Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Carlos Llamas <cmllamas@google.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.com>,
	Guenter Roeck <groeck@chromium.org>,
	Douglas Anderson <dianders@chromium.org>,
	Christian Brauner <brauner@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15
Date: Thu, 29 Sep 2022 14:39:43 +0000	[thread overview]
Message-ID: <YzWuL4H+jf6Yzu7i@google.com> (raw)
In-Reply-To: <CAJuCfpHS-eZFHvauzdoke_BLMs3em2=ag6qvHPs_rz8=-rTUBA@mail.gmail.com>

On Wed, Sep 28, 2022 at 04:21:27PM -0700, Suren Baghdasaryan wrote:
> > However, I wonder why isn't ->mmap() being undone for this exit path in
> > mmap_region()? If anything fails _after_ call_mmap() it seems we
> > silently unmap and free the vma. What about allocations, atomic_incs,
> > and anything done inside ->mmap()?
> 
> I think if ->mmap() fails it is expected to undo its own changes
> before returning the error. mmap_region() has no idea what kind of
> changes ->mmap() has done before it failed, therefore it can't undo
> them. At least that's how I understand it.

I agree ->mmap() should undo its own changes if it fails. However, the
scenario I'm referring to is an error _after_ ->mmap() call succeeds.
In this case it can be the arch_validate_flags() check. On error, the
vma is torn down and the drivers are never informed about it.

> > Shouldn't a ->close() be needed here
> > to undo these things as such:
> > --
> > @@ -1872,6 +1889,9 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> >
> >         return addr;
> >
> > +undo_mmap:
> > +       if (vma->vm_ops && vma->vm_ops->close)
> > +               vma->vm_ops->close(vma);
> >  unmap_and_free_vma:
> >         fput(vma->vm_file);
> >         vma->vm_file = NULL;
> > --
> >
> 
> I don't see mmap_region() calling vma->vm_ops->open() anywhere. So why
> would it have to call vma->vm_ops->close()?

My understanding is ->mmap() is called on the very first mapping and
vm_ops->close() is subsequently called whenever a mapping is removed.
So IIUC a vm_ops->open() is not required in this exchange.

There are multiple places where I can see rely on this behavior. Just to
provide an example, look at coda_file_mmap() which allocates cvm_ops and
increments references on ->mmap(). It then expects coda_vm_close() to be
called when the vma is removed to decrement these references and lastly
free cvm_ops. However, if mmap_region() fails after ->mmap() call then
vm_ops->close() is never invoked and the reference count in coda is now
off making cvm_ops leaked memory.

Other type of issues happen depending on the ->mmap() implementation. In
our case it was a BUG_ON() in binder.

I don't know if adding vm_ops->close() to the exit error path is an
appropriate solution. Perhaps ->mmap() should be a point of no return
instead and vm_flags should be validated earlier? I would be concerned
about drivers modifying the vm_flags during ->mmap() though. I'll send
out a patch to get more feedback on this vm_ops->close().

--
Carlos Llamas

     prev parent reply	other threads:[~2022-09-29 14:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-08 20:28 BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15 Carlos Llamas
2022-09-08 22:33 ` Suren Baghdasaryan
2022-09-09 19:35   ` Carlos Llamas
2022-09-09 20:03     ` Suren Baghdasaryan
2022-09-12 19:11       ` Carlos Llamas
2022-09-13  6:36         ` Liam Howlett
2022-09-23 20:50           ` Carlos Llamas
2022-09-28 23:21             ` Suren Baghdasaryan
2022-09-29 14:39               ` Carlos Llamas [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YzWuL4H+jf6Yzu7i@google.com \
    --to=cmllamas@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=dianders@chromium.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=liam.howlett@oracle.com \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@suse.com \
    --cc=surenb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.