdcc5c9699ced05ff1f8ffcb937e2
change-id: 20240513-b4-ksm-stable-node-uaf-ccc7fe2fd6bd

Best regards,
-- 
Chengming Zhou <chengming.zhou@linux.dev>