From: Hugh Dickins <hughd@google•com>
To: Andrew Morton <akpm@linux-foundation•org>
Cc: Miaohe Lin <linmiaohe@huawei•com>,
David Hildenbrand <david@redhat•com>,
Peter Zijlstra <peterz@infradead•org>,
Yang Shi <shy828301@gmail•com>, Peter Xu <peterx@redhat•com>,
linux-kernel@vger•kernel.org, Song Liu <song@kernel•org>,
sparclinux@vger•kernel.org,
Alexander Gordeev <agordeev@linux•ibm.com>,
Claudio Imbrenda <imbrenda@linux•ibm.com>,
Will Deacon <will@kernel•org>,
linux-s390@vger•kernel.org, Yu Zhao <yuzhao@google•com>,
Ira Weiny <ira.weiny@intel•com>,
Alistair Popple <apopple@nvidia•com>,
Russell King <linux@armlinux•org.uk>,
Matthew Wilcox <willy@infradead•org>,
Steven Price <steven.price@arm•com>,
Christoph Hellwig <hch@infradead•org>,
Jason Gunthorpe <jgg@ziepe•ca>,
"Aneesh Kumar K.V" <aneesh.kumar@linux•ibm.com>,
Zi Yan <ziy@nvidia•com>, Huang Ying <ying.huang@intel•com>,
Axel Rasmussen <axelrasmussen@google•com>,
Gerald Schaefer <gerald.schaefer@linux•ibm.com>,
Christian Borntraeger <borntraeger@linux•ibm.com>,
Thomas Hellstrom <thomas.hellstrom@linux•intel.com>,
Ralph Campbell <rcampbell@nvidia•com>,
Pasha Tatashin <pasha.tatashin@soleen•com>,
Vasily Gorbik <gor@linux•ibm.com>,
Anshuman Khandual <anshuman.khandual@arm•com>,
Heiko Carstens <hca@linux•ibm.com>,
Qi Zheng <zhengqi.arch@bytedance•com>,
Suren Baghdasaryan <surenb@google•com>,
Vlastimil Babka <vbabka@suse•cz>,
linux-arm-kernel@lists•infradead.org,
SeongJae Park <sj@kernel•org>,
Lorenzo Stoakes <lstoakes@gmail•com>,
Jann Horn <jannh@google•com>,
linux-mm@kvack•org, linuxppc-dev@lists•ozlabs.org,
Naoya Horiguchi <naoya.horiguchi@nec•com>,
Zack Rusin <zackr@vmware•com>,
Vishal Moola <vishal.moola@gmail•com>,
Minchan Kim <minchan@kernel•org>,
"Kirill A. Shutemov" <kirill.shutemov@linux•intel.com>,
Mel Gorman <mgorman@techsingularity•net>,
"David S. Miller" <davem@davemloft•net>,
Mike Rapoport <rppt@kernel•org>,
Mike Kravetz <mike.kravetz@oracle•com>
Subject: [PATCH v3 10/13 fix] mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock(): fix
Date: Sun, 23 Jul 2023 15:32:27 -0700 (PDT)
Message-ID: <d3d9ff14-ef8-8f84-e160-bfa1f5794275@google.com>
In-Reply-To: <b53be6a4-7715-51f9-aad-f1347dcb7c4@google.com>
madvise_collapse() setting "mmap_locked = true" after calling
collapse_pte_mapped_thp() looked good but was wrong. If the loop then
moves on to the next extent, mmap_locked assures it that "vma" has been
revalidated under mmap_lock, which was not the case: and led to UAFs,
crashes in __fput() or task_work_run(), even collapse_file()'s
VM_BUG_ON(start & (HPAGE_PMD_NR - 1)) - all detected by syzbot.
(collapse_pte_mapped_thp() does validate the vma that it works on:
but it's not passed in as an argument, collapse_pte_mapped_thp() finds
the vma for mm and addr by itself - which may by this time have changed
from the vma saved in madvise_collapse().)
Reported-by: syzbot+fe7b1487405295d29268@syzkaller•appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f9de430600ae05db@google.com/
Reported-by: syzbot+173cc8cfdfbbef6dd755@syzkaller•appspotmail.com
Closes: https://lore.kernel.org/linux-mm/000000000000e4b0f0060123ca40@google.com/
Signed-off-by: Hugh Dickins <hughd@google•com>
---
mm/khugepaged.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index 6bad69c0e4bd..1c773db26e88 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -2747,7 +2747,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev,
BUG_ON(*prev);
mmap_read_lock(mm);
result = collapse_pte_mapped_thp(mm, addr, true);
- mmap_locked = true;
+ mmap_read_unlock(mm);
goto handle_result;
/* Whitelisted set of results where continuing OK */
case SCAN_PMD_NULL:
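Review bot: with `mmap_locked = true` gone, the lock taken by `mmap_read_lock(mm);` two lines above is released by `mmap_read_unlock(mm);` in the same arm and `mmap_locked` keeps the value it had on entry; that value has to be false here (the arm takes the lock itself), but nothing in the hunk says so and the `handle_result` code that consumes the flag is out of view, so a one-line comment at the unlock, e.g. `/* vma was not revalidated: the next iteration must do it */`, would record why the flag is deliberately left unset. Worth confirming that no path reaching `handle_result` with `mmap_locked` false still performs its own unlock.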
--
2.35.3
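The stale-vma scenario described in the commit message, as an added userspace model that is not part of the patch, the kernel, or Hugh's code: every name prefixed `model_` is an invented stand-in for `mmap_read_lock()`, `mmap_read_unlock()`, `find_vma()`, `hugepage_vma_revalidate()` and `collapse_pte_mapped_thp()`, and the "race" is a constructed munmap()+mmap() that swaps the vma whenever the lock is dropped. It runs the same two-extent loop twice, once with the pre-fix `mmap_locked = true` and once with the fix's `mmap_read_unlock(mm)`, and reports whether the second extent dereferenced the quarantined vma.

```c
/* Constructed userspace model (not kernel code) of the loop invariant behind
 * this fix: mmap_locked == true must mean "vma was (re)validated under mmap_lock
 * since it was last dropped". A model vma is never freed, only flagged stale. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define MODEL_HPAGE_SIZE 0x200000UL	/* 2 MiB extents, like HPAGE_PMD_SIZE on x86 */

struct model_vma {
	uintptr_t start, end;
	int generation;		/* bumped each time the range is unmapped and remapped */
	bool freed;		/* set instead of calling free(): the object is quarantined */
};

struct model_mm {
	struct model_vma *vma;		/* a single mapping is enough for the model */
	int next_generation, read_lock_depth;
	bool race_pending;		/* a concurrent munmap()+mmap() fires at the next unlock */
};

static void model_mmap_read_lock(struct model_mm *mm) { mm->read_lock_depth++; }

/* Dropping mmap_lock is the window in which another thread may replace the vma. */
static void model_mmap_read_unlock(struct model_mm *mm)
{
	assert(mm->read_lock_depth > 0);
	mm->read_lock_depth--;
	if (!mm->race_pending)
		return;
	struct model_vma *old = mm->vma, *repl = malloc(sizeof(*repl));
	*repl = *old;
	repl->generation = mm->next_generation++;
	old->freed = true;
	mm->vma = repl;
	mm->race_pending = false;
}

/* find_vma() stand-in; lookups are only meaningful under the lock. */
static struct model_vma *model_find_vma(struct model_mm *mm, uintptr_t addr)
{
	assert(mm->read_lock_depth > 0);
	return (addr >= mm->vma->start && addr < mm->vma->end) ? mm->vma : NULL;
}

/* As in the kernel, collapse_pte_mapped_thp() finds the vma itself from mm and addr. */
static int model_collapse_pte_mapped_thp(struct model_mm *mm, uintptr_t addr)
{
	return model_find_vma(mm, addr) ? 0 : -1;
}

/*
 * Walk [start, end) in huge-page extents; each extent's scan drops mmap_lock,
 * which is where the race fires. With buggy set, mimic the pre-fix code and set
 * mmap_locked after collapse_pte_mapped_thp() without revalidating vma. Returns
 * the generation of the vma used on the last extent, or -1 on a stale use.
 */
static int model_madvise_collapse(struct model_mm *mm, uintptr_t start,
				  uintptr_t end, bool buggy)
{
	struct model_vma *vma = NULL;
	bool mmap_locked = false;
	int last_generation = -1;
	for (uintptr_t addr = start; addr < end; addr += MODEL_HPAGE_SIZE) {
		if (!mmap_locked) {
			model_mmap_read_lock(mm);
			vma = model_find_vma(mm, addr);	/* hugepage_vma_revalidate() stand-in */
			mmap_locked = true;
		}
		if (vma->freed) {	/* the use-after-free syzbot caught */
			model_mmap_read_unlock(mm);
			return -1;
		}
		last_generation = vma->generation;
		/* The scan dropped the lock, as hpage_collapse_scan_pmd() may: vma is now suspect. */
		model_mmap_read_unlock(mm);
		mmap_locked = false;
		/* The SCAN_PMD_MAPPED arm from the hunk above. */
		model_mmap_read_lock(mm);
		if (model_collapse_pte_mapped_thp(mm, addr) != 0)
			abort();		/* cannot happen here: the range stays mapped */
		if (buggy)
			mmap_locked = true;		/* claims a revalidation that never happened */
		else
			model_mmap_read_unlock(mm);	/* the fix: flag and lock state agree */
	}
	if (mmap_locked)
		model_mmap_read_unlock(mm);
	return last_generation;
}

/* One 4 MiB mapping (two extents) with the race armed; returns the loop's result. */
static int model_run(bool buggy)
{
	struct model_vma v = { .start = 0x10000000UL, .end = 0x10000000UL + 2 * MODEL_HPAGE_SIZE };
	struct model_mm mm = { .vma = &v, .next_generation = 1, .race_pending = true };
	int ret = model_madvise_collapse(&mm, v.start, v.end, buggy);
	if (mm.vma != &v)
		free(mm.vma);	/* the replacement vma installed by the race */
	return ret;
}
```

model_run(true) reproduces the pre-fix loop and returns -1: the second extent is processed with the vma saved on the first one, which the race has already replaced. model_run(false) returns 1, the generation of the remapped vma that the restored revalidation picks up. The model quarantines rather than frees, so it shows the stale use that syzbot reported as a UAF without needing KASAN.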
Thread overview: 34+ messages
2023-07-12 4:27 [PATCH v3 00/13] mm: free retracted page table by RCU Hugh Dickins
2023-07-12 4:30 ` [PATCH v3 01/13] mm/pgtable: add rcu_read_lock() and rcu_read_unlock()s Hugh Dickins
2023-07-12 4:32 ` [PATCH v3 02/13] mm/pgtable: add PAE safety to __pte_offset_map() Hugh Dickins
2023-07-12 4:33 ` [PATCH v3 03/13] arm: adjust_pte() use pte_offset_map_nolock() Hugh Dickins
2023-07-12 4:34 ` [PATCH v3 04/13] powerpc: assert_pte_locked() " Hugh Dickins
2023-07-18 10:41 ` Aneesh Kumar K.V
2023-07-19 5:04 ` Hugh Dickins
2023-07-19 5:24 ` Aneesh Kumar K V
2023-07-21 13:13 ` Jay Patel
2023-07-23 22:26 ` [PATCH v3 04/13 fix] powerpc: assert_pte_locked() use pte_offset_map_nolock(): fix Hugh Dickins
2023-07-12 4:35 ` [PATCH v3 05/13] powerpc: add pte_free_defer() for pgtables sharing page Hugh Dickins
2023-07-12 4:37 ` [PATCH v3 06/13] sparc: add pte_free_defer() for pte_t *pgtable_t Hugh Dickins
2023-07-12 4:38 ` [PATCH v3 07/13] s390: add pte_free_defer() for pgtables sharing page Hugh Dickins
2023-07-13 4:47 ` Alexander Gordeev
2023-07-19 14:25 ` Claudio Imbrenda
2023-07-23 22:29 ` [PATCH v3 07/13 fix] s390: add pte_free_defer() for pgtables sharing page: fix Hugh Dickins
2023-07-12 4:39 ` [PATCH v3 08/13] mm/pgtable: add pte_free_defer() for pgtable as page Hugh Dickins
2023-07-12 4:41 ` [PATCH v3 09/13] mm/khugepaged: retract_page_tables() without mmap or vma lock Hugh Dickins
2023-07-12 4:42 ` [PATCH v3 10/13] mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock() Hugh Dickins
2023-07-23 22:32 ` Hugh Dickins [this message]
2023-08-03 9:17 ` Qi Zheng
2023-08-06 3:55 ` Hugh Dickins
2023-08-07 2:21 ` Qi Zheng
2023-08-06 3:59 ` [PATCH v3 10/13 fix2] mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock(): fix2 Hugh Dickins
2023-08-14 20:36 ` [BUG] Re: [PATCH v3 10/13] mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock() Jann Horn
2023-08-15 6:34 ` Hugh Dickins
2023-08-15 7:11 ` David Hildenbrand
2023-08-15 15:41 ` Hugh Dickins
2023-08-21 19:48 ` Hugh Dickins
2023-07-12 4:43 ` [PATCH v3 11/13] mm/khugepaged: delete khugepaged_collapse_pte_mapped_thps() Hugh Dickins
2023-07-23 22:35 ` [PATCH v3 11/13 fix] mm/khugepaged: delete khugepaged_collapse_pte_mapped_thps(): fix Hugh Dickins
2023-07-12 4:44 ` [PATCH v3 12/13] mm: delete mmap_write_trylock() and vma_try_start_write() Hugh Dickins
2023-07-12 4:48 ` [PATCH mm " Hugh Dickins
2023-07-12 4:46 ` [PATCH v3 13/13] mm/pgtable: notes on pte_offset_map[_lock]() Hugh Dickins