watch_queue: Fix missing locking in add_watch_to_object()

stable inclusion from stable-v5.10.135 commit 7fa8999b31674dc7697fa37a1eee088767cd84f3 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZWFM Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7fa8999b31674dc7697fa37a1eee088767cd84f3 -------------------------------- commit e64ab2db upstream. If a watch is being added to a queue, it needs to guard against interference from addition of a new watch, manual removal of a watch and removal of a watch due to some other queue being destroyed. KEYCTL_WATCH_KEY guards against this for the same {key,queue} pair by holding the key->sem writelocked and by holding refs on both the key and the queue - but that doesn't prevent interaction from other {key,queue} pairs. While add_watch_to_object() does take the spinlock on the event queue, it doesn't take the lock on the source's watch list. The assumption was that the caller would prevent that (say by taking key->sem) - but that doesn't prevent interference from the destruction of another queue. Fix this by locking the watcher list in add_watch_to_object(). Fixes: c73be61c ("pipe: Add general notification queue support") Reported-by: syzbot+03d7b43290037d1f87ca@syzkaller.appspotmail.com Signed-off-by: N David Howells <dhowells@redhat.com> cc: keyrings@vger.kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>

watch_queue: Fix missing locking in add_watch_to_object()
stable inclusion from stable-v5.10.135 commit 7fa8999b31674dc7697fa37a1eee088767cd84f3 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZWFM Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7fa8999b31674dc7697fa37a1eee088767cd84f3 -------------------------------- commit e64ab2db upstream. If a watch is being added to a queue, it needs to guard against interference from addition of a new watch, manual removal of a watch and removal of a watch due to some other queue being destroyed. KEYCTL_WATCH_KEY guards against this for the same {key,queue} pair by holding the key->sem writelocked and by holding refs on both the key and the queue - but that doesn't prevent interaction from other {key,queue} pairs. While add_watch_to_object() does take the spinlock on the event queue, it doesn't take the lock on the source's watch list. The assumption was that the caller would prevent that (say by taking key->sem) - but that doesn't prevent interference from the destruction of another queue. Fix this by locking the watcher list in add_watch_to_object(). Fixes: c73be61c ("pipe: Add general notification queue support") Reported-by: syzbot+03d7b43290037d1f87ca@syzkaller.appspotmail.com Signed-off-by: N David Howells <dhowells@redhat.com> cc: keyrings@vger.kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>
20eddb59 · Linus Torvalds · Zheng Zengkai · 3a3f4536 · 20eddb59
隐藏空白更改
内联并排

Showing with 36 addition and 22 deletion

kernel/watch_queue.c kernel/watch_queue.c +36 -22

未找到文件。
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -457,6 +457,33 @@ void init_watch(struct watch *watch, struct watch_queue *wqueue)
 	rcu_assign_pointer(watch->queue, wqueue);
 }
+static int add_one_watch(struct watch *watch, struct watch_list *wlist, struct watch_queue *wqueue)
+{
+	const struct cred *cred;
+	struct watch *w;
+	hlist_for_each_entry(w, &wlist->watchers, list_node) {
+		struct watch_queue *wq = rcu_access_pointer(w->queue);
+		if (wqueue == wq && watch->id == w->id)
+			return -EBUSY;
+	}
+	cred = current_cred();
+	if (atomic_inc_return(&cred->user->nr_watches) > task_rlimit(current, RLIMIT_NOFILE)) {
+		atomic_dec(&cred->user->nr_watches);
+		return -EAGAIN;
+	}
+	watch->cred = get_cred(cred);
+	rcu_assign_pointer(watch->watch_list, wlist);
+	kref_get(&wqueue->usage);
+	kref_get(&watch->usage);
+	hlist_add_head(&watch->queue_node, &wqueue->watches);
+	hlist_add_head_rcu(&watch->list_node, &wlist->watchers);
+	return 0;
+}
 /**
 * add_watch_to_object - Add a watch on an object to a watch list
 * @watch: The watch to add
@@ -471,34 +498,21 @@ void init_watch(struct watch *watch, struct watch_queue *wqueue)
 */
 int add_watch_to_object(struct watch *watch, struct watch_list *wlist)
 {
-	struct watch_queue *wqueue = rcu_access_pointer(watch->queue);
+	struct watch_queue *wqueue;
-	struct watch *w;
+	int ret = -ENOENT;
-	hlist_for_each_entry(w, &wlist->watchers, list_node) {
-		struct watch_queue *wq = rcu_access_pointer(w->queue);
-		if (wqueue == wq && watch->id == w->id)
-			return -EBUSY;
-	}
-	watch->cred = get_current_cred();
-	rcu_assign_pointer(watch->watch_list, wlist);
-	if (atomic_inc_return(&watch->cred->user->nr_watches) >
+	rcu_read_lock();
-	    task_rlimit(current, RLIMIT_NOFILE)) {
-		atomic_dec(&watch->cred->user->nr_watches);
-		put_cred(watch->cred);
-		return -EAGAIN;
-	}
+	wqueue = rcu_access_pointer(watch->queue);
 	if (lock_wqueue(wqueue)) {
-		kref_get(&wqueue->usage);
+		spin_lock(&wlist->lock);
-		kref_get(&watch->usage);
+		ret = add_one_watch(watch, wlist, wqueue);
-		hlist_add_head(&watch->queue_node, &wqueue->watches);
+		spin_unlock(&wlist->lock);
 		unlock_wqueue(wqueue);
 	}
-	hlist_add_head_rcu(&watch->list_node, &wlist->watchers);
+	rcu_read_unlock();
-	return 0;
+	return ret;
 }
 EXPORT_SYMBOL(add_watch_to_object);