From: Hillf Danton
To: Suren Baghdasaryan
Cc: Munehisa Kamata, Tejun Heo, ebiggers@kernel.org, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mengcc@amazon.com
Subject: Re: another use-after-free in ep_remove_wait_queue()
Date: Sat, 21 Jan 2023 13:17:46 +0800
Message-Id: <20230121051746.4100-1-hdanton@sina.com>
In-Reply-To:
References: <20230113022555.2467724-1-kamatam@amazon.com> <20230120013055.3628-1-hdanton@sina.com> <20230120090001.3807-1-hdanton@sina.com>

On Fri, 20 Jan 2023 08:28:25 -0800 Suren Baghdasaryan
> On Fri, Jan 20, 2023 at 1:00 AM Hillf Danton wrote:
> > +++ b/kernel/sched/psi.c
> > @@ -1529,6 +1529,7 @@ static int psi_fop_release(struct inode
> > {
> > struct seq_file *seq = file->private_data;
> >
> > + eventpoll_release_file(file);
>
> Be careful here and see the comment in
> https://elixir.bootlin.com/linux/latest/source/fs/eventpoll.c#L912.
> eventpoll_release_file() assumes that the last fput() was called and
> nobody other than ep_free() will race with us. So, this will not be
> that simple.

The epmutex serializes eventpoll_release_file() and ep_free(). And this
is in psi_fop_release(), so no chance is likely left for another release.

> Besides if we really need to fix the order here, the fix
> should be somewhere at the level of cgroup_file_release() or even
> kernfs to work for other similar situations.

Good point but cgroup and kernfs have no idea of psi trigger. The bonus
of the uaf is to check the polled file upon release in scenarios like
the psi trigger.
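Review bot: the added `+ eventpoll_release_file(file);` in psi_fop_release() calls an eventpoll-internal teardown hook from a file_operations .release callback with nothing in the hunk establishing the precondition the reply points at (the fs/eventpoll.c comment: the last fput() has already happened and only ep_free() can race with it). The justification given in the reply, that epmutex serializes eventpoll_release_file() against ep_free() and that psi_fop_release() leaves no other release path, is the entire reason the call is safe, so it should be a comment directly above the call; a reader of psi.c otherwise sees only `struct seq_file *seq = file->private_data;` as context and no hint that the regular last-fput path will also run eventpoll release for this file, i.e. that the call is expected to execute twice and must be harmless the second time under epmutex. If that double invocation cannot be shown safe for every caller of psi_fop_release(), the alternative raised in the thread, fixing the ordering in cgroup_file_release() or in kernfs rather than in the psi .release callback, avoids relying on it at all.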