From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 6.3 21/29] mm: make find_extend_vma() fail if write lock not held
Date: Thu, 29 Jun 2023 20:43:51 +0200 [thread overview]
Message-ID: <20230629184152.582908898@linuxfoundation.org> (raw)
In-Reply-To: <20230629184151.705870770@linuxfoundation.org>
From: Liam R. Howlett <Liam.Howlett@oracle.com>
commit f440fa1ac955e2898893f9301568435eb5cdfc4b upstream.
Make calls to extend_vma() and find_extend_vma() fail if the write lock
is required.
To avoid making this a flag-day event, this still allows the old
read-locking case for the trivial situations, and passes in a flag to
say "is it write-locked". That way write-lockers can say "yes, I'm
being careful", and legacy users will continue to work in all the common
cases until they have been fully converted to the new world order.
Co-Developed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_elf.c | 6 +++---
fs/exec.c | 5 +++--
include/linux/mm.h | 10 +++++++---
mm/memory.c | 2 +-
mm/mmap.c | 50 +++++++++++++++++++++++++++++++++-----------------
mm/nommu.c | 3 ++-
6 files changed, 49 insertions(+), 27 deletions(-)
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -320,10 +320,10 @@ create_elf_tables(struct linux_binprm *b
* Grow the stack manually; some architectures have a limit on how
* far ahead a user-space access may be in order to grow the stack.
*/
- if (mmap_read_lock_killable(mm))
+ if (mmap_write_lock_killable(mm))
return -EINTR;
- vma = find_extend_vma(mm, bprm->p);
- mmap_read_unlock(mm);
+ vma = find_extend_vma_locked(mm, bprm->p, true);
+ mmap_write_unlock(mm);
if (!vma)
return -EFAULT;
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -204,7 +204,8 @@ static struct page *get_arg_page(struct
#ifdef CONFIG_STACK_GROWSUP
if (write) {
- ret = expand_downwards(bprm->vma, pos);
+ /* We claim to hold the lock - nobody to race with */
+ ret = expand_downwards(bprm->vma, pos, true);
if (ret < 0)
return NULL;
}
@@ -852,7 +853,7 @@ int setup_arg_pages(struct linux_binprm
stack_base = vma->vm_end - stack_expand;
#endif
current->mm->start_stack = bprm->p;
- ret = expand_stack(vma, stack_base);
+ ret = expand_stack_locked(vma, stack_base, true);
if (ret)
ret = -EFAULT;
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3065,11 +3065,13 @@ extern vm_fault_t filemap_page_mkwrite(s
extern unsigned long stack_guard_gap;
/* Generic expand stack which grows the stack according to GROWS{UP,DOWN} */
-extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
+int expand_stack_locked(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked);
+#define expand_stack(vma,addr) expand_stack_locked(vma,addr,false)
/* CONFIG_STACK_GROWSUP still needs to grow downwards at some places */
-extern int expand_downwards(struct vm_area_struct *vma,
- unsigned long address);
+int expand_downwards(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked);
#if VM_GROWSUP
extern int expand_upwards(struct vm_area_struct *vma, unsigned long address);
#else
@@ -3170,6 +3172,8 @@ unsigned long change_prot_numa(struct vm
#endif
struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
+struct vm_area_struct *find_extend_vma_locked(struct mm_struct *,
+ unsigned long addr, bool write_locked);
int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
unsigned long pfn, unsigned long size, pgprot_t);
int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5336,7 +5336,7 @@ struct vm_area_struct *lock_mm_and_find_
goto fail;
}
- if (expand_stack(vma, addr))
+ if (expand_stack_locked(vma, addr, true))
goto fail;
success:
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1898,7 +1898,8 @@ static int acct_stack_growth(struct vm_a
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
-int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+int expand_upwards(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked)
{
struct mm_struct *mm = vma->vm_mm;
struct vm_area_struct *next;
@@ -1922,6 +1923,8 @@ int expand_upwards(struct vm_area_struct
if (gap_addr < address || gap_addr > TASK_SIZE)
gap_addr = TASK_SIZE;
+ if (!write_locked)
+ return -EAGAIN;
next = find_vma_intersection(mm, vma->vm_end, gap_addr);
if (next && vma_is_accessible(next)) {
if (!(next->vm_flags & VM_GROWSUP))
@@ -1991,7 +1994,8 @@ int expand_upwards(struct vm_area_struct
/*
* vma is the first one with address < vma->vm_start. Have to extend vma.
*/
-int expand_downwards(struct vm_area_struct *vma, unsigned long address)
+int expand_downwards(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked)
{
struct mm_struct *mm = vma->vm_mm;
MA_STATE(mas, &mm->mm_mt, vma->vm_start, vma->vm_start);
@@ -2005,10 +2009,13 @@ int expand_downwards(struct vm_area_stru
/* Enforce stack_guard_gap */
prev = mas_prev(&mas, 0);
/* Check that both stack segments have the same anon_vma? */
- if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
- vma_is_accessible(prev)) {
- if (address - prev->vm_end < stack_guard_gap)
+ if (prev) {
+ if (!(prev->vm_flags & VM_GROWSDOWN) &&
+ vma_is_accessible(prev) &&
+ (address - prev->vm_end < stack_guard_gap))
return -ENOMEM;
+ if (!write_locked && (prev->vm_end == address))
+ return -EAGAIN;
}
if (mas_preallocate(&mas, GFP_KERNEL))
@@ -2087,13 +2094,14 @@ static int __init cmdline_parse_stack_gu
__setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
#ifdef CONFIG_STACK_GROWSUP
-int expand_stack(struct vm_area_struct *vma, unsigned long address)
+int expand_stack_locked(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked)
{
- return expand_upwards(vma, address);
+ return expand_upwards(vma, address, write_locked);
}
-struct vm_area_struct *
-find_extend_vma(struct mm_struct *mm, unsigned long addr)
+struct vm_area_struct *find_extend_vma_locked(struct mm_struct *mm,
+ unsigned long addr, bool write_locked)
{
struct vm_area_struct *vma, *prev;
@@ -2101,20 +2109,25 @@ find_extend_vma(struct mm_struct *mm, un
vma = find_vma_prev(mm, addr, &prev);
if (vma && (vma->vm_start <= addr))
return vma;
- if (!prev || expand_stack(prev, addr))
+ if (!prev)
+ return NULL;
+ if (expand_stack_locked(prev, addr, write_locked))
return NULL;
if (prev->vm_flags & VM_LOCKED)
populate_vma_page_range(prev, addr, prev->vm_end, NULL);
return prev;
}
#else
-int expand_stack(struct vm_area_struct *vma, unsigned long address)
+int expand_stack_locked(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked)
{
- return expand_downwards(vma, address);
+ if (unlikely(!(vma->vm_flags & VM_GROWSDOWN)))
+ return -EINVAL;
+ return expand_downwards(vma, address, write_locked);
}
-struct vm_area_struct *
-find_extend_vma(struct mm_struct *mm, unsigned long addr)
+struct vm_area_struct *find_extend_vma_locked(struct mm_struct *mm,
+ unsigned long addr, bool write_locked)
{
struct vm_area_struct *vma;
unsigned long start;
@@ -2125,10 +2138,8 @@ find_extend_vma(struct mm_struct *mm, un
return NULL;
if (vma->vm_start <= addr)
return vma;
- if (!(vma->vm_flags & VM_GROWSDOWN))
- return NULL;
start = vma->vm_start;
- if (expand_stack(vma, addr))
+ if (expand_stack_locked(vma, addr, write_locked))
return NULL;
if (vma->vm_flags & VM_LOCKED)
populate_vma_page_range(vma, addr, start, NULL);
@@ -2136,6 +2147,11 @@ find_extend_vma(struct mm_struct *mm, un
}
#endif
+struct vm_area_struct *find_extend_vma(struct mm_struct *mm,
+ unsigned long addr)
+{
+ return find_extend_vma_locked(mm, addr, false);
+}
EXPORT_SYMBOL_GPL(find_extend_vma);
/*
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -643,7 +643,8 @@ struct vm_area_struct *find_extend_vma(s
* expand a stack to a given address
* - not supported under NOMMU conditions
*/
-int expand_stack(struct vm_area_struct *vma, unsigned long address)
+int expand_stack_locked(struct vm_area_struct *vma, unsigned long address,
+ bool write_locked)
{
return -ENOMEM;
}
next prev parent reply other threads:[~2023-06-29 18:46 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-29 18:43 [PATCH 6.3 00/29] 6.3.11-rc1 review Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 01/29] mm/mmap: Fix error path in do_vmi_align_munmap() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 02/29] mm/mmap: Fix error return " Greg Kroah-Hartman
2023-07-03 9:23 ` David Woodhouse
2023-07-03 10:02 ` Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 03/29] x86/microcode/AMD: Load late on both threads too Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 04/29] x86/smp: Make stop_other_cpus() more robust Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 05/29] x86/smp: Dont access non-existing CPUID leaf Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 06/29] x86/smp: Remove pointless wmb()s from native_stop_other_cpus() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 07/29] x86/smp: Use dedicated cache-line for mwait_play_dead() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 08/29] x86/smp: Cure kexec() vs. mwait_play_dead() breakage Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 09/29] cpufreq: amd-pstate: Make amd-pstate EPP driver name hyphenated Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 10/29] can: isotp: isotp_sendmsg(): fix return error fix on TX path Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 11/29] maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 12/29] mm: introduce new lock_mm_and_find_vma() page fault helper Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 13/29] mm: make the page fault mmap locking killable Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 14/29] arm64/mm: Convert to using lock_mm_and_find_vma() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 15/29] powerpc/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 16/29] mips/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 17/29] riscv/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 18/29] arm/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 19/29] mm/fault: convert remaining simple cases to lock_mm_and_find_vma() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 20/29] powerpc/mm: convert coprocessor fault " Greg Kroah-Hartman
2023-06-29 18:43 ` Greg Kroah-Hartman [this message]
2023-06-29 18:43 ` [PATCH 6.3 22/29] execve: expand new process stack manually ahead of time Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 23/29] mm: always expand the stack with the mmap write lock held Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 24/29] gup: add warning if some caller would seem to want stack expansion Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 25/29] fbdev: fix potential OOB read in fast_imageblit() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 26/29] HID: hidraw: fix data race on device refcount Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 27/29] HID: wacom: Use ktime_t rather than int when dealing with timestamps Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 28/29] HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651 Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.3 29/29] Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe" Greg Kroah-Hartman
2023-06-29 21:54 ` [PATCH 6.3 00/29] 6.3.11-rc1 review Daniel Díaz
2023-06-30 5:19 ` Greg Kroah-Hartman
2023-06-30 5:25 ` Daniel Díaz
2023-06-30 5:50 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230629184152.582908898@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Liam.Howlett@oracle.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox