Subject: Patch "mm: unconditionally close VMAs on error" has been added to the 6.1-stable tree
To: James.Bottomley@HansenPartnership.com,Liam.Howlett@oracle.com,akpm@linux-foundation.org,andreas@gaisler.com,broonie@kernel.org,catalin.marinas@arm.com,davem@davemloft.net,deller@gmx.de,gregkh@linuxfoundation.org,jannh@google.com,linux-mm@kvack.org,lorenzo.stoakes@oracle.com,peterx@redhat.com,torvalds@linux-foundation.org,vbabka@suse.cz,will@kernel.org
Date: Tue, 19 Nov 2024 15:25:25 +0100
Message-ID: <2024111925-emit-bannister-7bff@gregkh>

This is a note to let you know that I've just added the patch titled

    mm: unconditionally close VMAs on error

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-unconditionally-close-vmas-on-error.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let know about it.

From: Lorenzo Stoakes
Date: Mon, 18 Nov 2024 16:17:26 +0000
Subject: mm: unconditionally close VMAs on error
To: stable@vger.kernel.org
Cc: Andrew Morton, "Liam R . Howlett", Vlastimil Babka, Jann Horn, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Linus Torvalds, Peter Xu, Catalin Marinas, Will Deacon, Mark Brown, "David S . Miller", Andreas Larsson, "James E . J . Bottomley", Helge Deller

From: Lorenzo Stoakes

[ Upstream commit 4080ef1579b2413435413988d14ac8c68e4d42c8 ]

Incorrect invocation of VMA callbacks when the VMA is no longer in a consistent state is bug prone and risky to perform.

With regards to the important vm_ops->close() callback, we have gone to great lengths to try to track whether or not we ought to close VMAs.

Rather than doing so and risking making a mistake somewhere, instead unconditionally close and reset vma->vm_ops to an empty dummy operations set with a NULL .close operator.

We introduce a new function to do so - vma_close() - and simplify existing vms logic which tracked whether we needed to close or not.

This simplifies the logic, avoids incorrect double-calling of the .close() callback and allows us to update error paths to simply call vma_close() unconditionally - making VMA closure idempotent.

Link: https://lkml.kernel.org/r/28e89dda96f68c505cb6f8e9fc9b57c3e9f74b42.1730224667.git.lorenzo.stoakes@oracle.com
Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails")
Signed-off-by: Lorenzo Stoakes
Reported-by: Jann Horn
Reviewed-by: Vlastimil Babka
Reviewed-by: Liam R. Howlett
Reviewed-by: Jann Horn
Cc: Andreas Larsson
Cc: Catalin Marinas
Cc: David S. Miller
Cc: Helge Deller
Cc: James E.J. Bottomley
Cc: Linus Torvalds
Cc: Mark Brown
Cc: Peter Xu
Cc: Will Deacon
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Lorenzo Stoakes
Signed-off-by: Greg Kroah-Hartman
---
 mm/internal.h | 7 +++++++
 mm/mmap.c | 12 ++++--------
 mm/nommu.c | 3 +--
 mm/util.c | 15 +++++++++++++++
 4 files changed, 27 insertions(+), 10 deletions(-)

--- a/mm/internal.h +++ b/mm/internal.h
@@ -64,6 +64,13 @@ void page_writeback_init(void); */ int mmap_file(struct file *file, struct vm_area_struct *vma); +/* + * If the VMA has a close hook then close it, and since closing it might leave + * it in an inconsistent state which makes the use of any hooks suspect, clear + * them down by installing dummy empty hooks. + */ +void vma_close(struct vm_area_struct *vma); + static inline void *folio_raw_mapping(struct folio *folio) { unsigned long mapping = (unsigned long)folio->mapping; --- a/mm/mmap.c +++ b/mm/mmap.c @@ -136,8 +136,7 @@ void unlink_file_vma(struct vm_area_stru static void remove_vma(struct vm_area_struct *vma) { might_sleep(); - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); @@ -2388,8 +2387,7 @@ int __split_vma(struct mm_struct *mm, st new->vm_start = new->vm_end; new->vm_pgoff = 0; /* Clean everything up if vma_adjust failed. */ - if (new->vm_ops && new->vm_ops->close) - new->vm_ops->close(new); + vma_close(new); if (new->vm_file) fput(new->vm_file); unlink_anon_vmas(new); @@ -2885,8 +2883,7 @@ expanded: return addr; close_and_free_vma: - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); unmap_and_free_vma: fput(vma->vm_file); vma->vm_file = NULL; @@ -3376,8 +3373,7 @@ struct vm_area_struct *copy_vma(struct v return new_vma; out_vma_link: - if (new_vma->vm_ops && new_vma->vm_ops->close) - new_vma->vm_ops->close(new_vma); + vma_close(new_vma); if (new_vma->vm_file) fput(new_vma->vm_file); --- a/mm/nommu.c +++ b/mm/nommu.c @@ -650,8 +650,7 @@ static int delete_vma_from_mm(struct vm_ */ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) { - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); --- a/mm/util.c +++ b/mm/util.c 
@@ -1121,6 +1121,21 @@ int mmap_file(struct file *file, struct return err; } +void vma_close(struct vm_area_struct *vma) +{ + static const struct vm_operations_struct dummy_vm_ops = {}; + + if (vma->vm_ops && vma->vm_ops->close) { + vma->vm_ops->close(vma); + + /* + * The mapping is in an inconsistent state, and no further hooks + * may be invoked upon it. + */ + vma->vm_ops = &dummy_vm_ops; + } +} + #ifdef CONFIG_PRINTK /** * mem_dump_obj - Print available provenance information

Patches currently in stable-queue which might be from lorenzo.stoakes@oracle.com are

queue-6.1/mm-resolve-faulty-mmap_region-error-path-behaviour.patch
queue-6.1/mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch
queue-6.1/mm-unconditionally-close-vmas-on-error.patch
queue-6.1/mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch
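
Review bot: The comment above the vma_close() declaration in the mm/internal.h hunk does not state that the function is safe to call more than once on the same VMA, which is the property every converted error path now depends on. Suggest adding a sentence saying a repeat call is a no-op because vm_ops then points at an empty operations set whose .close is NULL, so that later callers do not reintroduce their own "already closed" tracking around it.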
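
Review bot: In vma_close() in the mm/util.c hunk, the assignment vma->vm_ops = &dummy_vm_ops sits inside the if block, so a VMA whose vm_ops has no .close keeps all of its other hooks installed after the call. That agrees with the mm/internal.h comment ("If the VMA has a close hook then close it ...") but not with the commit message's "unconditionally close and reset vma->vm_ops"; please say in the in-function comment that hooks are cleared only when a close hook actually ran, or explain why the no-.close case needs no reset. Separately, dummy_vm_ops is function-local, so no other code can compare against it to recognise an already-closed VMA; a file-scope definition would be needed if any path ever has to make that test.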