From: Jann Horn
To: Andrew Morton
Cc: Linus Torvalds, Peter Zijlstra, Suren Baghdasaryan, Matthew Wilcox, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alan Stern, Andrea Parri, Will Deacon, Boqun Feng, Nicholas Piggin, David Howells, Jade Alglave, Luc Maranget, "Paul E. McKenney", Akira Yokosawa, Daniel Lustig, Joel Fernandes
Subject: [PATCH 0/2] fix vma->anon_vma check for per-VMA locking; fix anon_vma memory ordering
Date: Wed, 26 Jul 2023 23:41:01 +0200
Message-ID: <20230726214103.3261108-1-jannh@google.com>

Hi!

Patch 1 here is a straightforward fix for a race in per-VMA locking code that can lead to use-after-free; I hope we can get this one into mainline and stable quickly.

Patch 2 is a fix for what I believe is a longstanding memory ordering issue in how vma->anon_vma is used across the MM subsystem; I expect that this one will have to go through a few iterations of review and potentially rewrites, because memory ordering is tricky. (If someone else wants to take over patch 2, I would be very happy.)

These patches don't really belong together all that much; I'm just sending them as a series because they'd otherwise conflict.

I am CCing:

- Suren because patch 1 touches his code
- Matthew Wilcox because he is also currently working on per-VMA locking stuff
- all the maintainers/reviewers for the Kernel Memory Consistency Model so they can help figure out the READ_ONCE() vs smp_load_acquire() thing
- people involved in the previous discussion on the security list

Jann Horn (2):
  mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock
  mm: Fix anon_vma memory ordering

 include/linux/rmap.h | 15 ++++++++++++++-
 mm/huge_memory.c     |  4 +++-
 mm/khugepaged.c      |  2 +-
 mm/ksm.c             | 16 +++++++++++-----
 mm/memory.c          | 32 ++++++++++++++++++++------------
 mm/mmap.c            | 13 ++++++++++---
 mm/rmap.c            |  6 ++++--
 mm/swapfile.c        |  3 ++-
 8 files changed, 65 insertions(+), 26 deletions(-)


base-commit: 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f
-- 
2.41.0.487.g6d72f3e995-goog