Subject: Patch "mm: unconditionally close VMAs on error" has been added to the 5.15-stable tree
To: James.Bottomley@HansenPartnership.com,Liam.Howlett@oracle.com,akpm@linux-foundation.org,andreas@gaisler.com,broonie@kernel.org,catalin.marinas@arm.com,davem@davemloft.net,deller@gmx.de,gregkh@linuxfoundation.org,jannh@google.com,linux-mm@kvack.org,lorenzo.stoakes@oracle.com,peterx@redhat.com,torvalds@linux-foundation.org,vbabka@suse.cz,will@kernel.org
Date: Tue, 19 Nov 2024 15:25:03 +0100
In-Reply-To: <9ccad1c5a53af878459f32ae3efaa3d12d33e4e2.1731667436.git.lorenzo.stoakes@oracle.com>
Message-ID: <2024111903-boondocks-freeware-ab57@gregkh>


This is a note to let you know that I've just added the patch titled

    mm: unconditionally close VMAs on error

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-unconditionally-close-vmas-on-error.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


From stable+bounces-93526-greg=kroah.com@vger.kernel.org Fri Nov 15 13:39:49 2024
From: Lorenzo Stoakes
Date: Fri, 15 Nov 2024 12:38:14 +0000
Subject: mm: unconditionally close VMAs on error
To: stable@vger.kernel.org
Cc: Andrew Morton, "Liam R . Howlett", Vlastimil Babka, Jann Horn, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Linus Torvalds, Peter Xu, Catalin Marinas, Will Deacon, Mark Brown, "David S . Miller", Andreas Larsson, "James E . J . Bottomley", Helge Deller
Message-ID: <9ccad1c5a53af878459f32ae3efaa3d12d33e4e2.1731667436.git.lorenzo.stoakes@oracle.com>

From: Lorenzo Stoakes

[ Upstream commit 4080ef1579b2413435413988d14ac8c68e4d42c8 ]

Incorrect invocation of VMA callbacks when the VMA is no longer in a
consistent state is bug prone and risky to perform.

With regards to the important vm_ops->close() callback we have gone to
great lengths to try to track whether or not we ought to close VMAs.

Rather than doing so and risking making a mistake somewhere, instead
unconditionally close and reset vma->vm_ops to an empty dummy operations
set with a NULL .close operator.

We introduce a new function to do so - vma_close() - and simplify existing
vms logic which tracked whether we needed to close or not.

This simplifies the logic, avoids incorrect double-calling of the .close()
callback and allows us to update error paths to simply call vma_close()
unconditionally - making VMA closure idempotent.

Link: https://lkml.kernel.org/r/28e89dda96f68c505cb6f8e9fc9b57c3e9f74b42.1730224667.git.lorenzo.stoakes@oracle.com
Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails")
Signed-off-by: Lorenzo Stoakes
Reported-by: Jann Horn
Reviewed-by: Vlastimil Babka
Reviewed-by: Liam R. Howlett
Reviewed-by: Jann Horn
Cc: Andreas Larsson
Cc: Catalin Marinas
Cc: David S. Miller
Cc: Helge Deller
Cc: James E.J. Bottomley
Cc: Linus Torvalds
Cc: Mark Brown
Cc: Peter Xu
Cc: Will Deacon
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Lorenzo Stoakes
Signed-off-by: Greg Kroah-Hartman
---
 mm/internal.h |    7 +++++++
 mm/mmap.c     |    9 +++------
 mm/nommu.c    |    3 +--
 mm/util.c     |   15 +++++++++++++++
 4 files changed, 26 insertions(+), 8 deletions(-)

--- a/mm/internal.h +++ b/mm/internal.h
@@ -46,6 +46,13 @@ void page_writeback_init(void); */ int mmap_file(struct file *file, struct vm_area_struct *vma); +/* + * If the VMA has a close hook then close it, and since closing it might leave + * it in an inconsistent state which makes the use of any hooks suspect, clear + * them down by installing dummy empty hooks. + */ +void vma_close(struct vm_area_struct *vma); + vm_fault_t do_swap_page(struct vm_fault *vmf); void free_pgtables(struct mmu_gather *tlb, struct vm_area_struct *start_vma, --- a/mm/mmap.c +++ b/mm/mmap.c @@ -180,8 +180,7 @@ static struct vm_area_struct *remove_vma struct vm_area_struct *next = vma->vm_next; might_sleep(); - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); @@ -1877,8 +1876,7 @@ out: return addr; close_and_free_vma: - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); unmap_and_free_vma: fput(vma->vm_file); vma->vm_file = NULL; @@ -2762,8 +2760,7 @@ int __split_vma(struct mm_struct *mm, st return 0; /* Clean everything up if vma_adjust failed. */ - if (new->vm_ops && new->vm_ops->close) - new->vm_ops->close(new); + vma_close(new); if (new->vm_file) fput(new->vm_file); unlink_anon_vmas(new); --- a/mm/nommu.c +++ b/mm/nommu.c @@ -652,8 +652,7 @@ static void delete_vma_from_mm(struct vm */ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) { - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); --- a/mm/util.c +++ b/mm/util.c 
@@ -1104,6 +1104,21 @@ int mmap_file(struct file *file, struct return err; } +void vma_close(struct vm_area_struct *vma) +{ + static const struct vm_operations_struct dummy_vm_ops = {}; + + if (vma->vm_ops && vma->vm_ops->close) { + vma->vm_ops->close(vma); + + /* + * The mapping is in an inconsistent state, and no further hooks + * may be invoked upon it. + */ + vma->vm_ops = &dummy_vm_ops; + } +} + #ifdef CONFIG_PRINTK /** * mem_dump_obj - Print available provenance information Patches currently in stable-queue which might be from lorenzo.stoakes@oracle.com are queue-5.15/mm-resolve-faulty-mmap_region-error-path-behaviour.patch queue-5.15/mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch queue-5.15/mm-unconditionally-close-vmas-on-error.patch queue-5.15/mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch
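
Review bot: The comment added above the vma_close() declaration in the mm/internal.h hunk documents the hook reset but not the property the converted callers now depend on, namely that a second vma_close() on the same VMA does nothing. The commit message states it ("making VMA closure idempotent") and the error paths in mm/mmap.c are switched over on that basis, so the comment should say so too, for example with one more sentence along the lines of "Safe to call more than once; later calls are no-ops."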
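
Review bot: In the mm/util.c hunk, the assignment "vma->vm_ops = &dummy_vm_ops;" sits inside the "if (vma->vm_ops && vma->vm_ops->close)" block, so a VMA whose ops table has other hooks but no .close keeps those hooks after vma_close() returns. That agrees with the mm/internal.h comment ("If the VMA has a close hook then close it") but reads narrower than the commit message's "unconditionally close and reset vma->vm_ops". If the narrower behaviour is what is wanted, the in-function comment should say that the reset only happens when a close hook was actually run, and it would also help to note there why an empty ops table is installed instead of setting vm_ops to NULL.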