From patchwork Fri Jun 28 08:23:47 2024
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1953829
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] erofs: fix pcluster use-after-free on UP platforms
Date: Fri, 28 Jun 2024 10:23:47 +0200
Message-Id: <20240628082347.3176650-2-juerg.haefliger@canonical.com>
In-Reply-To: <20240628082347.3176650-1-juerg.haefliger@canonical.com>
References: <20240628082347.3176650-1-juerg.haefliger@canonical.com>
From: Gao Xiang

During stress testing with CONFIG_SMP disabled, KASAN reports as below:

==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
Read of size 8 at addr ffff8881094223f8 by task stress/7789

CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
..
 __mutex_lock+0xe5/0xc30
..
 z_erofs_do_read_page+0x8ce/0x1560
..
 z_erofs_readahead+0x31c/0x580
..

Freed by task 7787
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x20/0x30
 kasan_set_free_info+0x20/0x40
 __kasan_slab_free+0x10c/0x190
 kmem_cache_free+0xed/0x380
 rcu_core+0x3d5/0xc90
 __do_softirq+0x12d/0x389

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x97/0xb0
 call_rcu+0x3d/0x3f0
 erofs_shrink_workstation+0x11f/0x210
 erofs_shrink_scan+0xdc/0x170
 shrink_slab.constprop.0+0x296/0x530
 drop_slab+0x1c/0x70
 drop_caches_sysctl_handler+0x70/0x80
 proc_sys_call_handler+0x20a/0x2f0
 vfs_write+0x555/0x6c0
 ksys_write+0xbe/0x160
 do_syscall_64+0x3b/0x90

The root cause is that erofs_workgroup_unfreeze() doesn't reset to
orig_val thus it causes a race that the pcluster reuses unexpectedly
before freeing.

Since UP platforms are quite rare now, such path becomes unnecessary.
Let's drop such specific-designed path directly instead.

Fixes: 73f5c66df3e2 ("staging: erofs: fix `erofs_workgroup_{try_to_freeze, unfreeze}'")
Reviewed-by: Yue Hu
Reviewed-by: Chao Yu
Link: https://lore.kernel.org/r/20220902045710.109530-1-hsiangkao@linux.alibaba.com
Signed-off-by: Gao Xiang
(backported from commit 2f44013e39984c127c6efedf70e6b5f4e9dcf315)
[juergh: Adjusted context.]
CVE-2022-48674
Signed-off-by: Juerg Haefliger
---
 fs/erofs/internal.h | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h
index cc7a42682814..2e9d78c1e3b3 100644
--- a/fs/erofs/internal.h
+++ b/fs/erofs/internal.h
@@ -119,7 +119,6 @@ struct erofs_workgroup { atomic_t refcount; }; -#if defined(CONFIG_SMP) static inline bool erofs_workgroup_try_to_freeze(struct erofs_workgroup *grp, int val) { @@ -148,34 +147,6 @@ static inline int erofs_wait_on_workgroup_freezed(struct erofs_workgroup *grp) return atomic_cond_read_relaxed(&grp->refcount, VAL != EROFS_LOCKED_MAGIC); } -#else -static inline bool erofs_workgroup_try_to_freeze(struct erofs_workgroup *grp, - int val) -{ - preempt_disable(); - /* no need to spin on UP platforms, let's just disable preemption. */ - if (val != atomic_read(&grp->refcount)) { - preempt_enable(); - return false; - } - return true; -} - -static inline void erofs_workgroup_unfreeze(struct erofs_workgroup *grp, - int orig_val) -{ - preempt_enable(); -} - -static inline int erofs_wait_on_workgroup_freezed(struct erofs_workgroup *grp) -{ - int v = atomic_read(&grp->refcount); - - /* workgroup is never freezed on uniprocessor systems */ - DBG_BUGON(v == EROFS_LOCKED_MAGIC); - return v; -} -#endif /* !CONFIG_SMP */ /* hard limit of pages per compressed cluster */ #define Z_EROFS_CLUSTER_MAX_PAGES (CONFIG_EROFS_FS_CLUSTER_PAGE_LIMIT)
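Review bot: the backport note `[juergh: Adjusted context.]` records no build or test evidence for the configuration this change actually affects: once `-#if defined(CONFIG_SMP)` goes in the first hunk and `-#else` ... `-#endif /* !CONFIG_SMP */` go in the second, the SMP variants of erofs_workgroup_try_to_freeze(), erofs_workgroup_unfreeze() and erofs_wait_on_workgroup_freezed() (which sit between the two hunks and are not visible here) are compiled into CONFIG_SMP=n kernels for the first time on this series, so a line stating that a UP build (and ideally the drop_caches stress from the KASAN report) was done would strengthen the SRU justification. The removed UP `erofs_workgroup_unfreeze()` body is only `preempt_enable();` and never uses `orig_val`, which matches the root cause in the commit message; and the diffstat (29 deletions) agrees with the two hunks (1 + 28), so nothing looks lost in the context adjustment.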
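The difference the commit message points at (a freeze that never publishes a sentinel and an unfreeze that ignores orig_val, versus an atomic variant that does both) can be illustrated with a small user-space model. This is an added example, not the kernel's code or the patch author's: the SMP-style bodies are an assumption reconstructed from the function signatures and the EROFS_LOCKED_MAGIC comparison visible in the hunk (the real SMP implementation sits between the hunks and is not shown), the UP-style bodies follow the removed code minus preempt_disable()/preempt_enable(), which have no user-space equivalent, LOCKED_MAGIC is a constructed placeholder, and run_window() is a hypothetical harness standing in for a concurrent observer such as the RCU callback in the report.

```c
/* Added example (not the kernel's code): user-space model of the erofs
 * workgroup freeze/unfreeze protocol. The SMP-style bodies are assumed
 * from the signatures and the EROFS_LOCKED_MAGIC check in the hunk;
 * LOCKED_MAGIC is a constructed placeholder value. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define LOCKED_MAGIC INT_MIN  /* constructed sentinel, not the kernel's value */

struct workgroup {
    atomic_int refcount;
};

/* SMP-style (assumed): freeze only if refcount == val, and publish the
 * sentinel so every other context can see that the group is frozen. */
static bool smp_try_to_freeze(struct workgroup *grp, int val)
{
    int expected = val;
    return atomic_compare_exchange_strong(&grp->refcount, &expected, LOCKED_MAGIC);
}

/* SMP-style (assumed): restore the value the caller froze at. */
static void smp_unfreeze(struct workgroup *grp, int orig_val)
{
    atomic_store(&grp->refcount, orig_val);
}

/* UP-style, as removed by the patch: compare only, never publish a
 * sentinel, and ignore orig_val on unfreeze. */
static bool up_try_to_freeze(struct workgroup *grp, int val)
{
    return atomic_load(&grp->refcount) == val;
}

static void up_unfreeze(struct workgroup *grp, int orig_val)
{
    (void)grp;
    (void)orig_val;  /* orig_val unused, exactly as in the removed code */
}

/* What any other context (e.g. a softirq running an RCU callback) can
 * observe about the group: the sentinel is the only signal it has. */
static bool observed_frozen(struct workgroup *grp)
{
    return atomic_load(&grp->refcount) == LOCKED_MAGIC;
}

struct window_result {
    bool froze;          /* did try_to_freeze succeed?                */
    bool visible;        /* could an observer see the frozen state?   */
    int refcount_after;  /* refcount once the window has been closed  */
};

/* Hypothetical harness: open a freeze window on a group whose refcount
 * is `start`, expecting `expected`, observe it from "another context",
 * then close the window and report what happened. */
struct window_result run_window(bool smp, int start, int expected)
{
    struct workgroup g;
    struct window_result r;

    atomic_init(&g.refcount, start);
    r.froze = smp ? smp_try_to_freeze(&g, expected)
                  : up_try_to_freeze(&g, expected);
    r.visible = observed_frozen(&g);
    if (r.froze) {
        if (smp)
            smp_unfreeze(&g, expected);
        else
            up_unfreeze(&g, expected);
    }
    r.refcount_after = atomic_load(&g.refcount);
    return r;
}

int main(void)
{
    struct window_result s = run_window(true, 0, 0);   /* SMP-style, refcount matches */
    struct window_result u = run_window(false, 0, 0);  /* UP-style, refcount matches  */
    struct window_result m = run_window(true, 1, 0);   /* SMP-style, refcount mismatch */

    printf("SMP-style: froze=%d visible=%d after=%d\n", s.froze, s.visible, s.refcount_after);
    printf("UP-style : froze=%d visible=%d after=%d\n", u.froze, u.visible, u.refcount_after);
    printf("mismatch : froze=%d visible=%d after=%d\n", m.froze, m.visible, m.refcount_after);
    return 0;
}
```

The point the model makes is the one the patch relies on: with the sentinel-publishing variant, anything that runs during the freeze window sees LOCKED_MAGIC and can wait (erofs_wait_on_workgroup_freezed() in the retained code spins on exactly that value), whereas the UP-style variant leaves the refcount untouched, so an observer has no way to tell that the group is being torn down.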