From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Patch "mm: avoid unsafe VMA hook invocation when error arises on mmap hook" has been added to the 6.6-stable tree
To: James.Bottomley@HansenPartnership.com, Liam.Howlett@oracle.com, akpm@linux-foundation.org, andreas@gaisler.com, broonie@kernel.org, catalin.marinas@arm.com, davem@davemloft.net, deller@gmx.de, gregkh@linuxfoundation.org, jannh@google.com, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, peterx@redhat.com, torvalds@linux-foundation.org, vbabka@suse.cz, will@kernel.org
From:
Date: Tue, 19 Nov 2024 15:25:46 +0100
In-Reply-To: <33d70849ec62ba738ca2f8db58fe24076d5282bf.1731672733.git.lorenzo.stoakes@oracle.com>
Message-ID: <2024111946-shampoo-repose-3316@gregkh>
X-stable: commit

This is a note to let you know that I've just added the patch titled

    mm: avoid unsafe VMA hook invocation when error arises on mmap hook

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch
and it can be found in the
queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let know about it.


>From stable+bounces-93535-greg=kroah.com@vger.kernel.org Fri Nov 15 13:42:51 2024
From: Lorenzo Stoakes
Date: Fri, 15 Nov 2024 12:41:54 +0000
Subject: mm: avoid unsafe VMA hook invocation when error arises on mmap hook
To: stable@vger.kernel.org
Cc: Andrew Morton, "Liam R. Howlett", Vlastimil Babka, Jann Horn, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Linus Torvalds, Peter Xu, Catalin Marinas, Will Deacon, Mark Brown, "David S. Miller", Andreas Larsson, "James E. J. Bottomley", Helge Deller
Message-ID: <33d70849ec62ba738ca2f8db58fe24076d5282bf.1731672733.git.lorenzo.stoakes@oracle.com>
From: Lorenzo Stoakes

[ Upstream commit 3dd6ed34ce1f2356a77fb88edafb5ec96784e3cf ]

Patch series "fix error handling in mmap_region() and refactor (hotfixes)", v4.

mmap_region() is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur.

A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state.

This series goes to great lengths to simplify how mmap_region() works and to avoid unwinding errors late on in the process of setting up the VMA for the new mapping, and equally avoids such operations occurring while the VMA is in an inconsistent state.

The patches in this series comprise the minimal changes required to resolve existing issues in mmap_region() error handling, in order that they can be hotfixed and backported. There is additionally a follow up series which goes further, separated out from the v1 series and sent and updated separately.

This patch (of 5):

After an attempted mmap() fails, we are no longer in a situation where we can safely interact with VMA hooks. This is currently not enforced, meaning that we need complicated handling to ensure we do not incorrectly call these hooks.

We can avoid the whole issue by treating the VMA as suspect the moment that the file->f_ops->mmap() function reports an error by replacing whatever VMA operations were installed with a dummy empty set of VMA operations.

We do so through a new helper function internal to mm - mmap_file() - which is both more logically named than the existing call_mmap() function and correctly isolates handling of the vm_op reassignment to mm.

All the existing invocations of call_mmap() outside of mm are ultimately nested within the call_mmap() from mm, which we now replace.
It is therefore safe to leave call_mmap() in place as a convenience function (and to avoid churn). The invokers are:

	ovl_file_operations -> mmap -> ovl_mmap() -> backing_file_mmap()
	coda_file_operations -> mmap -> coda_file_mmap()
	shm_file_operations -> shm_mmap()
	shm_file_operations_huge -> shm_mmap()
	dma_buf_fops -> dma_buf_mmap_internal -> i915_dmabuf_ops -> i915_gem_dmabuf_mmap()

None of these callers interact with vm_ops or mappings in a problematic way on error, quickly exiting out.

Link: https://lkml.kernel.org/r/cover.1730224667.git.lorenzo.stoakes@oracle.com
Link: https://lkml.kernel.org/r/d41fd763496fd0048a962f3fd9407dc72dd4fd86.1730224667.git.lorenzo.stoakes@oracle.com
Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails")
Signed-off-by: Lorenzo Stoakes
Reported-by: Jann Horn
Reviewed-by: Liam R. Howlett
Reviewed-by: Vlastimil Babka
Reviewed-by: Jann Horn
Cc: Andreas Larsson
Cc: Catalin Marinas
Cc: David S. Miller
Cc: Helge Deller
Cc: James E.J. Bottomley
Cc: Linus Torvalds
Cc: Mark Brown
Cc: Peter Xu
Cc: Will Deacon
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Lorenzo Stoakes
Signed-off-by: Greg Kroah-Hartman
---
 mm/internal.h | 27 +++++++++++++++++++++++++++
 mm/mmap.c     |  4 ++--
 mm/nommu.c    |  4 ++--
 3 files changed, 31 insertions(+), 4 deletions(-)

--- a/mm/internal.h
+++ b/mm/internal.h
@@ -83,6 +83,33 @@ static inline void *folio_raw_mapping(st return (void *)(mapping & ~PAGE_MAPPING_FLAGS); } +/* + * This is a file-backed mapping, and is about to be memory mapped - invoke its + * mmap hook and safely handle error conditions. On error, VMA hooks will be + * mutated. + * + * @file: File which backs the mapping. + * @vma: VMA which we are mapping. + * + * Returns: 0 if success, error otherwise. + */ +static inline int mmap_file(struct file *file, struct vm_area_struct *vma) +{ + int err = call_mmap(file, vma); + + if (likely(!err)) + return 0; + + /* + * OK, we tried to call the file hook for mmap(), but an error + * arose. The mapping is in an inconsistent state and we most not invoke + * any further hooks on it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + + return err; +} + void __acct_reclaim_writeback(pg_data_t *pgdat, struct folio *folio, int nr_throttled); static inline void acct_reclaim_writeback(struct folio *folio) --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2779,7 +2779,7 @@ cannot_expand: } vma->vm_file = get_file(file); - error = call_mmap(file, vma); + error = mmap_file(file, vma); if (error) goto unmap_and_free_vma; @@ -2793,7 +2793,7 @@ cannot_expand: vma_iter_config(&vmi, addr, end); /* - * If vm_flags changed after call_mmap(), we should try merge + * If vm_flags changed after mmap_file(), we should try merge * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && prev)) { --- a/mm/nommu.c +++ b/mm/nommu.c @@ -896,7 +896,7 @@ static int do_mmap_shared_file(struct vm { int ret; - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); if (ret == 0) { vma->vm_region->vm_top = vma->vm_region->vm_end; return 0; 
@@ -929,7 +929,7 @@ static int do_mmap_private(struct vm_are * happy. */ if (capabilities & NOMMU_MAP_DIRECT) { - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); /* shouldn't return success if we're not sharing */ if (WARN_ON_ONCE(!is_nommu_shared_mapping(vma->vm_flags))) ret = -ENOSYS; Patches currently in stable-queue which might be from lorenzo.stoakes@oracle.com are queue-6.6/mm-resolve-faulty-mmap_region-error-path-behaviour.patch queue-6.6/mm-refactor-arch_calc_vm_flag_bits-and-arm64-mte-handling.patch queue-6.6/mm-unconditionally-close-vmas-on-error.patch queue-6.6/mm-avoid-unsafe-vma-hook-invocation-when-error-arises-on-mmap-hook.patch queue-6.6/mm-refactor-map_deny_write_exec.patch
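Review bot: in the mm/internal.h hunk, the comment inside mmap_file() has a typo, "we most not invoke" should read "we must not invoke". While touching the doc comment, it would help callers to spell out the contract the commit message relies on: once mmap_file() returns an error, vma->vm_ops points at vma_dummy_vm_ops, so ->close will never run for this VMA and anything the file's ->mmap acquired before failing is that hook's own responsibility to release.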
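Review bot: in the first mm/mmap.c hunk, the failure path `goto unmap_and_free_vma` is not shown, and after this change it will find vma->vm_ops == &vma_dummy_vm_ops instead of the ops the driver installed. Worth confirming in the code under that label that nothing still reaches for the driver's hooks (for example an explicit vm_ops->close call as part of the unwind), since the helper's whole purpose is that those hooks are no longer trustworthy after an error.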
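Review bot: in the second mm/nommu.c hunk (do_mmap_private), the `WARN_ON_ONCE(!is_nommu_shared_mapping(vma->vm_flags))` branch forces `ret = -ENOSYS` after mmap_file() has already returned success, so on that path the mapping is failed while the VMA still carries the driver's live vm_ops. If the intent is that a failed mapping never keeps working hooks, this branch should also reset vma->vm_ops to &vma_dummy_vm_ops, or the shared-mapping check should move into the helper so both error paths get the same treatment.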
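The mechanism the commit message describes, swapping the driver's vm_ops for an empty set the moment the file's ->mmap hook fails so that a later unwind cannot call into a half-initialised VMA, as an added userspace C model (not kernel code and not part of the patch; struct vma, vm_ops, drv_mmap, map_before, map_after, unwind and the scenario helpers are all constructed for illustration):

```c
/* Constructed userspace model of the pattern; struct and function names are
 * invented for illustration and are not the kernel's own. */
struct vma;
struct vm_ops { void (*close)(struct vma *); };
struct vma {
	const struct vm_ops *ops;
	int setup_done;   /* 1 once the driver's ->mmap finished its work */
	int close_calls;  /* how many times ->close ran on this VMA */
};
/* Driver ->close hook: written assuming setup_done, which a failed ->mmap never sets. */
static void drv_close(struct vma *v) { v->close_calls++; }
static const struct vm_ops drv_ops = { .close = drv_close };
static const struct vm_ops dummy_ops = { 0 };  /* stands in for vma_dummy_vm_ops */

/* Driver ->mmap hook that installs its ops early and then fails when fail != 0. */
static int drv_mmap(struct vma *v, int fail)
{
	v->ops = &drv_ops;
	if (fail)
		return -22;   /* -EINVAL: ops installed, driver state incomplete */
	v->setup_done = 1;
	return 0;
}

/* Before the fix: the error is propagated with the driver's hooks still live. */
static int map_before(struct vma *v, int fail) { return drv_mmap(v, fail); }
/* After the fix, modelled on mmap_file(): swap in empty ops before returning. */
static int map_after(struct vma *v, int fail)
{
	int err = drv_mmap(v, fail);
	if (!err)
		return 0;
	v->ops = &dummy_ops;
	return err;
}

/* Generic unwind that invokes ->close when present; returns 1 if ->close ran
 * on a VMA whose setup never completed (the unsafe case). */
static int unwind(struct vma *v)
{
	if (v->ops && v->ops->close)
		v->ops->close(v);
	return v->close_calls && !v->setup_done;
}

/* Scenario helpers returning the outcome so it can be checked, not just printed. */
static int unsafe_close_before(void) { struct vma v = {0}; map_before(&v, 1); return unwind(&v); }
static int unsafe_close_after(void)  { struct vma v = {0}; map_after(&v, 1);  return unwind(&v); }
static int close_calls_ok_path(void) { struct vma v = {0}; map_after(&v, 0);  unwind(&v); return v.close_calls; }
```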