From: libaokun@huaweicloud.com
To: netfs@lists.linux.dev, dhowells@redhat.com, jlayton@kernel.org
Cc: hsiangkao@linux.alibaba.com, jefflexu@linux.alibaba.com,
zhujia.zj@bytedance.com, linux-erofs@lists.ozlabs.org,
brauner@kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, libaokun@huaweicloud.com,
yangerkun@huawei.com, houtao1@huawei.com, yukuai3@huawei.com,
wozizhi@huawei.com, Baokun Li <libaokun1@huawei.com>
Subject: [PATCH v3 8/9] cachefiles: cyclic allocation of msg_id to avoid reuse
Date: Fri, 28 Jun 2024 14:29:29 +0800 [thread overview]
Message-ID: <20240628062930.2467993-9-libaokun@huaweicloud.com> (raw)
In-Reply-To: <20240628062930.2467993-1-libaokun@huaweicloud.com>
From: Baokun Li <libaokun1@huawei.com>
Reusing the msg_id after a maliciously completed reopen request may cause
a read request to remain unprocessed and result in a hung, as shown below:
t1 | t2 | t3
-------------------------------------------------
cachefiles_ondemand_select_req
cachefiles_ondemand_object_is_close(A)
cachefiles_ondemand_set_object_reopening(A)
queue_work(fscache_object_wq, &info->work)
ondemand_object_worker
cachefiles_ondemand_init_object(A)
cachefiles_ondemand_send_req(OPEN)
// get msg_id 6
wait_for_completion(&req_A->done)
cachefiles_ondemand_daemon_read
// read msg_id 6 req_A
cachefiles_ondemand_get_fd
copy_to_user
// Malicious completion msg_id 6
copen 6,-1
cachefiles_ondemand_copen
complete(&req_A->done)
// will not set the object to close
// because ondemand_id && fd is valid.
// ondemand_object_worker() is done
// but the object is still reopening.
// new open req_B
cachefiles_ondemand_init_object(B)
cachefiles_ondemand_send_req(OPEN)
// reuse msg_id 6
process_open_req
copen 6,A.size
// The expected failed copen was executed successfully
Expect copen to fail, and when it does, it closes fd, which sets the
object to close, and then close triggers reopen again. However, due to
msg_id reuse resulting in a successful copen, the anonymous fd is not
closed until the daemon exits. Therefore read requests waiting for reopen
to complete may trigger hung task.
To avoid this issue, allocate the msg_id cyclically to avoid reusing the
msg_id for a very short duration of time.
Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
fs/cachefiles/internal.h | 1 +
fs/cachefiles/ondemand.c | 20 ++++++++++++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
index a1a1d25e9514..7b99bd98de75 100644
--- a/fs/cachefiles/internal.h
+++ b/fs/cachefiles/internal.h
@@ -129,6 +129,7 @@ struct cachefiles_cache {
unsigned long req_id_next;
struct xarray ondemand_ids; /* xarray for ondemand_id allocation */
u32 ondemand_id_next;
+ u32 msg_id_next;
};
static inline bool cachefiles_in_ondemand_mode(struct cachefiles_cache *cache)
diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
index 1d5b970206d0..470c96658385 100644
--- a/fs/cachefiles/ondemand.c
+++ b/fs/cachefiles/ondemand.c
@@ -528,20 +528,32 @@ static int cachefiles_ondemand_send_req(struct cachefiles_object *object,
smp_mb();
if (opcode == CACHEFILES_OP_CLOSE &&
- !cachefiles_ondemand_object_is_open(object)) {
+ !cachefiles_ondemand_object_is_open(object)) {
WARN_ON_ONCE(object->ondemand->ondemand_id == 0);
xas_unlock(&xas);
ret = -EIO;
goto out;
}
- xas.xa_index = 0;
+ /*
+ * Cyclically find a free xas to avoid msg_id reuse that would
+ * cause the daemon to successfully copen a stale msg_id.
+ */
+ xas.xa_index = cache->msg_id_next;
xas_find_marked(&xas, UINT_MAX, XA_FREE_MARK);
+ if (xas.xa_node == XAS_RESTART) {
+ xas.xa_index = 0;
+ xas_find_marked(&xas, cache->msg_id_next - 1, XA_FREE_MARK);
+ }
if (xas.xa_node == XAS_RESTART)
xas_set_err(&xas, -EBUSY);
+
xas_store(&xas, req);
- xas_clear_mark(&xas, XA_FREE_MARK);
- xas_set_mark(&xas, CACHEFILES_REQ_NEW);
+ if (xas_valid(&xas)) {
+ cache->msg_id_next = xas.xa_index + 1;
+ xas_clear_mark(&xas, XA_FREE_MARK);
+ xas_set_mark(&xas, CACHEFILES_REQ_NEW);
+ }
xas_unlock(&xas);
} while (xas_nomem(&xas, GFP_KERNEL));
--
2.39.2
next prev parent reply other threads:[~2024-06-28 6:31 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-28 6:29 [PATCH v3 0/9] cachefiles: random bugfixes libaokun
2024-06-28 6:29 ` [PATCH v3 1/9] netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume() libaokun
2024-06-28 6:29 ` [PATCH v3 2/9] cachefiles: fix slab-use-after-free in fscache_withdraw_volume() libaokun
2024-06-28 6:29 ` [PATCH v3 3/9] cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() libaokun
2024-06-28 6:29 ` [PATCH v3 4/9] cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop libaokun
2024-06-28 7:30 ` Gao Xiang
2024-06-28 6:29 ` [PATCH v3 5/9] cachefiles: stop sending new request when dropping object libaokun
2024-06-28 6:51 ` Gao Xiang
2024-07-02 12:29 ` [External] " Jia Zhu
2024-06-28 6:29 ` [PATCH v3 6/9] cachefiles: cancel all requests for the object that is being dropped libaokun
2024-06-28 7:21 ` Gao Xiang
2024-07-02 12:31 ` [External] " Jia Zhu
2024-06-28 6:29 ` [PATCH v3 7/9] cachefiles: wait for ondemand_object_worker to finish when dropping object libaokun
2024-06-28 7:22 ` Gao Xiang
2024-06-28 6:29 ` libaokun [this message]
2024-07-02 12:34 ` [External] [PATCH v3 8/9] cachefiles: cyclic allocation of msg_id to avoid reuse Jia Zhu
2024-06-28 6:29 ` [PATCH v3 9/9] cachefiles: add missing lock protection when polling libaokun
2024-06-28 7:39 ` [PATCH v3 0/9] cachefiles: random bugfixes Gao Xiang
2024-06-28 11:37 ` Baokun Li
2024-07-02 12:25 ` Baokun Li
2024-07-03 8:30 ` (subset) " Christian Brauner
2024-07-03 8:37 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240628062930.2467993-9-libaokun@huaweicloud.com \
--to=libaokun@huaweicloud.com \
--cc=brauner@kernel.org \
--cc=dhowells@redhat.com \
--cc=houtao1@huawei.com \
--cc=hsiangkao@linux.alibaba.com \
--cc=jefflexu@linux.alibaba.com \
--cc=jlayton@kernel.org \
--cc=libaokun1@huawei.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netfs@lists.linux.dev \
--cc=wozizhi@huawei.com \
--cc=yangerkun@huawei.com \
--cc=yukuai3@huawei.com \
--cc=zhujia.zj@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).