From: Pei Li
Date: Wed, 10 Jul 2024 22:13:17 -0700
Subject: [PATCH] mm: Fix mmap_assert_locked() in follow_pte()
Message-Id: <20240710-bug12-v1-1-0e5440f9b8d3@gmail.com>
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com, Pei Li

This patch fixes this warning by acquiring read lock before entering
untrack_pfn() while write lock is not held.

syzbot has tested the proposed patch and the reproducer did not trigger
any issue.

Reported-by: syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=35a4414f6e247f515443
Tested-by: syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com
Signed-off-by: Pei Li
---
Syzbot reported the following warning in follow_pte():

WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 rwsem_assert_held include/linux/rwsem.h:195 [inline]
WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 mmap_assert_locked include/linux/mmap_lock.h:65 [inline]
WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 follow_pte+0x414/0x4c0 mm/memory.c:5980

This is because we are assuming that mm->mmap_lock should be held when
entering follow_pte(). This is added in commit c5541ba378e3 (mm: follow_pte()
improvements).

However, in the following call stack, we are not acquiring the lock:

follow_phys arch/x86/mm/pat/memtype.c:957 [inline]
get_pat_info+0xf2/0x510 arch/x86/mm/pat/memtype.c:991
untrack_pfn+0xf7/0x4d0 arch/x86/mm/pat/memtype.c:1104
unmap_single_vma+0x1bd/0x2b0 mm/memory.c:1819
zap_page_range_single+0x326/0x560 mm/memory.c:1920

In zap_page_range_single(), we passed mm_wr_locked as false, as we do not
expect write lock to be held. In the special case where vma->vm_flags is set
as VM_PFNMAP, we are hitting untrack_pfn() which eventually calls into
follow_phys.

This patch fixes this warning by acquiring read lock before entering
untrack_pfn() while write lock is not held.

syzbot has tested the proposed patch and the reproducer did not trigger any
issue:

Tested on:

commit:         9d9a2f29 Merge tag 'mm-hotfixes-stable-2024-07-10-13-1..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13be8021980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3456bae478301dc8
dashboard link: https://syzkaller.appspot.com/bug?extid=35a4414f6e247f515443
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145e3441980000

Note: testing is done by a robot and is best-effort only.
---
 mm/memory.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mm/memory.c b/mm/memory.c
index d10e616d7389..75d7959b835b 100644
--- a/mm/memory.c +++ b/mm/memory.c @@ -1815,9 +1815,16 @@ static void unmap_single_vma(struct mmu_gather *tlb, if (vma->vm_file) uprobe_munmap(vma, start, end); - if (unlikely(vma->vm_flags & VM_PFNMAP)) + if (unlikely(vma->vm_flags & VM_PFNMAP)) { + if (!mm_wr_locked) + mmap_read_lock(vma->vm_mm); + untrack_pfn(vma, 0, 0, mm_wr_locked); + if (!mm_wr_locked) + mmap_read_unlock(vma->vm_mm); + } + if (start != end) { if (unlikely(is_vm_hugetlb_page(vma))) { /* --- base-commit: 734610514cb0234763cc97ddbd235b7981889445 change-id: 20240710-bug12-fecfe4bb0dcb Best regards, -- Pei Li
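Review bot: in the new VM_PFNMAP block, `!mm_wr_locked` only says the caller does not hold mmap_lock for writing; it does not say the caller holds no mmap_lock at all. The cover note explains that zap_page_range_single() passes mm_wr_locked as false because the write lock is not expected, but a caller that already holds mmap_lock for reading would now perform a nested mmap_read_lock() on the same rwsem, which can deadlock if a writer queues between the two acquisitions and which lockdep flags. Before this lands, the callers that can reach unmap_single_vma() with mm_wr_locked false and a VM_PFNMAP vma should be enumerated and checked for what they actually hold, and the ordering of mmap_lock against any other lock already held on those paths verified; if some callers hold the lock and others hold nothing, the caller is the right place to take it (or to pass an accurate locking state), not unmap_single_vma(). Minor: `untrack_pfn(vma, 0, 0, mm_wr_locked);` still passes the write-locked flag unchanged, which is correct for a read lock, but a short comment above the block stating that the read lock is taken only to satisfy the mmap_assert_locked() in follow_pte() reached via the PAT path would help the next reader.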