From: Andrea Arcangeli <aarcange@redhat.com>
To: Andrew Morton <akpm@linux-foundation.org>,
Eric Biggers <ebiggers3@gmail.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
viro@zeniv.linux.org.uk, linux-mm@kvack.org,
syzkaller-bugs@googlegroups.com
Subject: [PATCH 1/1] userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
Date: Sat, 23 Dec 2017 01:25:05 +0100
Message-ID: <20171223002505.593-2-aarcange@redhat.com>
In-Reply-To: <20171223002505.593-1-aarcange@redhat.com>
The previous fix 384632e67e0829deb8015ee6ad916b180049d252 corrected
the refcounting in case of UFFD_EVENT_FORK failure for the fork
userfault paths. That still didn't clear the vma->vm_userfaultfd_ctx
of the vmas that were set to point to the aborted new uffd ctx earlier
in dup_userfaultfd.
Cc: stable@vger.kernel.org
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
---
fs/userfaultfd.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 896f810b6a06..1a88916455bd 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -591,11 +591,14 @@ int handle_userfault(struct vm_fault *vmf, unsigned long reason)
static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
struct userfaultfd_wait_queue *ewq)
{
+ struct userfaultfd_ctx *release_new_ctx;
+
if (WARN_ON_ONCE(current->flags & PF_EXITING))
goto out;
ewq->ctx = ctx;
init_waitqueue_entry(&ewq->wq, current);
+ release_new_ctx = NULL;
spin_lock(&ctx->event_wqh.lock);
/*
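Review bot: `release_new_ctx` is declared uninitialized and only set to NULL after the `WARN_ON_ONCE(current->flags & PF_EXITING)` early exit, so its correctness depends on the `out` label sitting past the new `if (release_new_ctx)` block added later in this function; initializing at the declaration (`struct userfaultfd_ctx *release_new_ctx = NULL;`) removes that dependence on the `goto out` placement and drops the separate assignment line.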
@@ -622,8 +625,7 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
new = (struct userfaultfd_ctx *)
(unsigned long)
ewq->msg.arg.reserved.reserved1;
-
- userfaultfd_ctx_put(new);
+ release_new_ctx = new;
}
break;
}
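Review bot: the replacement of `userfaultfd_ctx_put(new)` with `release_new_ctx = new` needs a one-line comment at the assignment saying why the release is deferred (the put is moved out from under `ctx->event_wqh.lock` so that the vma cleanup can take `mm->mmap_sem` before the last reference is dropped); without it a reader of this branch will assume the reference is leaked. Something like `/* deferred: vmas still reference it, released after unlock */` would do.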
@@ -638,6 +640,20 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
__set_current_state(TASK_RUNNING);
spin_unlock(&ctx->event_wqh.lock);
+ if (release_new_ctx) {
+ struct vm_area_struct *vma;
+ struct mm_struct *mm = release_new_ctx->mm;
+
+ /* the various vma->vm_userfaultfd_ctx still points to it */
+ down_write(&mm->mmap_sem);
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+ if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
+ vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
+ up_write(&mm->mmap_sem);
+
+ userfaultfd_ctx_put(release_new_ctx);
+ }
+
/*
* ctx may go away after this if the userfault pseudo fd is
* already released.
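Review bot: the new block takes `down_write(&mm->mmap_sem)` on the mm of the aborted child ctx while walking the vma list; please confirm that no caller reaches `userfaultfd_event_wait_completion()` with that mmap_sem already held, and state the locking expectation in the comment, since a nested acquisition here would deadlock rather than fail loudly. The comment `/* the various vma->vm_userfaultfd_ctx still points to it */` should also say what goes wrong otherwise: the vmas were pointed at this ctx in dup_userfaultfd and, once `userfaultfd_ctx_put()` drops the last reference, they would be left holding a dangling ctx pointer. Finally, the loop resets only `vma->vm_userfaultfd_ctx` and leaves the vma's userfaultfd vm_flags as they were, so it is worth confirming that a vma with those flags set and a NULL ctx is handled by the fault path, or clearing the flags in the same pass.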
--