All of lore.kernel.org
 help / color / mirror / Atom feed
From: Matthew Wilcox <willy@infradead.org>
To: Jann Horn <jannh@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	syzbot <syzbot+8645fe63c4d22c8d27b8@syzkaller.appspotmail.com>
Subject: Re: [syzbot] [mm?] WARNING: suspicious RCU usage in mas_walk (2)
Date: Thu, 27 Jul 2023 19:17:06 +0100	[thread overview]
Message-ID: <ZMK0ony0LG2SL2Ha@casper.infradead.org> (raw)
In-Reply-To: <CAG48ez1yg7m=aNsjNiGt_s0_tEBEmEXXx0-vijuN9MBmoxL7PQ@mail.gmail.com>

On Thu, Jul 27, 2023 at 07:59:33PM +0200, Jann Horn wrote:
> On Thu, Jul 27, 2023 at 7:22 PM Suren Baghdasaryan <surenb@google.com> wrote:
> > Hmm. lock_vma_under_rcu() specifically checks for vma->anon_vma==NULL
> > condition (see [1]) to avoid going into find_mergeable_anon_vma() (a
> > check inside anon_vma_prepare() should prevent that). So, it should
> > fall back to mmap_lock'ing.
> 
> This syzkaller report applies to a tree with Willy's in-progress patch
> series, where lock_vma_under_rcu() only checks for vma->anon_vma if
> vma_is_anonymous() is true - it permits private non-anonymous VMAs
> (which require an anon_vma for handling write faults)  even if they
> don't have an anon_vma.
> 
> The commit bisected by syzkaller
> (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a52f58b34afe095ebc5823684eb264404dad6f7b)
> removes the vma_is_anonymous() check in handle_pte_fault(), so it lets
> us reach do_wp_page() with a non-anonymous private VMA without
> anon_vma, even though that requires allocation of an anon_vma.
> 
> So I think this is pretty clearly an issue with Willy's in-progress
> patch series that syzkaller blamed correctly.

Agreed.  What do we think the right solution is?

Option 1:

+++ b/mm/memory.c
@@ -3197,6 +3197,12 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
        struct mmu_notifier_range range;
        int ret;

+       if (!vma->anon_vma) {
+               // check if there are other things to undo here
+               vma_end_read(vmf->vma);
+               return VM_FAULT_RETRY;
+       }
+
        delayacct_wpcopy_start();

Option 2:

@@ -5581,7 +5587,8 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm,
                goto inval;

        /* find_mergeable_anon_vma uses adjacent vmas which are not locked */
-       if (vma_is_anonymous(vma) && !vma->anon_vma)
+       if ((vma_is_anonymous(vma) ||
+            vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) && !vma->anon_vma)
                goto inval;

The problem with option 2 is that we don't know whether this is a write
fault or not, so we'll handle read faults on private file
mappings under the mmap_lock UNTIL somebody writes to the mapping, which
might be never.  That seems like a bad idea.

We could pass FAULT_FLAG_WRITE into lock_vma_under_rcu(), but that also
seems like a bad idea.  I dunno.  Three bad ideas.  Anyone think of a
good one?


  parent reply	other threads:[~2023-07-27 18:17 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-06  3:12 [syzbot] [mm?] WARNING: suspicious RCU usage in mas_walk (2) syzbot
2023-07-06 16:53 ` Liam R. Howlett
2023-07-25 20:27 ` syzbot
2023-07-26  6:57 ` syzbot
2023-07-27 16:47   ` Liam R. Howlett
2023-07-27 17:22     ` Suren Baghdasaryan
2023-07-27 17:59       ` Jann Horn
2023-07-27 18:12         ` Liam R. Howlett
2023-07-27 18:17         ` Matthew Wilcox [this message]
2023-07-27 18:31           ` Suren Baghdasaryan
2023-07-27 18:46             ` Matthew Wilcox
2023-07-27 19:20           ` Jann Horn
2023-07-27 20:08             ` Matthew Wilcox
2023-07-27 18:50   ` Matthew Wilcox
2023-07-27 18:50     ` syzbot
2023-07-27 18:52   ` Matthew Wilcox
2023-07-27 18:53     ` syzbot
2023-07-27 18:54       ` Matthew Wilcox
2023-07-27 19:12         ` Aleksandr Nogikh
2023-07-27 18:56   ` Matthew Wilcox
2023-07-27 19:17     ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZMK0ony0LG2SL2Ha@casper.infradead.org \
    --to=willy@infradead.org \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=jannh@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=surenb@google.com \
    --cc=syzbot+8645fe63c4d22c8d27b8@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.