From: Xiubo Li <xiubli@xxxxxxxxxx> When closing the file descripters in parallel in multiple threads, who are sharing the same file descripters, the filp_close() will remove all the Posix-style locks. But if two threads both calling the filp_close() it may race and cause use-after-free crash: PID: 327771 TASK: ffff952aa1db3180 CPU: 8 COMMAND: "db2fmp" #0 [ffff95202f33b960] machine_kexec at ffffffff890662f4 #1 [ffff95202f33b9c0] __crash_kexec at ffffffff89122b82 #2 [ffff95202f33ba90] crash_kexec at ffffffff89122c70 #3 [ffff95202f33baa8] oops_end at ffffffff89791798 #4 [ffff95202f33bad0] no_context at ffffffff89075d14 #5 [ffff95202f33bb20] __bad_area_nosemaphore at ffffffff89075fe2 #6 [ffff95202f33bb70] bad_area_nosemaphore at ffffffff89076104 #7 [ffff95202f33bb80] __do_page_fault at ffffffff89794750 #8 [ffff95202f33bbf0] do_page_fault at ffffffff89794975 #9 [ffff95202f33bc20] page_fault at ffffffff89790778 [exception RIP: ceph_fl_release_lock+20] RIP: ffffffffc08247a4 RSP: ffff95202f33bcd0 RFLAGS: 00010286 RAX: ffff952d4ebd8a00 RBX: 0000000000000000 RCX: dead000000000200 RDX: ffff95202f33bd60 RSI: ffff95202f33bd60 RDI: ffff9526b6ac5b00 RBP: ffff95202f33bce0 R8: ffff9526b6ac5b18 R9: ffffffffc083c368 R10: 0000000000001109 R11: 0000000000000000 R12: ffff95202f33bd60 R13: ffff9526b6ac5b00 R14: 0000000000000000 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #10 [ffff95202f33bce8] locks_release_private at ffffffff892ab3d7 #11 [ffff95202f33bd00] locks_free_lock at ffffffff892ac34d #12 [ffff95202f33bd18] locks_dispose_list at ffffffff892ac44b #13 [ffff95202f33bd40] __posix_lock_file at ffffffff892acdfa #14 [ffff95202f33bda8] posix_lock_file at ffffffff892ad146 #15 [ffff95202f33bdb8] ceph_lock at ffffffffc0824e8a [ceph] #16 [ffff95202f33bdf8] vfs_lock_file at ffffffff892ad185 #17 [ffff95202f33be08] locks_remove_posix at ffffffff892ad239 #18 [ffff95202f33bee0] locks_remove_posix at ffffffff892ad2a0 #19 [ffff95202f33bef0] filp_close at ffffffff8924baa6 #20 [ffff95202f33bf18] __close_fd at ffffffff8926f89c #21 [ffff95202f33bf40] sys_close at ffffffff8924d503 #22 [ffff95202f33bf50] system_call_fastpath at ffffffff89799f92 RIP: 00007f806ec446ab RSP: 00007f80517f0d90 RFLAGS: 00010206 RAX: 0000000000000003 RBX: 00007f8030001a20 RCX: 00007f80300386b0 RDX: 00007f806ef0d880 RSI: 0000000000000001 RDI: 0000000000000006 RBP: 00007f806ef0e3c0 R8: 00007f80517fa700 R9: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 00007f80300035b0 R14: 00007f80517f1104 R15: 000000000000006c ORIG_RAX: 0000000000000003 CS: 0033 SS: 002b We need to make sure that the filp in the file_lock shouldn't be release when any file_lock is still referring to it. For the Posix-style locks, whose owner will be the thread ids, we will increase the filp's reference. URL: https://tracker.ceph.com/issues/57986 Signed-off-by: Xiubo Li <xiubli@xxxxxxxxxx> --- drivers/android/binder.c | 2 +- fs/file.c | 15 ++++++++++----- fs/locks.c | 18 +++++++++++++++--- include/linux/fs.h | 14 ++++++++++++++ io_uring/openclose.c | 3 ++- 5 files changed, 42 insertions(+), 10 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 880224ec6abb..03692564d940 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1924,7 +1924,7 @@ static void binder_deferred_fd_close(int fd) if (twcb->file) { // pin it until binder_do_fd_close(); see comments there get_file(twcb->file); - filp_close(twcb->file, current->files); + filp_close(twcb->file, file_lock_make_thread_owner(current->files)); task_work_add(current, &twcb->twork, TWA_RESUME); } else { kfree(twcb); diff --git a/fs/file.c b/fs/file.c index 5f9c802a5d8d..39ad8e74a8d9 100644 --- a/fs/file.c +++ b/fs/file.c @@ -417,6 +417,7 @@ static struct fdtable *close_files(struct files_struct * files) * files structure. */ struct fdtable *fdt = rcu_dereference_raw(files->fdt); + fl_owner_t owner = file_lock_make_thread_owner(files); unsigned int i, j = 0; for (;;) { @@ -429,7 +430,7 @@ static struct fdtable *close_files(struct files_struct * files) if (set & 1) { struct file * file = xchg(&fdt->fd[i], NULL); if (file) { - filp_close(file, files); + filp_close(file, owner); cond_resched(); } } @@ -653,6 +654,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) int close_fd(unsigned fd) { struct files_struct *files = current->files; + fl_owner_t owner = file_lock_make_thread_owner(files); struct file *file; spin_lock(&files->file_lock); @@ -661,7 +663,7 @@ int close_fd(unsigned fd) if (!file) return -EBADF; - return filp_close(file, files); + return filp_close(file, owner); } EXPORT_SYMBOL(close_fd); /* for ksys_close() */ @@ -695,6 +697,7 @@ static inline void __range_cloexec(struct files_struct *cur_fds, static inline void __range_close(struct files_struct *cur_fds, unsigned int fd, unsigned int max_fd) { + fl_owner_t owner = file_lock_make_thread_owner(cur_fds); unsigned n; rcu_read_lock(); @@ -711,7 +714,7 @@ static inline void __range_close(struct files_struct *cur_fds, unsigned int fd, if (file) { /* found a valid file to close */ - filp_close(file, cur_fds); + filp_close(file, owner); cond_resched(); } } @@ -816,6 +819,7 @@ struct file *close_fd_get_file(unsigned int fd) void do_close_on_exec(struct files_struct *files) { + fl_owner_t owner = file_lock_make_thread_owner(files); unsigned i; struct fdtable *fdt; @@ -841,7 +845,7 @@ void do_close_on_exec(struct files_struct *files) rcu_assign_pointer(fdt->fd[fd], NULL); __put_unused_fd(files, fd); spin_unlock(&files->file_lock); - filp_close(file, files); + filp_close(file, owner); cond_resched(); spin_lock(&files->file_lock); } @@ -1080,6 +1084,7 @@ static int do_dup2(struct files_struct *files, struct file *file, unsigned fd, unsigned flags) __releases(&files->file_lock) { + fl_owner_t owner = file_lock_make_thread_owner(files); struct file *tofree; struct fdtable *fdt; @@ -1111,7 +1116,7 @@ __releases(&files->file_lock) spin_unlock(&files->file_lock); if (tofree) - filp_close(tofree, files); + filp_close(tofree, owner); return fd; diff --git a/fs/locks.c b/fs/locks.c index 607f94a0e789..e8b67f87e0ee 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -331,6 +331,8 @@ EXPORT_SYMBOL_GPL(locks_owner_has_blockers); /* Free a lock which is not in use. */ void locks_free_lock(struct file_lock *fl) { + if (fl->fl_file && file_lock_is_thread_owner(fl->fl_owner)) + fput(fl->fl_file); locks_release_private(fl); kmem_cache_free(filelock_cache, fl); } @@ -384,7 +386,10 @@ void locks_copy_lock(struct file_lock *new, struct file_lock *fl) locks_copy_conflock(new, fl); - new->fl_file = fl->fl_file; + if (file_lock_is_thread_owner(new->fl_owner)) + new->fl_file = get_file(fl->fl_file); + else + new->fl_file = fl->fl_file; new->fl_ops = fl->fl_ops; if (fl->fl_ops) { @@ -488,13 +493,14 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl, } else fl->fl_end = OFFSET_MAX; - fl->fl_owner = current->files; + fl->fl_owner = file_lock_make_thread_owner(current->files); fl->fl_pid = current->tgid; - fl->fl_file = filp; + fl->fl_file = get_file(filp); fl->fl_flags = FL_POSIX; fl->fl_ops = NULL; fl->fl_lmops = NULL; + return assign_type(fl, l->l_type); } @@ -2243,6 +2249,7 @@ int fcntl_getlk(struct file *filp, unsigned int cmd, struct flock *flock) fl->fl_flags |= FL_OFDLCK; fl->fl_owner = filp; + fput(filp); } error = vfs_test_lock(filp, fl); @@ -2376,6 +2383,7 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, cmd = F_SETLK; file_lock->fl_flags |= FL_OFDLCK; file_lock->fl_owner = filp; + fput(filp); break; case F_OFD_SETLKW: error = -EINVAL; @@ -2385,6 +2393,7 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd, cmd = F_SETLKW; file_lock->fl_flags |= FL_OFDLCK; file_lock->fl_owner = filp; + fput(filp); fallthrough; case F_SETLKW: file_lock->fl_flags |= FL_SLEEP; @@ -2450,6 +2459,7 @@ int fcntl_getlk64(struct file *filp, unsigned int cmd, struct flock64 *flock) cmd = F_GETLK64; fl->fl_flags |= FL_OFDLCK; fl->fl_owner = filp; + fput(filp); } error = vfs_test_lock(filp, fl); @@ -2499,6 +2509,7 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, cmd = F_SETLK64; file_lock->fl_flags |= FL_OFDLCK; file_lock->fl_owner = filp; + fput(filp); break; case F_OFD_SETLKW: error = -EINVAL; @@ -2508,6 +2519,7 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd, cmd = F_SETLKW64; file_lock->fl_flags |= FL_OFDLCK; file_lock->fl_owner = filp; + fput(filp); fallthrough; case F_SETLKW64: file_lock->fl_flags |= FL_SLEEP; diff --git a/include/linux/fs.h b/include/linux/fs.h index e654435f1651..d7d81962a863 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1028,6 +1028,20 @@ static inline struct file *get_file(struct file *f) /* legacy typedef, should eventually be removed */ typedef void *fl_owner_t; +/* + * Set the last significant bit to 1 to mark that + * we have get a reference of the fl->fl_file. + */ +static inline fl_owner_t file_lock_make_thread_owner(fl_owner_t owner) +{ + return (fl_owner_t)((unsigned long)owner | 1UL); +} + +static inline bool file_lock_is_thread_owner(fl_owner_t owner) +{ + return ((unsigned long)owner & 1UL); +} + struct file_lock; struct file_lock_operations { diff --git a/io_uring/openclose.c b/io_uring/openclose.c index 67178e4bb282..5a12cdf7f8d0 100644 --- a/io_uring/openclose.c +++ b/io_uring/openclose.c @@ -212,6 +212,7 @@ int io_close_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) int io_close(struct io_kiocb *req, unsigned int issue_flags) { struct files_struct *files = current->files; + fl_owner_t owner = file_lock_make_thread_owner(files); struct io_close *close = io_kiocb_to_cmd(req, struct io_close); struct fdtable *fdt; struct file *file; @@ -247,7 +248,7 @@ int io_close(struct io_kiocb *req, unsigned int issue_flags) goto err; /* No ->flush() or already async, safely close from here */ - ret = filp_close(file, current->files); + ret = filp_close(file, owner); err: if (ret < 0) req_set_fail(req); -- 2.31.1