From: Mickaël Salaün
To: Brendan Higgins, David Gow, Rae Moar, Shuah Khan
Cc: Mickaël Salaün, Alan Maguire, Borislav Petkov, Dave Hansen, "Eric W . Biederman", "H . Peter Anvin", Ingo Molnar, James Morris, Kees Cook, Luis Chamberlain, "Madhavan T . Venkataraman", Marco Pagani, Paolo Bonzini, Sean Christopherson, Stephen Boyd, Thara Gopinath, Thomas Gleixner, Vitaly Kuznetsov, Zahra Tarkhani, kvm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-um@lists.infradead.org, x86@kernel.org
Subject: [PATCH v4 2/7] kunit: Fix kthread reference
Date: Tue, 26 Mar 2024 10:51:13 +0100
Message-ID: <20240326095118.126696-3-mic@digikod.net>
In-Reply-To: <20240326095118.126696-1-mic@digikod.net>
References: <20240326095118.126696-1-mic@digikod.net>

There is a race condition when a kthread finishes after the deadline and
before the call to kthread_stop(), which may lead to use after free.

Cc: Brendan Higgins
Cc: Shuah Khan
Reviewed-by: Kees Cook
Fixes: adf505457032 ("kunit: fix UAF when run kfence test case test_gfpzero")
Reviewed-by: David Gow
Reviewed-by: Rae Moar
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240326095118.126696-3-mic@digikod.net
---

Changes since v2:
* Add Fixes tag as suggested by David.
* Add David's and Rae's Reviewed-by.

Changes since v1:
* Add Kees's Reviewed-by.
---
 lib/kunit/try-catch.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c index a5cb2ef70a25..73f5007f20ea 100644 --- a/lib/kunit/try-catch.c +++ b/lib/kunit/try-catch.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "try-catch-impl.h" 
@@ -65,14 +66,15 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) try_catch->context = context; try_catch->try_completion = &try_completion; try_catch->try_result = 0; - task_struct = kthread_run(kunit_generic_run_threadfn_adapter, - try_catch, - "kunit_try_catch_thread"); + task_struct = kthread_create(kunit_generic_run_threadfn_adapter, + try_catch, "kunit_try_catch_thread"); if (IS_ERR(task_struct)) { try_catch->try_result = PTR_ERR(task_struct); try_catch->catch(try_catch->context); return; } + get_task_struct(task_struct); + wake_up_process(task_struct); time_remaining = wait_for_completion_timeout(&try_completion, kunit_test_timeout()); @@ -82,6 +84,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) kthread_stop(task_struct); } + put_task_struct(task_struct); exit_code = try_catch->try_result; if (!exit_code)
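
Review bot: In the hunk at @@ -65,14 +66,15 @@, the ordering of get_task_struct(task_struct) before wake_up_process(task_struct) is what closes the race, but nothing in the code says so. Add a short comment above get_task_struct() stating that the reference has to be taken before the thread is woken, because a thread that finishes after the timeout and before kthread_stop() would otherwise leave task_struct pointing at freed memory. Without that comment, a later cleanup could fold the two calls back into kthread_run() and reintroduce the use after free. The IS_ERR() early return sits before the get, so that path correctly needs no put.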
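
Review bot: In the hunk at @@ -82,6 +84,7 @@, put_task_struct(task_struct) after the closing brace of the timeout branch is the only release of the reference taken before wake_up_process(), so any return added between the two in future would leak the task_struct. A one-line comment at the put naming the matching get_task_struct() would make the pairing explicit. Placing the put after kthread_stop(task_struct) is the right order, since kthread_stop() is the call that needs the task to stay valid; it is also worth confirming that nothing further down the function, beyond the lines shown here, still dereferences task_struct after the put.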