From: Waiman Long <longman@redhat.com>
Date: Wed, 14 Dec 2022 10:54:28 -0500
Subject: Re: [PATCH 2/2] mm/kmemleak: Fix UAF bug in kmemleak_scan()
To: Catalin Marinas
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song
References: <20221210230048.2841047-1-longman@redhat.com> <20221210230048.2841047-3-longman@redhat.com>

On 12/14/22 06:16, Catalin Marinas wrote:
> On Sat, Dec 10, 2022 at 06:00:48PM -0500, Waiman Long wrote:
>> Commit 6edda04ccc7c ("mm/kmemleak: prevent soft lockup in first
>> object iteration loop of kmemleak_scan()") fixes a soft lockup problem
>> in kmemleak_scan() by periodically doing a cond_resched(). It does
>> take a reference of the current object before doing it. Unfortunately,
>> if the object has been deleted from the object_list, the next object
>> pointed to by its next pointer may no longer be valid after coming
>> back from cond_resched(). This can result in use-after-free and other
>> nasty problems.
>
> Ah, kmemleak_cond_resched() releases the rcu lock, so using
> list_for_each_entry_rcu() doesn't help.
>
>> diff --git a/mm/kmemleak.c b/mm/kmemleak.c
>> index 8c44f70ed457..d3a8fa4e3af3 100644
>> --- a/mm/kmemleak.c
>> +++ b/mm/kmemleak.c
>> @@ -1465,15 +1465,26 @@ static void scan_gray_list(void)
>>   * that the given object won't go away without RCU read lock by performing a
>>   * get_object() if necessaary.
>>   */
>> -static void kmemleak_cond_resched(struct kmemleak_object *object)
>> +static void kmemleak_cond_resched(struct kmemleak_object **pobject)
>>  {
>> -	if (!get_object(object))
>> +	struct kmemleak_object *obj = *pobject;
>> +
>> +	if (!(obj->flags & OBJECT_ALLOCATED) || !get_object(obj))
>>  		return; /* Try next object */
>
> I don't think we can rely on obj->flags without holding obj->lock. We do
> have a few WARN_ON() checks without the lock but in all other places the
> lock should be held.

Good point. It is just an optimistic check and it is OK to be wrong. I
think I may need to use the data_race() macro to signify that racing can
happen and it is fine.

> Another potential issue with re-scanning is that the loop may never
> complete if it always goes from the beginning. Yet another problem with
> restarting is that we may count references to an object multiple times
> and get more false negatives.
>
> I'd keep the OBJECT_ALLOCATED logic in the main kmemleak_scan() loop and
> retake the object->lock if cond_resched() was called
> (kmemleak_need_resched() returning true), check if it was freed and
> restart the loop. We could add a new OBJECT_SCANNED flag so that we
> skip such objects if we restarted the loop. The flag is reset during
> list preparation.
>
> I wonder whether we actually need the cond_resched() in the first loop.
> It does take a lot of locks but it doesn't scan the objects. I had a
> patch around to remove the fine-grained locking in favour of the big
> kmemleak_lock, it would make this loop faster (not sure what happened to
> that patch, I need to dig it out).

Thanks for the review.

Another alternative way to handle that is to add an OBJECT_ANCHORED flag
to indicate that this object shouldn't be deleted from the object list
yet. Maybe also an OBJECT_DELETE_PENDING flag so that
kmemleak_cond_resched() will delete it after returning from
cond_resched() when set by another function that wants to delete this
object. All these checks and flag setting will be done with the object
lock held. What do you think?

Cheers,
Longman
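Review bot: the added `if (!(obj->flags & OBJECT_ALLOCATED) || !get_object(obj))` reads obj->flags before any obj->lock is taken, so a delete racing with the read can flip the flag right after the check passes; either take obj->lock around the check or, if it is meant as a best-effort early-out, wrap the read in data_race() and say in a comment that a stale result is tolerated. On the early-return path the comment `return; /* Try next object */` still applies to an object the check just found unlinked, and the quoted lines do not show what *pobject is left pointing at there; following the next pointer of an unlinked object is exactly the stale-pointer case the commit message describes, so that path needs to be visibly safe in the rest of the hunk. While the function is being touched, the context comment's "necessaary" could be corrected to "necessary".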
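To make the restart-and-skip scheme discussed above concrete, here is an added user-space model of it (not code from the patch, from kmemleak, or from either participant). It borrows only the flag names OBJECT_ALLOCATED and OBJECT_SCANNED from the thread; the object layout, the refcount, the `deleter()` stand-in for whatever runs during cond_resched(), and `run_scenario()` are hypothetical, and everything is single-threaded, so the deleter runs synchronously where the scanner would sleep. The scanner pins the current object with a reference across the "sleep", refuses to follow the next pointer of an object that was unlinked meanwhile, restarts from the head instead, and relies on OBJECT_SCANNED so that the restart counts each object once.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag bits on the example object (names borrowed from the thread). */
#define OBJECT_ALLOCATED 0x1u   /* still linked on the list */
#define OBJECT_SCANNED   0x2u   /* already visited in the current pass */

struct obj {
	struct obj *next;
	unsigned int flags;
	int refcount;       /* the list's reference plus any scanner pin */
	int id;
	int scan_count;     /* visits in the current pass, for the check below */
};

static struct obj *list_head;   /* hypothetical single global list */

static void obj_new(int id)
{
	struct obj *o = calloc(1, sizeof(*o));
	if (!o)
		abort();
	o->id = id;
	o->flags = OBJECT_ALLOCATED;
	o->refcount = 1;            /* the list's own reference */
	o->next = list_head;
	list_head = o;
}

static void obj_put(struct obj *o)
{
	if (--o->refcount == 0)
		free(o);            /* last holder gone: memory really goes away */
}

/* Unlink an object and drop the list's reference. If a scanner pinned it,
 * the memory survives (unlinked, no longer OBJECT_ALLOCATED) until it unpins. */
static void obj_delete(struct obj *victim)
{
	for (struct obj **pp = &list_head; *pp; pp = &(*pp)->next) {
		if (*pp == victim) {
			*pp = victim->next;
			victim->flags &= ~OBJECT_ALLOCATED;
			obj_put(victim);
			return;
		}
	}
}

static void list_destroy(void)
{
	while (list_head)
		obj_delete(list_head);
}

/* Which simulated cond_resched() call the deleter fires on (constructed). */
static int g_delete_on_call;

/* Stand-in for whatever runs while the scanner is rescheduled: on the chosen
 * call it deletes the very object the scanner is holding. */
static void deleter(struct obj *current, int call_no)
{
	if (call_no == g_delete_on_call)
		obj_delete(current);
}

/* Walk the list, "rescheduling" every resched_every objects. The current
 * object is pinned across the sleep; if it was deleted meanwhile its next
 * pointer is never followed: the walk restarts from the head and
 * OBJECT_SCANNED prevents already-visited objects from being counted twice. */
static int scan_all(int resched_every)
{
	struct obj *o;
	int visited = 0, calls = 0, since_resched = 0;

	for (o = list_head; o; o = o->next)
		o->flags &= ~OBJECT_SCANNED;    /* "list preparation" */

restart:
	for (o = list_head; o; o = o->next) {
		if (o->flags & OBJECT_SCANNED)
			continue;
		o->flags |= OBJECT_SCANNED;
		o->scan_count++;
		visited++;
		if (++since_resched < resched_every)
			continue;
		since_resched = 0;

		o->refcount++;                  /* pin across the sleep */
		deleter(o, calls++);
		bool gone = !(o->flags & OBJECT_ALLOCATED);
		obj_put(o);                     /* frees o if it was deleted */
		if (gone)
			goto restart;           /* o is dead: never read o->next */
	}
	return visited;
}

/* Build n objects, delete the pinned one on a chosen resched call, scan, and
 * check that every object was counted exactly once and the deleted one is gone.
 * Returns the visit count, or -1 if a check failed. */
static int run_scenario(int n, int resched_every, int delete_on_call)
{
	int visited, remaining = 0, ok = 1;

	list_destroy();
	for (int i = 0; i < n; i++)
		obj_new(i);
	g_delete_on_call = delete_on_call;
	visited = scan_all(resched_every);

	for (struct obj *o = list_head; o; o = o->next) {
		remaining++;
		if (o->scan_count != 1)
			ok = 0;
	}
	if (remaining != n - 1)
		ok = 0;
	list_destroy();
	return ok ? visited : -1;
}

int main(void)
{
	printf("visited %d objects, expected 10\n", run_scenario(10, 3, 0));
	printf("visited %d objects, expected 10\n", run_scenario(10, 4, 1));
	return 0;
}
```

The `goto restart` is the point of the model: once the pinned object has been unlinked, its next pointer is the stale value the commit message warns about, so the only safe continuation is from the list head, and the OBJECT_SCANNED skip is what keeps that restart from re-counting (or looping over) objects already visited.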