[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJuCfpFKjhmti8k6OHoDHAu6dPvqP0jn8FFdSDPqmRfH97bkiQ@mail.gmail.com>
Date: Wed, 28 Jun 2023 14:50:59 -0700
From: Suren Baghdasaryan <surenb@...gle.com>
To: Tejun Heo <tj@...nel.org>
Cc: Greg KH <gregkh@...uxfoundation.org>,
Christian Brauner <brauner@...nel.org>, peterz@...radead.org,
lujialin4@...wei.com, lizefan.x@...edance.com, hannes@...xchg.org,
mingo@...hat.com, ebiggers@...nel.org, oleg@...hat.com,
akpm@...ux-foundation.org, viro@...iv.linux.org.uk,
juri.lelli@...hat.com, vincent.guittot@...aro.org,
dietmar.eggemann@....com, rostedt@...dmis.org, bsegall@...gle.com,
mgorman@...e.de, bristot@...hat.com, vschneid@...hat.com,
linux-kernel@...r.kernel.org, cgroups@...r.kernel.org,
linux-fsdevel@...r.kernel.org, kernel-team@...roid.com
Subject: Re: [PATCH 1/2] kernfs: add kernfs_ops.free operation to free
resources tied to the file
On Wed, Jun 28, 2023 at 1:34 PM Tejun Heo <tj@...nel.org> wrote:
>
> Hello, Suren.
>
> On Wed, Jun 28, 2023 at 01:12:23PM -0700, Suren Baghdasaryan wrote:
> > AFAIU all other files that handle polling rely on f_op->release()
> > being called after all the users are gone, therefore they can safely
> > free their resources. However kernfs can call ->release() while there
> > are still active users of the file. I can't use that operation for
> > resource cleanup therefore I was suggesting to add a new operation
> > which would be called only after the last fput() and would guarantee
> > no users. Again, I'm not an expert in this, so there might be a better
> > way to handle it. Please advise.
>
> So, w/ kernfs, the right thing to do is making sure that whatever is exposed
> to the kernfs user is terminated on removal - ie. after kernfs_ops->release
> is called, the ops table should be considered dead and there shouldn't be
> anything left to clean up from the kernfs user side. You can add abstraction
> kernfs so that kernfs can terminate the calls coming down from the higher
> layers on its own. That's how every other operation is handled and what
> should happen with the psi polling too.
I'm not sure I understand. The waitqueue head we are freeing in
->release() can be accessed asynchronously and does not require any
kernfs_op call. Here is a recap of that race:
do_select
vfs_poll
cgroup_pressure_release
psi_trigger_destroy
wake_up_pollfree(&t->event_wait) -> unblocks vfs_poll
synchronize_rcu()
kfree(t) -> frees waitqueue head
poll_freewait() -> UAF
Note that poll_freewait() is not part of any kernel_op, so I'm not
sure how adding an abstraction kernfs would help, but again, this is
new territory for me and I might be missing something.
On a different note, I think there might be an easy way to fix this.
What if psi triggers reuse kernfs_open_node->poll waitqueue head?
Since we are overriding the ->poll() method, that waitqueue head is
unused AFAIKT. And best of all, its lifecycle is tied to the file's
lifecycle, so it does not have the issue that trigger waitqueue head
has. In the trigger I could simply store a pointer to that waitqueue
and use it. Then in ->release() freeing trigger would not affect the
waitqueue at all. Does that sound sane?
>
> Thanks.
>
> --
> tejun
Powered by blists - more mailing lists