From patchwork Tue Jan 31 02:06:39 2017
X-Patchwork-Submitter: Mateusz Guzik
X-Patchwork-Id: 9546373
Date: Tue, 31 Jan 2017 03:06:39 +0100
From: Mateusz Guzik
To: Dmitry Vyukov
Cc: Al Viro, Thomas Gleixner, linux-fsdevel@vger.kernel.org, LKML, syzkaller
Subject: Re: timerfd: use-after-free in timerfd_remove_cancel
Message-ID: <20170131020638.hf2pzz55u4tymvot@dhcp-1-212.brq.redhat.com>

On Mon, Jan 30, 2017 at 07:41:59PM +0100, Dmitry Vyukov wrote:
> Hello,
>
> The following program triggers use-after-free in timerfd_remove_cancel:
> https://gist.githubusercontent.com/dvyukov/202576d437c84ffbbe52e9ccd77e1b44/raw/5562bff8626a73627157331ea2b837f59080ac84/gistfile1.txt
>
> BUG: KASAN: use-after-free in __list_del include/linux/list.h:104
> [inline] at addr ffff88006bab1410
> BUG: KASAN: use-after-free in __list_del_entry
> include/linux/list.h:119 [inline] at addr ffff88006bab1410
> BUG: KASAN: use-after-free in list_del_rcu include/linux/rculist.h:129
> [inline] at addr ffff88006bab1410
> BUG: KASAN: use-after-free in timerfd_remove_cancel fs/timerfd.c:120
> [inline] at addr ffff88006bab1410
> BUG: KASAN: use-after-free in timerfd_release+0x28e/0x310
> fs/timerfd.c:209 at addr ffff88006bab1410
> Write of size 8 by task a.out/2897
> [..]
> Seems that ctx->might_cancel is racy.
>

Indeed it is. Can you try the patch below please. If it works I'll send it in a nicer form.

---
diff --git a/fs/timerfd.c b/fs/timerfd.c index c173cc1..63f91c3 100644 --- a/fs/timerfd.c +++ b/fs/timerfd.c @@ -112,14 +112,30 @@ void timerfd_clock_was_set(void) rcu_read_unlock(); } +static void timerfd_set_cancel(struct timerfd_ctx *ctx) +{ + if (ctx->might_cancel) + return; + + spin_lock(&cancel_lock); + if (!ctx->might_cancel) { + ctx->might_cancel = true; + list_add_rcu(&ctx->clist, &cancel_list); + } + spin_unlock(&cancel_lock); +} + static void timerfd_remove_cancel(struct timerfd_ctx *ctx) { + if (!ctx->might_cancel) + return; + + spin_lock(&cancel_lock); if (ctx->might_cancel) { ctx->might_cancel = false; - spin_lock(&cancel_lock); list_del_rcu(&ctx->clist); - spin_unlock(&cancel_lock); } + spin_unlock(&cancel_lock); } static bool timerfd_canceled(struct timerfd_ctx *ctx) @@ -134,16 +150,10 @@ static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) { if ((ctx->clockid == CLOCK_REALTIME || ctx->clockid == CLOCK_REALTIME_ALARM) && - (flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) { - if (!ctx->might_cancel) { - ctx->might_cancel = true; - spin_lock(&cancel_lock); - list_add_rcu(&ctx->clist, &cancel_list); - spin_unlock(&cancel_lock); - } - } else if (ctx->might_cancel) { + (flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) + timerfd_set_cancel(ctx); + else timerfd_remove_cancel(ctx); - } } static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx)
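Review bot: the lockless pre-checks `if (ctx->might_cancel) return;` in timerfd_set_cancel() and `if (!ctx->might_cancel) return;` in timerfd_remove_cancel() are plain loads of a field that the other helper stores under cancel_lock, and nothing in the hunk says why reading it outside the lock is safe. Either drop the pre-checks and always take cancel_lock, which is the simplest correct form since the locked recheck already decides the final state, or keep them but use READ_ONCE() for the unlocked loads and WRITE_ONCE() for the stores, with a one-line comment above each helper saying that the flag and the list are only ever changed together under cancel_lock. The recheck inside timerfd_remove_cancel() is now the only thing preventing a second list_del_rcu() on ctx->clist, so that comment also documents the invariant the reported use-after-free violated.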
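Review bot: the else branch now calls timerfd_remove_cancel() unconditionally where the old code had `else if (ctx->might_cancel)`, which is only correct because the helper grew its own early return; that dependency, and the race itself, belong in the changelog, since the hunk shows only the check being moved under the lock. From the removed lines, two callers of timerfd_setup_cancel() that both observe !might_cancel before either takes cancel_lock would both list_add_rcu() the same ctx->clist, which is presumably the stale list entry that timerfd_release() later trips over in the KASAN report above. Minor style point: with the two-line `&&` condition, the brace-less `if`/`else` reads as if the continuation line were part of the timerfd_set_cancel() call; keeping the braces, or moving the clockid/flags test into a small predicate helper (name is up to you), would make the structure obvious.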