From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Oleg Nesterov <oleg@redhat.com>,
	Kefeng Wang <wangkefeng.wang@huawei.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Peter Xu <peterx@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>,
	Jann Horn <jannh@google.com>, Jason Gunthorpe <jgg@mellanox.com>,
	Michal Hocko <mhocko@suse.com>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.19 69/98] userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
Date: Tue, 27 Aug 2019 09:50:48 +0200	[thread overview]
Message-ID: <20190827072721.875788723@linuxfoundation.org> (raw)
In-Reply-To: <20190827072718.142728620@linuxfoundation.org>

From: Oleg Nesterov <oleg@redhat.com>

commit 46d0b24c5ee10a15dfb25e20642f5a5ed59c5003 upstream.

userfaultfd_release() should clear vm_flags/vm_userfaultfd_ctx even if
mm->core_state != NULL.

Otherwise a page fault can see userfaultfd_missing() == T and use an
already freed userfaultfd_ctx.

Link: http://lkml.kernel.org/r/20190820160237.GB4983@redhat.com
Fixes: 04f5866e41fb ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/userfaultfd.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -881,6 +881,7 @@ static int userfaultfd_release(struct in
 	/* len == 0 means wake all */
 	struct userfaultfd_wake_range range = { .len = 0, };
 	unsigned long new_flags;
+	bool still_valid;
 
 	WRITE_ONCE(ctx->released, true);
 
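Review bot: the new `still_valid` flag is declared without a comment saying why the VMA walk must now run even while the mm is being core-dumped; that reasoning (a page fault could otherwise see userfaultfd_missing() and touch an already freed userfaultfd_ctx) exists only in the commit message. A one-line comment at the declaration, e.g. `/* false while core dumping: skip vma_merge() but still clear uffd state */`, would keep the invariant visible next to the code that relies on it.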
@@ -896,8 +897,7 @@ static int userfaultfd_release(struct in
 	 * taking the mmap_sem for writing.
 	 */
 	down_write(&mm->mmap_sem);
-	if (!mmget_still_valid(mm))
-		goto skip_mm;
+	still_valid = mmget_still_valid(mm);
 	prev = NULL;
 	for (vma = mm->mmap; vma; vma = vma->vm_next) {
 		cond_resched();
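Review bot: replacing the early `goto skip_mm` with `still_valid = mmget_still_valid(mm)` changes the behaviour the comment just above ("taking the mmap_sem for writing") describes: the function no longer bails out of the VMA loop when the core dump is in progress, it only skips vma_merge(). That comment should be updated to state that VM_UFFD_MISSING/VM_UFFD_WP and vm_userfaultfd_ctx are cleared regardless of the core_state check, otherwise the next reader will assume the whole walk is skipped in that case and may reintroduce the race.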
@@ -908,19 +908,20 @@ static int userfaultfd_release(struct in
 			continue;
 		}
 		new_flags = vma->vm_flags & ~(VM_UFFD_MISSING | VM_UFFD_WP);
-		prev = vma_merge(mm, prev, vma->vm_start, vma->vm_end,
-				 new_flags, vma->anon_vma,
-				 vma->vm_file, vma->vm_pgoff,
-				 vma_policy(vma),
-				 NULL_VM_UFFD_CTX);
-		if (prev)
-			vma = prev;
-		else
-			prev = vma;
+		if (still_valid) {
+			prev = vma_merge(mm, prev, vma->vm_start, vma->vm_end,
+					 new_flags, vma->anon_vma,
+					 vma->vm_file, vma->vm_pgoff,
+					 vma_policy(vma),
+					 NULL_VM_UFFD_CTX);
+			if (prev)
+				vma = prev;
+			else
+				prev = vma;
+		}
 		vma->vm_flags = new_flags;
 		vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
 	}
-skip_mm:
 	up_write(&mm->mmap_sem);
 	mmput(mm);
 wakeup:
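Review bot: the `if (still_valid)` guard leaves adjacent VMAs with now-identical flags unmerged when the mm is being dumped, which is acceptable since the mm is on its way out, but that trade-off deserves a short comment on the branch so nobody "fixes" it later by moving vma_merge() back out of the guard. The important part of the hunk is that `vma->vm_flags = new_flags` and `vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX` now execute unconditionally under the mmap_sem write lock, which is what closes the window against a concurrent fault. With `skip_mm:` removed, please confirm no other `goto skip_mm` remains elsewhere in userfaultfd_release() (the diff only shows the one removed at the mmget_still_valid() check; the compiler would reject a dangling goto, so this is a build-time check rather than a runtime risk).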



2019-08-27  7:49 [PATCH 4.19 00/98] 4.19.69-stable review Greg Kroah-Hartman
