ipc/shm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
In shm_destroy_orphaned(), we are not performing updates to the IPCS and are
only calling idr_for_each(), which can be protected by the RCU read-critical
section.
And if idr_for_each() is not protected by the RCU read-critical section,
then when radix_tree_node_free() is called to free the struct radix_tree_node
through call_rcu(), the node will be freed immediately, and when reading the
next node in radix_tree_for_each_slot(), the memory that has already been
freed may be read.
Therefore, I think it is appropriate to use RCU instead of semaphore to
protect it.
Fixes: d9a605e40b13 ("ipc: rename ids->rw_mutex")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
ipc/shm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index 99564c870084..8fd87c4e5dc8 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -430,10 +430,10 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data)
void shm_destroy_orphaned(struct ipc_namespace *ns)
{
- down_write(&shm_ids(ns).rwsem);
+ rcu_read_lock();
if (shm_ids(ns).in_use)
idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
- up_write(&shm_ids(ns).rwsem);
+ rcu_read_unlock();
}
/* Locking assumes this will only be called with task == current */
--On Sat, 15 Feb 2025 03:01:57 +0900 Jeongjun Park <aha310510@gmail.com> wrote: > In shm_destroy_orphaned(), we are not performing updates to the IPCS and are > only calling idr_for_each(), which can be protected by the RCU read-critical > section. > > And if idr_for_each() is not protected by the RCU read-critical section, > then when radix_tree_node_free() is called to free the struct radix_tree_node > through call_rcu(), the node will be freed immediately, and when reading the > next node in radix_tree_for_each_slot(), the memory that has already been > freed may be read. A use-after-free? Is there any report of this occurring, or was this change a result of code inspection? If the former, please share details (Link:, Reported-by:, Closes:, etc). > Therefore, I think it is appropriate to use RCU instead of semaphore to > protect it.
Andrew Morton <akpm@linux-foundation.org> wrote: > > On Sat, 15 Feb 2025 03:01:57 +0900 Jeongjun Park <aha310510@gmail.com> wrote: > > > In shm_destroy_orphaned(), we are not performing updates to the IPCS and are > > only calling idr_for_each(), which can be protected by the RCU read-critical > > section. > > > > And if idr_for_each() is not protected by the RCU read-critical section, > > then when radix_tree_node_free() is called to free the struct radix_tree_node > > through call_rcu(), the node will be freed immediately, and when reading the > > next node in radix_tree_for_each_slot(), the memory that has already been > > freed may be read. > > A use-after-free? > > Is there any report of this occurring, or was this change a result of > code inspection? If the former, please share details (Link:, > Reported-by:, Closes:, etc). Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com Sorry I forgot the Reported-by tag. I think the vulnerability is caused by misusing RCU. In addition, since it is a function that does not perform an update operation, it is possible to protect it through RCU, so we can safely get some performance small benefits by using RCU instead of semaphore. Regards, Jeongjun Park > > > Therefore, I think it is appropriate to use RCU instead of semaphore to > > protect it. >
[Fixing Davidlohr's email address -- David could you pop an entry into
.mailmap?]
On Sat, Feb 15, 2025 at 02:00:23PM +0900, Jeongjun Park wrote:
> Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Sat, 15 Feb 2025 03:01:57 +0900 Jeongjun Park <aha310510@gmail.com> wrote:
> >
> > > In shm_destroy_orphaned(), we are not performing updates to the IPCS and are
> > > only calling idr_for_each(), which can be protected by the RCU read-critical
> > > section.
> > >
> > > And if idr_for_each() is not protected by the RCU read-critical section,
> > > then when radix_tree_node_free() is called to free the struct radix_tree_node
> > > through call_rcu(), the node will be freed immediately, and when reading the
> > > next node in radix_tree_for_each_slot(), the memory that has already been
> > > freed may be read.
> >
> > A use-after-free?
> >
> > Is there any report of this occurring, or was this change a result of
> > code inspection? If the former, please share details (Link:,
> > Reported-by:, Closes:, etc).
>
> Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com
For anyone else trying to understand what the hell this is about,
the report is at:
https://lore.kernel.org/linux-kernel/67af13f8.050a0220.21dd3.0038.GAE@google.com/
> Sorry I forgot the Reported-by tag. I think the vulnerability is caused by
> misusing RCU. In addition, since it is a function that does not perform
> an update operation, it is possible to protect it through RCU, so we can
> safely get some performance small benefits by using RCU instead of
> semaphore.
shm uses RCU in a very weird way. You're absolutely right that we need
to hold the RCU read lock here to prevent the tree nodes from being
freed below us.
But I'm not convinced that removing the rwsem is safe. Look at what
else is in the call chain:
if (shm_ids(ns).in_use)
idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
shm_try_destroy_orphaned:
shm_destroy(ns, shp);
shm_destroy:
shm_rmid(shp);
shm_rmid:
ipc_rmid(&shm_ids(s->ns), &s->shm_perm);
ipc_rmid:
WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp);
So what's protecting that idr_remove() if not the rwsem?
(the shortcut for this is that shm_destroy() actually documents that it
needs shm_ids.rwsem held. But it doesn't have a lockdep assertion.
Perhaps you could add one?)
Matthew Wilcox <willy@infradead.org> wrote: > > [Fixing Davidlohr's email address -- David could you pop an entry into > .mailmap?] > > On Sat, Feb 15, 2025 at 02:00:23PM +0900, Jeongjun Park wrote: > > Andrew Morton <akpm@linux-foundation.org> wrote: > > > > > > On Sat, 15 Feb 2025 03:01:57 +0900 Jeongjun Park <aha310510@gmail.com> wrote: > > > > > > > In shm_destroy_orphaned(), we are not performing updates to the IPCS and are > > > > only calling idr_for_each(), which can be protected by the RCU read-critical > > > > section. > > > > > > > > And if idr_for_each() is not protected by the RCU read-critical section, > > > > then when radix_tree_node_free() is called to free the struct radix_tree_node > > > > through call_rcu(), the node will be freed immediately, and when reading the > > > > next node in radix_tree_for_each_slot(), the memory that has already been > > > > freed may be read. > > > > > > A use-after-free? > > > > > > Is there any report of this occurring, or was this change a result of > > > code inspection? If the former, please share details (Link:, > > > Reported-by:, Closes:, etc). > > > > Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com > > For anyone else trying to understand what the hell this is about, > the report is at: > > https://lore.kernel.org/linux-kernel/67af13f8.050a0220.21dd3.0038.GAE@google.com/ > > > Sorry I forgot the Reported-by tag. I think the vulnerability is caused by > > misusing RCU. In addition, since it is a function that does not perform > > an update operation, it is possible to protect it through RCU, so we can > > safely get some performance small benefits by using RCU instead of > > semaphore. > > shm uses RCU in a very weird way. You're absolutely right that we need > to hold the RCU read lock here to prevent the tree nodes from being > freed below us. > > But I'm not convinced that removing the rwsem is safe. Look at what > else is in the call chain: > > if (shm_ids(ns).in_use) > idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); > > shm_try_destroy_orphaned: > shm_destroy(ns, shp); > shm_destroy: > shm_rmid(shp); > shm_rmid: > ipc_rmid(&shm_ids(s->ns), &s->shm_perm); > ipc_rmid: > WARN_ON_ONCE(idr_remove(&ids->ipcs_idr, idx) != ipcp); > > So what's protecting that idr_remove() if not the rwsem? After looking into it again, I guess removing the semaphore won't work. Thanks for letting me know! I'll fix it and send you a patch right away. Regards, Jeongjun Park > > (the shortcut for this is that shm_destroy() actually documents that it > needs shm_ids.rwsem held. But it doesn't have a lockdep assertion. > Perhaps you could add one?)
On Sat, Feb 15, 2025 at 03:01:57AM +0900, Jeongjun Park wrote:
> In shm_destroy_orphaned(), we are not performing updates to the IPCS and are
> only calling idr_for_each(), which can be protected by the RCU read-critical
> section.
>
> And if idr_for_each() is not protected by the RCU read-critical section,
> then when radix_tree_node_free() is called to free the struct radix_tree_node
> through call_rcu(), the node will be freed immediately, and when reading the
> next node in radix_tree_for_each_slot(), the memory that has already been
> freed may be read.
>
> Therefore, I think it is appropriate to use RCU instead of semaphore to
> protect it.
>
> Fixes: d9a605e40b13 ("ipc: rename ids->rw_mutex")
This does not fix that commit. That's just the last commit that touches
this line. Indeed, it doesn't fix anything.
You need to justify why making this change is desirable. Does it speed
anything up?
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> ---
> ipc/shm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 99564c870084..8fd87c4e5dc8 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -430,10 +430,10 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data)
>
> void shm_destroy_orphaned(struct ipc_namespace *ns)
> {
> - down_write(&shm_ids(ns).rwsem);
> + rcu_read_lock();
> if (shm_ids(ns).in_use)
> idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
> - up_write(&shm_ids(ns).rwsem);
> + rcu_read_unlock();
> }
>
> /* Locking assumes this will only be called with task == current */
> --
© 2016 - 2025 Red Hat, Inc.