From: Shakeel Butt
Date: Tue, 1 Dec 2020 10:42:31 -0800
Subject: Re: [PATCH] mm: mmap_lock: fix use-after-free race and css ref leak in tracepoints
To: Greg Thelen
Cc: Axel Rasmussen, Andrew Morton, Chinwen Chang, Daniel Jordan, David Rientjes, Davidlohr Bueso, Ingo Molnar, Jann Horn, Laurent Dufour, Michel Lespinasse, Stephen Rothwell, Steven Rostedt, Vlastimil Babka, Yafang Shao, "David S . Miller", dsahern@kernel.org, Greg Kroah-Hartman, Jakub Kicinski, liuhangbin@gmail.com, Tejun Heo, LKML, Linux MM
References: <20201130233504.3725241-1-axelrasmussen@google.com>
Sender: owner-linux-mm@kvack.org

On Tue, Dec 1, 2020 at 9:56 AM Greg Thelen wrote:
>
> Axel Rasmussen wrote:
>
> > On Mon, Nov 30, 2020 at 5:34 PM Shakeel Butt wrote:
> >>
> >> On Mon, Nov 30, 2020 at 3:43 PM Axel Rasmussen wrote:
> >> >
> >> > syzbot reported[1] a use-after-free introduced in 0f818c4bc1f3. The bug
> >> > is that an ongoing trace event might race with the tracepoint being
> >> > disabled (and therefore the _unreg() callback being called). Consider
> >> > this ordering:
> >> >
> >> > T1: trace event fires, get_mm_memcg_path() is called
> >> > T1: get_memcg_path_buf() returns a buffer pointer
> >> > T2: trace_mmap_lock_unreg() is called, buffers are freed
> >> > T1: cgroup_path() is called with the now-freed buffer
> >>
> >> Any reason to use the cgroup_path instead of the cgroup_ino? There are
> >> other examples of trace points using cgroup_ino and no need to
> >> allocate buffers. Also cgroup namespace might complicate the path
> >> usage.
> >
> > Hmm, so in general I would love to use a numeric identifier instead of a string.
> >
> > I did some reading, and it looks like the cgroup_ino() mainly has to
> > do with writeback, instead of being just a general identifier?
> > https://www.kernel.org/doc/Documentation/cgroup-v2.txt

I think you are confusing cgroup inodes with real filesystem inodes in that doc.

> >
> > There is cgroup_id() which I think is almost what I'd want, but there
> > are a couple problems with it:
> >
> > - I don't know of a way for userspace to translate IDs -> paths, to
> > make them human readable?
>
> The id => name map can be built from user space with a tree walk.
> Example:
>
> $ find /sys/fs/cgroup/memory -type d -printf '%i %P\n' # ~ [main]
> 20387 init.scope
> 31 system.slice
>
> > - Also I think the ID implementation we use for this is "dense",
> > meaning if a cgroup is removed, its ID is likely to be quickly reused.
>

The IDs for cgroup nodes (underlying it is kernfs) are allocated from idr_alloc_cyclic(), which gives a new ID after the last allocated ID and wraps after around INT_MAX IDs. So the likelihood of repetition is very low. Also the file_handle returned by name_to_handle_at() for cgroupfs returns the inode ID, which gives confidence to the claim of a low chance of ID reuse.
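The T1/T2 ordering quoted above is easier to reason about with a model that can actually be run. The following C program is an added example, not code from this thread or from the kernel patch under discussion: it models the path buffer in userspace and forces the reported interleaving (T2 attempts to unregister while T1 sits between taking the buffer and writing into it). The rwlock that turns the handler's "take buffer, write path" into one critical section is this example's own mitigation pattern, chosen for illustration only; path_pool, trace_event, unreg and run_race_scenario are hypothetical names, and the path string is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define PATH_BUF_LEN 64

/* Constructed userspace model of the tracepoint's path buffer: trace events
 * are readers on the rwlock, the unregister callback is the single writer.
 * The lock is this example's own mitigation pattern, not the kernel patch. */
struct path_pool {
    char *buf;                 /* NULL once unreg() has torn the pool down */
    pthread_rwlock_t lock;
};

/* Monotonic counter so the caller can prove "use" happened before "free".
 * Every call happens under the pool lock (or after both threads joined),
 * so plain storage is enough here. */
static unsigned long g_seq;
static unsigned long next_seq(void) { return ++g_seq; }

/* Rendezvous that forces the reported interleaving: T2 only attempts unreg()
 * once T1 has already taken the buffer. */
struct handoff { pthread_mutex_t mu; pthread_cond_t cv; int got_buf; };

static void handoff_signal(struct handoff *h) {
    pthread_mutex_lock(&h->mu);
    h->got_buf = 1;
    pthread_cond_broadcast(&h->cv);
    pthread_mutex_unlock(&h->mu);
}

static void handoff_wait(struct handoff *h) {
    pthread_mutex_lock(&h->mu);
    while (!h->got_buf)
        pthread_cond_wait(&h->cv, &h->mu);
    pthread_mutex_unlock(&h->mu);
}

/* T1: the "get buffer" and "write path" steps share one read-side critical
 * section, so the buffer cannot be freed between them.  Returns 0 on success,
 * -1 when the tracepoint is already unregistered (event skipped, no deref). */
static int trace_event(struct path_pool *p, const char *path,
                       struct handoff *h, unsigned long *use_seq) {
    pthread_rwlock_rdlock(&p->lock);
    if (!p->buf) {
        pthread_rwlock_unlock(&p->lock);
        return -1;
    }
    if (h) {                      /* open the race window: let T2 try unreg() now */
        handoff_signal(h);
        struct timespec ts = { 0, 20 * 1000 * 1000 };   /* 20 ms */
        nanosleep(&ts, NULL);
    }
    snprintf(p->buf, PATH_BUF_LEN, "%s", path);   /* stands in for cgroup_path() */
    *use_seq = next_seq();
    pthread_rwlock_unlock(&p->lock);
    return 0;
}

/* T2: the _unreg() callback.  The write lock waits for every in-flight event. */
static void unreg(struct path_pool *p, unsigned long *free_seq) {
    pthread_rwlock_wrlock(&p->lock);
    free(p->buf);
    p->buf = NULL;
    *free_seq = next_seq();
    pthread_rwlock_unlock(&p->lock);
}

struct thread_args { struct path_pool *pool; struct handoff *h; unsigned long seq; int rc; };

static void *t1_fn(void *arg) {
    struct thread_args *a = arg;
    a->rc = trace_event(a->pool, "/example/memcg", a->h, &a->seq);  /* constructed path */
    return NULL;
}

static void *t2_fn(void *arg) {
    struct thread_args *a = arg;
    handoff_wait(a->h);           /* T1 holds the buffer: now try to free it */
    unreg(a->pool, &a->seq);
    return NULL;
}

/* Runs the T1/T2 ordering from the report.  Returns 0 when the event finished
 * before the free and a later event saw the pool as unregistered, -1 otherwise;
 * use_seq/free_seq receive the observed order. */
int run_race_scenario(unsigned long *use_seq, unsigned long *free_seq) {
    struct path_pool pool = { calloc(1, PATH_BUF_LEN), PTHREAD_RWLOCK_INITIALIZER };
    struct handoff h = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0 };
    struct thread_args t1 = { &pool, &h, 0, 0 }, t2 = { &pool, &h, 0, 0 };
    pthread_t th1, th2;
    unsigned long late_seq = 0;

    if (!pool.buf)
        return -1;
    pthread_create(&th2, NULL, t2_fn, &t2);
    pthread_create(&th1, NULL, t1_fn, &t1);
    pthread_join(th1, NULL);
    pthread_join(th2, NULL);
    *use_seq = t1.seq;
    *free_seq = t2.seq;
    int late_rc = trace_event(&pool, "/late", NULL, &late_seq);  /* after unreg: must bail */
    return (t1.rc == 0 && late_rc == -1 && t1.seq < t2.seq) ? 0 : -1;
}
```

With the lock in place the unregister thread can only proceed once the in-flight event has released the buffer, so the recorded sequence numbers always show the use before the free, and an event that fires after unregistration sees a NULL buffer and skips tracing instead of touching freed memory. Remove the read-side section around the two steps and the same scheduling reproduces the ordering quoted above.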
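On the reuse question, the difference between a "dense" allocator and a cyclic one is small enough to show with a toy model. The following C code is an added example, not this thread's or the kernel's IDR implementation: it models both policies over a deliberately tiny ID range so that the wrap-around, which idr_alloc_cyclic() would only reach after around INT_MAX allocations, becomes visible. id_space, dense_alloc, cyclic_alloc and reuse_sequence are hypothetical names for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model (constructed for this example, not the kernel's IDR code) of
 * the two ID policies under discussion.  The range is tiny so the wrap-around
 * is visible; the kernel's cyclic allocator wraps after about INT_MAX IDs. */
#define ID_MIN 1
#define ID_MAX 8

struct id_space {
    unsigned char used[ID_MAX + 1];   /* used[id] != 0 while id is allocated */
    int next;                         /* cursor: first candidate for cyclic_alloc() */
};

void id_space_init(struct id_space *s) {
    memset(s, 0, sizeof *s);
    s->next = ID_MIN;
}

/* First free ID in [lo, hi], or -1 if none. */
static int first_free(const struct id_space *s, int lo, int hi) {
    for (int id = lo; id <= hi; id++)
        if (!s->used[id])
            return id;
    return -1;
}

/* "Dense" policy: always the lowest free ID, so a freed ID comes back at once. */
int dense_alloc(struct id_space *s) {
    int id = first_free(s, ID_MIN, ID_MAX);
    if (id > 0)
        s->used[id] = 1;
    return id;
}

/* Cyclic policy, in the style of idr_alloc_cyclic(): try [next, ID_MAX] first
 * and wrap to the bottom of the range only when that fails. */
int cyclic_alloc(struct id_space *s) {
    int id = first_free(s, s->next, ID_MAX);
    if (id < 0)
        id = first_free(s, ID_MIN, ID_MAX);
    if (id < 0)
        return -1;
    s->used[id] = 1;
    s->next = (id < ID_MAX) ? id + 1 : ID_MIN;
    return id;
}

void id_free(struct id_space *s, int id) {
    if (id >= ID_MIN && id <= ID_MAX)
        s->used[id] = 0;
}

/* Allocate five IDs, free the third, then record what the next n allocations
 * return (-1 once the range is exhausted).  Returns the number that succeeded. */
int reuse_sequence(int (*alloc)(struct id_space *), int *out, int n) {
    struct id_space s;
    id_space_init(&s);
    for (int i = 0; i < 5; i++)
        alloc(&s);
    id_free(&s, 3);
    int count = 0;
    for (int i = 0; i < n; i++) {
        out[i] = alloc(&s);
        if (out[i] > 0)
            count++;
    }
    return count;
}

int main(void) {
    int d[5], c[5];
    reuse_sequence(dense_alloc, d, 5);
    reuse_sequence(cyclic_alloc, c, 5);
    printf("dense : %d %d %d %d %d\n", d[0], d[1], d[2], d[3], d[4]);
    printf("cyclic: %d %d %d %d %d\n", c[0], c[1], c[2], c[3], c[4]);
    return 0;
}
```

After five allocations and freeing ID 3, the dense policy hands 3 straight back, while the cyclic policy returns 6, 7 and 8 first and only then 3, once the top of the range is exhausted. With a range of roughly INT_MAX rather than 8, that wrap is what makes a quick repeat of a freed cgroup ID unlikely in practice.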