lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Sun, 19 Mar 2023 09:47:14 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Teng Qi <starmiku1207184332@...il.com>
Cc:     ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
        martin.lau@...ux.dev, song@...nel.org, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
        haoluo@...gle.com, jolsa@...nel.org, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org, baijiaju1990@...look.com
Subject: Re: [PATCH v2] kernel: bpf: stackmap: fix a possible sleep-in-atomic
 bug in bpf_mmap_unlock_get_irq_work()

On Sun, Mar 19, 2023 at 02:12:49AM +0800, Teng Qi wrote:
> Regarding the first problem, our tool discovered a possible code path that
> 
> starts from mmap_read_unlock() and leads to sleep in kernel v6.3-rc2 source
> 
> code.
> 
> 
> 
> kernel/bpf/mmap_unlock_work.h:52 mmap_read_unlock(mm);
> 
> include/linux/mmap_lock.h:144 up_read(&mm->mmap_lock);
> 
> kernel/locking/rwsem.c:1616 __up_read(sem);
> 
> kernel/locking/rwsem.c:1352 rwsem_wake(sem);
> 
> kernel/locking/rwsem.c:1211 rwsem_mark_wake(sem, RWSEM_WAKE_ANY, &wake_q);
> 
> kernel/locking/rwsem.c:566 wake_q_add_safe(wake_q, tsk);
> 
> kernel/sched/core.c:990 put_task_struct(task);
> 
> include/linux/sched/task.h:119 __put_task_struct(t);
> 
> kernel/fork.c:857 exit_creds(tsk);
> 
> kernel/cred.c:172 put_cred(cred);
> 
> include/linux/cred.h:288 __put_cred(cred);
> 
> kernel/cred.c:151 put_cred_rcu(&cred->rcu);
> 
> kernel/cred.c:121 put_group_info(cred->group_info);
> 
> include/linux/cred.h:53 groups_free(group_info);
> 
> kernel/groups.c:31 kvfree(group_info);
> 
> mm/util.c:647 vfree(addr); <- oops, sleep when size of group_info is large
> 
> 
> 
> However, we cannot guarantee that this code path will be triggered during
> 
> runtime since it was generated by a static analysis tool.

So it is a purely theoretical issue and out of thousands users of up_read()
you've decided to fix one where it is called form mmap_read_unlock().
Why?

You also see that __up_read is doing preempt_disable and then calls rwsem_wake()
which will theoretically can call vfree() with "oops", right?
So agian, why target mmap_read_unlock() ?

Powered by blists - more mailing lists