From patchwork Thu Dec 8 02:53:15 2022
X-Patchwork-Submitter: Tejun Heo
X-Patchwork-Id: 13067838
Date: Wed, 7 Dec 2022 16:53:15 -1000
From: Tejun Heo
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn, Linus Torvalds, Johannes Weiner, Michal Hocko, Roman Gushchin, Shakeel Butt, Muchun Song, cgroups@vger.kernel.org
Subject: [PATCH for-6.1-fixes] memcg: Fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through.

With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft().
Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type. Signed-off-by: Tejun Heo Fixes: 347c4a874710 ("memcg: remove cgroup_event->cft") Cc: stable@vger.kernel.org # v3.14+ Reported-by: Jann Horn Cc: Linus Torvalds Acked-by: Roman Gushchin Acked-by: Johannes Weiner --- include/linux/cgroup.h | 1 + kernel/cgroup/cgroup-internal.h | 1 - mm/memcontrol.c | 15 +++++++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h index 528bd44b59e2..2b7d077de7ef 100644 --- a/include/linux/cgroup.h +++ b/include/linux/cgroup.h @@ -68,6 +68,7 @@ struct css_task_iter { struct list_head iters_node; /* css_set->task_iters */ }; +extern struct file_system_type cgroup_fs_type; extern struct cgroup_root cgrp_dfl_root; extern struct css_set init_css_set; diff --git a/kernel/cgroup/cgroup-internal.h b/kernel/cgroup/cgroup-internal.h index fd4020835ec6..367b0a42ada9 100644 --- a/kernel/cgroup/cgroup-internal.h +++ b/kernel/cgroup/cgroup-internal.h @@ -167,7 +167,6 @@ struct cgroup_mgctx { extern spinlock_t css_set_lock; extern struct cgroup_subsys *cgroup_subsys[]; extern struct list_head cgroup_roots; -extern struct file_system_type cgroup_fs_type; /* iterate across the hierarchies */ #define for_each_root(root) \ diff --git a/mm/memcontrol.c b/mm/memcontrol.c index a1a35c12635e..266a1ab05434 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4832,6 +4832,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, unsigned int efd, cfd; struct fd efile; struct fd cfile; + struct dentry *cdentry; const char *name; char *endp; int ret; 
@@ -4885,6 +4886,16 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, if (ret < 0) goto out_put_cfile; + /* + * The control file must be a regular cgroup1 file. As a regular cgroup + * file can't be renamed, it's safe to access its name afterwards. + */ + cdentry = cfile.file->f_path.dentry; + if (cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)) { + ret = -EINVAL; + goto out_put_cfile; + } + /* * Determine the event callbacks and set them in @event. This used * to be done via struct cftype but cgroup core no longer knows @@ -4893,7 +4904,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, * * DO NOT ADD NEW FILES. */ - name = cfile.file->f_path.dentry->d_name.name; + name = cdentry->d_name.name; if (!strcmp(name, "memory.usage_in_bytes")) { event->register_event = mem_cgroup_usage_register_event; @@ -4917,7 +4928,7 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, * automatically removed on cgroup destruction but the removal is * asynchronous, so take an extra ref on @css. */ - cfile_css = css_tryget_online_from_dir(cfile.file->f_path.dentry->d_parent, + cfile_css = css_tryget_online_from_dir(cdentry->d_parent, &memory_cgrp_subsys); ret = -EINVAL; if (IS_ERR(cfile_css))
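Review bot: in the include/linux/cgroup.h hunk, the moved "extern struct file_system_type cgroup_fs_type;" now becomes visible to every user of the public header rather than only to cgroup core; a one-line comment next to it saying it is exported so callers outside kernel/cgroup/ (here memcg_write_event_control()) can verify that a dentry belongs to cgroupfs would tell future readers why the declaration lives beside cgrp_dfl_root instead of in cgroup-internal.h.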
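Review bot: in the kernel/cgroup/cgroup-internal.h hunk, dropping the extern means cgroup core's own references to cgroup_fs_type now rely on the declaration arriving through include/linux/cgroup.h; please confirm that cgroup-internal.h still includes that header (directly or transitively) so no translation unit in kernel/cgroup/ is left with an implicit or missing declaration after the move.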
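Review bot: in the hunk at mm/memcontrol.c @@ -4885 that adds the cdentry check, the condition "cdentry->d_sb->s_type != &cgroup_fs_type || !d_is_reg(cdentry)" restores exactly the invariant the later d_name and d_parent reads depend on, and the error path (ret = -EINVAL; goto out_put_cfile) is correct because the check sits after the "if (ret < 0) goto out_put_cfile;" that shows cfile is already held. Two points worth adding to the new comment: the comparison is cgroup1-only by construction, assuming cgroup2 mounts keep their separate file_system_type (cgroup2_fs_type), which is what makes the "regular cgroup1 file" wording accurate; and the check does not by itself tie the control file to the memory hierarchy, which remains the job of the css_tryget_online_from_dir(..., &memory_cgrp_subsys) call further down, so both checks are needed and neither should be removed on the assumption that the other covers it.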
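Review bot: in the hunk at mm/memcontrol.c @@ -4893, "name = cdentry->d_name.name;" is a readability-only change, but since d_name is read here without d_lock it would be worth a sentence in the surrounding "DO NOT ADD NEW FILES" comment stating that this read is safe solely because the regular-cgroupfs-file check above rules out renames; that keeps the dependency visible if the check is ever moved or relaxed.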
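Review bot: in the hunk at mm/memcontrol.c @@ -4917, "css_tryget_online_from_dir(cdentry->d_parent, ...)" dereferences d_parent without holding the parent's lock, which the commit message justifies by noting that cgroup interface files cannot be removed before their directory; a short pointer back to the type check in the comment above this call would document that the parent access is only valid under that invariant, so a future reader does not mistake it for a generally safe pattern on arbitrary dentries.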