Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Liam Howlett <liam.howlett@oracle.com>
To: Carlos Llamas <cmllamas@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.com>,
	Guenter Roeck <groeck@chromium.org>,
	Douglas Anderson <dianders@chromium.org>,
	Christian Brauner <brauner@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15
Date: Tue, 13 Sep 2022 06:36:33 +0000	[thread overview]
Message-ID: <20220913063625.3hgghufytudm6x4p@revolver> (raw)
In-Reply-To: <Yx+ETrzRWGZSIq+m@google.com>

* Carlos Llamas <cmllamas@google.com> [220912 15:11]:
> On Fri, Sep 09, 2022 at 01:03:08PM -0700, Suren Baghdasaryan wrote:
> > On Fri, Sep 9, 2022 at 12:35 PM Carlos Llamas <cmllamas@google.com> wrote:
> > >
> > > Does this mean that users of async calls such as find_vma() can't rely
> > > on mmap_lock to avoid racing with remove_vma()? I see the following
> > > pattern is used quite often:
> > >
> > >         mmap_read_lock(mm);
> > >         vma = find_vma(mm, addr);
> > >         [...]
> > >         mmap_read_unlock(mm);
> > >
> > > Is this not a real concern? I'd drop the asserts from binder and call it
> > > a day. However, we would also need to fix our race with vm_ops->close().
> > 
> > I think by the time exit_mmap() calls remove_vma() there can be no
> > other user of that mm to race with, even oom-reaper would have
> > finished by then (see:
> > https://elixir.bootlin.com/linux/v5.15.67/source/mm/mmap.c#L3157).
> > So, generally remove_vma() would be done under mmap_lock write
> > protection but in case of exit_mmap() that's not necessary. Michal,
> > please correct me if I'm wrong.
> 
> I see, that makes more sense.
> 
> Then it sounds to me like binder should be using mmget_not_zero() to
> serialize against exit_mmap() during these async calls. I'll have a
> closer look at this change.
> 
> Also, we should drop the mmap_lock asserts in binder from v5.15 as the
> expectations there are incorrect. Again, this was done in [1], but for
> different reasons. We could simply amend a small note to the commit log
> with an accurate reason for the backport.
> 
> Liam, wdyt?

It sounds like the binder_alloc vma_vm_mm is being used unsafely as
well?  I'd actually go the other way with this and try to add more
validation that are optimized out on production builds.  Since binder is
saving a pointer to the mm struct and was saving the vma ponter, we
should be very careful around how we use them. Is the mutex in
binder_alloc protection enough for the vma binder buffers uses?  How is
the close() not being called before the exit_mmap() path?

When you look at the mmget_not_zero() stuff, have a look at
binder_alloc_new_buf_locked().  I think it is unsafely using the
vma_vm_mm pointer without calling mmget_not_zero(), but the calling
function is rather large so I'm not sure.


> 
> [1] https://lore.kernel.org/all/20220829201254.1814484-5-cmllamas@google.com/

next prev parent reply	other threads:[~2022-09-13  6:36 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-08 20:28 Carlos Llamas
2022-09-08 22:33 ` Suren Baghdasaryan
2022-09-09 19:35   ` Carlos Llamas
2022-09-09 20:03     ` Suren Baghdasaryan
2022-09-12 19:11       ` Carlos Llamas
2022-09-13  6:36         ` Liam Howlett [this message]
2022-09-23 20:50           ` Carlos Llamas
2022-09-28 23:21             ` Suren Baghdasaryan
2022-09-29 14:39               ` Carlos Llamas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220913063625.3hgghufytudm6x4p@revolver \
    --to=liam.howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=dianders@chromium.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@suse.com \
    --cc=surenb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox