Date: Fri, 27 Oct 2023 18:50:44 +0800
From: Herbert Xu
To: WangJinchao
Cc: steffen.klassert@secunet.com, daniel.m.jordan@oracle.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, stone.xulei@xfusion.com
Subject: Re: [PATCH v4] padata: Fix refcnt handling in padata_free_shell()
In-Reply-To: <202310160854+0800-wangjinchao@xfusion.com>

WangJinchao wrote:
> In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
> to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
> the pcrypt_aead01 function call, I'll describe the problem scenario
> using a simplified model:
>
> Suppose there's a user of padata named `user_function` that adheres to
> the padata requirement of calling `padata_free_shell` after `serial()`
> has been invoked, as demonstrated in the following code:
>
> ```c
> struct request {
>         struct padata_priv padata;
>         struct completion *done;
> };
>
> void parallel(struct padata_priv *padata) {
>         do_something();
> }
>
> void serial(struct padata_priv *padata) {
>         struct request *request = container_of(padata,
>                                                struct request,
>                                                padata);
>         complete(request->done);
> }
>
> void user_function() {
>         DECLARE_COMPLETION(done);
>         padata->parallel = parallel;
>         padata->serial = serial;
>         padata_do_parallel();
>         wait_for_completion(&done);
>         padata_free_shell();
> }
> ```
>
> In the corresponding padata.c file, there's the following code:
>
> ```c
> static void padata_serial_worker(struct work_struct *serial_work) {
>         ...
>         cnt = 0;
>
>         while (!list_empty(&local_list)) {
>                 ...
>                 padata->serial(padata);
>                 cnt++;
>         }
>
>         local_bh_enable();
>
>         if (refcount_sub_and_test(cnt, &pd->refcnt))
>                 padata_free_pd(pd);
> }
> ```
>
> Because of the high system load and the accumulation of unexecuted
> softirqs at this moment, `local_bh_enable()` in padata takes longer
> to execute than usual. Subsequently, when accessing `pd->refcnt`,
> `pd` has already been released by `padata_free_shell()`, resulting
> in a UAF issue with `pd->refcnt`.
>
> The fix is straightforward: add `refcount_dec_and_test` before calling
> `padata_free_pd` in `padata_free_shell`.
>
> Fixes: 07928d9bfc81 ("padata: Remove broken queue flushing")
>
> Signed-off-by: WangJinchao
> Acked-by: Daniel Jordan
> ---
> V4:
>   Included Daniel's ack
>   Included Herbert's ack
> V3: https://lore.kernel.org/all/ZSDWAcUxXcwD4YUZ@fedora/
>   Included Daniel's ack
>   introduced wrong patch
> V2: https://lore.kernel.org/all/ZRTLHY5A+VqIKhA2@fedora/
>   To satisfy Sparse, use rcu_dereference_protected.
>   Reported-by: kernel test robot
>   Closes: https://lore.kernel.org/oe-kbuild-all/202309270829.xHgTOMKw-lkp@intel.com/
>
> V1: https://lore.kernel.org/all/ZRE4XvOOhz4HSOgR@fedora/
>
>  kernel/padata.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
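The race in the commit message above, replayed as an added userspace model. This is not kernel code and not the patch itself; the function names only loosely mirror padata.c. The losing interleaving (worker runs serial(), the woken user frees the shell, the worker then touches pd->refcnt) is forced by calling the steps in order rather than with real threads, and "freeing" only sets a flag so the touch-after-free is counted instead of being undefined behaviour. Two assumptions not stated on the page: pd starts with one reference owned by the shell plus one per queued request, and the refcount is modelled as a plain int because nothing here runs concurrently (the kernel's refcount_t is atomic).

```c
/* Added example: single-threaded model of the padata pd refcount race.
 * Not kernel code; a fake free marks pd instead of releasing memory so the
 * use-after-free is reported as a counter, and the interleaving is forced.
 * Assumption: one pd ref is owned by the shell, one more per queued request. */
#include <stdbool.h>
#include <stdio.h>

struct parallel_data {
	int refcnt;   /* kernel: refcount_t; plain int here, the model is single-threaded */
	bool freed;   /* set by fake_free_pd() instead of handing memory back */
};

struct padata_shell {
	struct parallel_data *pd;
};

struct scenario {
	struct parallel_data pd;
	struct padata_shell ps;
	int cnt;       /* requests the serial worker drained this round */
	int frees;     /* how many times pd was "freed" */
	int uaf_hits;  /* how many times pd was touched after being freed */
};

/* Same contract as the kernel helpers: true when the count drops to zero. */
static bool refcount_sub_and_test(int n, int *r) { *r -= n; return *r == 0; }
static bool refcount_dec_and_test(int *r) { return refcount_sub_and_test(1, r); }

static void fake_free_pd(struct scenario *s)
{
	s->frees++;
	s->pd.freed = true;
}

static void scenario_init(struct scenario *s, int queued)
{
	s->pd.refcnt = 1 + queued;  /* assumption: shell's ref + one per request */
	s->pd.freed = false;
	s->ps.pd = &s->pd;
	s->cnt = s->frees = s->uaf_hits = 0;
}

/* First half of padata_serial_worker(): serial() runs for each drained request.
 * In the real code serial() calls complete(), which is what lets the waiting
 * user reach padata_free_shell() before the worker is past local_bh_enable(). */
static void serial_worker_run_callbacks(struct scenario *s, int queued)
{
	s->cnt = queued;  /* stands for: padata->serial(padata); cnt++; */
}

/* Second half: what runs once local_bh_enable() finally returns. */
static void serial_worker_drop_refs(struct scenario *s)
{
	struct parallel_data *pd = s->ps.pd;

	if (pd->freed) {  /* in real memory, reading pd->refcnt here is the UAF */
		s->uaf_hits++;
		return;
	}
	if (refcount_sub_and_test(s->cnt, &pd->refcnt))
		fake_free_pd(s);
}

/* padata_free_shell() before the fix: releases pd without consulting refcnt. */
static void free_shell_buggy(struct scenario *s) { fake_free_pd(s); }

/* padata_free_shell() after the fix: drop only the shell's own reference;
 * the worker's outstanding references keep pd alive until it is done. */
static void free_shell_fixed(struct scenario *s)
{
	if (refcount_dec_and_test(&s->ps.pd->refcnt))
		fake_free_pd(s);
}

/* Force the losing interleaving from the commit message. */
static void run_race(struct scenario *s, int queued, bool fixed)
{
	scenario_init(s, queued);
	serial_worker_run_callbacks(s, queued);
	if (fixed)
		free_shell_fixed(s);
	else
		free_shell_buggy(s);
	serial_worker_drop_refs(s);
}

static int race_uaf_hits(int queued, bool fixed)
{ struct scenario s; run_race(&s, queued, fixed); return s.uaf_hits; }
static int race_frees(int queued, bool fixed)
{ struct scenario s; run_race(&s, queued, fixed); return s.frees; }
static int race_final_refcnt(int queued, bool fixed)
{ struct scenario s; run_race(&s, queued, fixed); return s.pd.refcnt; }

/* No request in flight: the fixed free_shell still releases pd itself. */
static int free_idle_shell_frees(void)
{ struct scenario s; scenario_init(&s, 0); free_shell_fixed(&s); return s.frees; }

int main(void)
{
	printf("buggy: uaf=%d frees=%d\n", race_uaf_hits(3, false), race_frees(3, false));
	printf("fixed: uaf=%d frees=%d refcnt=%d\n", race_uaf_hits(3, true),
	       race_frees(3, true), race_final_refcnt(3, true));
	printf("fixed, idle shell: frees=%d\n", free_idle_shell_frees());
	return 0;
}
```

With three requests drained, the buggy shell frees pd while the worker still holds three references, and the worker's later access is flagged; the fixed shell drops its single reference (4 to 3), the worker's sub_and_test takes 3 to 0 and frees exactly once. With nothing queued, the fixed path frees from the shell itself, so the change does not leak pd in the idle case.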