From patchwork Mon May 13 03:07:56 2024
X-Patchwork-Submitter: Chengming Zhou
X-Patchwork-Id: 13662990
From: Chengming Zhou
Date: Mon, 13 May 2024 11:07:56 +0800
Subject: [PATCH] mm/ksm: fix possible UAF of stable_node
Message-Id: <20240513-b4-ksm-stable-node-uaf-v1-1-f687de76f452@linux.dev>
To: Andrew Morton, David Hildenbrand, Hugh Dickins, Andrea Arcangeli, Stefan Roesch
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, zhouchengming@bytedance.com, Chengming Zhou

The commit 2c653d0ee2ae ("ksm: introduce ksm_max_page_sharing per page deduplication limit") introduced a possible failure case in stable_tree_insert(), where we may free the newly allocated stable_node_dup if we fail to prepare the missing chain node. Then that kfolio is returned and unlocked with a freed stable_node set... And any MM activities can come in to access kfolio->mapping, so UAF.
Fix it by moving folio_set_stable_node() to the end after stable_node is inserted successfully. Fixes: 2c653d0ee2ae ("ksm: introduce ksm_max_page_sharing per page deduplication limit") Signed-off-by: Chengming Zhou Acked-by: David Hildenbrand --- mm/ksm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- base-commit: 7e8aafe0636cdcc5c9699ced05ff1f8ffcb937e2 change-id: 20240513-b4-ksm-stable-node-uaf-ccc7fe2fd6bd Best regards, diff --git a/mm/ksm.c b/mm/ksm.c index e1034bf1c937..a8b76af5cf64 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -2153,7 +2153,6 @@ static struct ksm_stable_node *stable_tree_insert(struct folio *kfolio) INIT_HLIST_HEAD(&stable_node_dup->hlist); stable_node_dup->kpfn = kpfn; - folio_set_stable_node(kfolio, stable_node_dup); stable_node_dup->rmap_hlist_len = 0; DO_NUMA(stable_node_dup->nid = nid); if (!need_chain) { @@ -2172,6 +2171,8 @@ static struct ksm_stable_node *stable_tree_insert(struct folio *kfolio) stable_node_chain_add_dup(stable_node_dup, stable_node); } + folio_set_stable_node(kfolio, stable_node_dup); + return stable_node_dup; }
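Review bot: in the first hunk, dropping folio_set_stable_node() before the `if (!need_chain)` branch means kfolio->mapping is no longer set while the chain node is being prepared; the visible context shows stable_node_chain_add_dup(stable_node_dup, stable_node) taking the dup directly rather than reading it back from the folio, so the move looks safe, but the commit message should state that nothing between the old and the new call site relies on the folio already carrying the stable node.

Review bot: in the second hunk, the failure path that frees stable_node_dup lies outside the shown context, so the diff alone does not let a reader confirm that this path returns without ever having touched kfolio->mapping; consider extending the context, or noting in the commit message that the folio stays locked across the function and the early return leaves its mapping untouched, since that is exactly what closes the UAF window.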
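The ordering bug the commit message describes, and the fix, as a userspace C model (an added example, not the kernel's code): all type and function names are constructed for this illustration, the chain-node allocation is forced to fail, and only the pre-fix order leaves the folio pointing at a freed node.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model of the ordering bug in stable_tree_insert(). All names are
 * constructed for this illustration, not the kernel's types from mm/ksm.c. */
struct stable_node { int kpfn; };
struct folio { struct stable_node *mapping; int kpfn; };

/* Fault injection stands in for a failed allocation of the chain node. */
static bool chain_alloc_fails;
static struct stable_node *alloc_chain_node(void) {
    return chain_alloc_fails ? NULL : calloc(1, sizeof(struct stable_node));
}

/* Pre-fix order: the dup is published through the folio before a fallible
 * step, so the failure path frees memory the folio still points at. */
static struct stable_node *insert_before_fix(struct folio *f, bool need_chain) {
    struct stable_node *dup = calloc(1, sizeof *dup);
    dup->kpfn = f->kpfn;
    f->mapping = dup;                            /* published too early */
    if (need_chain) {
        struct stable_node *chain = alloc_chain_node();
        if (!chain) { free(dup); return NULL; }  /* f->mapping now dangles */
        free(chain);  /* the model only needs the chain's success/failure */
    }
    return dup;
}

/* Fixed order: publish only after every fallible step has succeeded. */
static struct stable_node *insert_fixed(struct folio *f, bool need_chain) {
    struct stable_node *dup = calloc(1, sizeof *dup);
    dup->kpfn = f->kpfn;
    if (need_chain) {
        struct stable_node *chain = alloc_chain_node();
        if (!chain) { free(dup); return NULL; }  /* f->mapping untouched */
        free(chain);
    }
    f->mapping = dup;
    return dup;
}

/* Drives one insert with the chain allocation forced to fail and reports
 * whether the folio was left pointing at freed memory (the UAF precondition). */
static bool leaves_dangling(struct stable_node *(*ins)(struct folio *, bool)) {
    struct folio f = { .mapping = NULL, .kpfn = 42 };
    chain_alloc_fails = true;
    struct stable_node *r = ins(&f, true);
    chain_alloc_fails = false;
    return r == NULL && f.mapping != NULL;
}
```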