From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D17CAE7717F
	for <linux-mm@archiver.kernel.org>; Tue, 10 Dec 2024 15:19:20 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 588036B0205; Tue, 10 Dec 2024 10:19:20 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 537836B0206; Tue, 10 Dec 2024 10:19:20 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 3FF796B0207; Tue, 10 Dec 2024 10:19:20 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 236BC6B0205
	for <linux-mm@kvack.org>; Tue, 10 Dec 2024 10:19:20 -0500 (EST)
Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id DAAEAAE888
	for <linux-mm@kvack.org>; Tue, 10 Dec 2024 15:19:19 +0000 (UTC)
X-FDA: 82879407324.21.6CF4EC1
Received: from casper.infradead.org (casper.infradead.org [90.155.50.34])
	by imf06.hostedemail.com (Postfix) with ESMTP id 3921618001A
	for <linux-mm@kvack.org>; Tue, 10 Dec 2024 15:19:00 +0000 (UTC)
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=fj55Kfpi;
	spf=none (imf06.hostedemail.com: domain of peterz@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=peterz@infradead.org;
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1733843934;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=k0faFFEYVoBv9xcNQAGoF2CE+4Y2G63vAsBhrti6hWA=;
	b=YXQ6JpfEy5mg+HbG42lkW+s2vsjvc5gA0bZ/a8/DIoOcGonZtzB/urdClGTWP6PoL2S+ht
	TZZN1xhqLU1S5WVym93dg6HV+kNpBJ6sU1uF8KL6t5XX7f4mRXyoqOByzXkpwf/88cffT0
	nW8v0GWFhWGytI+6Jc/7oZVjzkkPd3Y=
ARC-Authentication-Results: i=1;
	imf06.hostedemail.com;
	dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=fj55Kfpi;
	spf=none (imf06.hostedemail.com: domain of peterz@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=peterz@infradead.org;
	dmarc=none
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1733843934; a=rsa-sha256;
	cv=none;
	b=CVD8prMBZTxJ9MVai0OG3Gr1EuL1O7c4wz8Y8ZQ3PM9QByHG+8a1Wzjrf1m3sb8Wq4OyrP
	bRp04gw8EZgaTToWYJnEQnoxzruhjGSHboekyPhqJZj3wl7x2Qtcbgf4RsNbwqPYT2KzJe
	cs61sbWMqB+tQsZoQ8t2QLZBWHCLCE8=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version:
	References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description;
	bh=k0faFFEYVoBv9xcNQAGoF2CE+4Y2G63vAsBhrti6hWA=; b=fj55KfpiM0zkYOHH7CHnZEjGAk
	HedwhOG1es1tNJjEPoPJ1L6aImbPVR7mKcxzuo581jHwGd19yPa4p3+xfIfavEk6PaMdJz0gm743m
	7FRnX1en86fdVvKZlD7IqPs4UBJ93Ao2fXR2tWE0iIGdb/DIwD8ngUL4Zq+L0R2NrVpQ9HpZirE4R
	fkA7adfksP0+1LN6wZB+IXyzY72hJZEToCvVk3s7FEv6z6X9LewoX6tBp6iz8Bj42fBtoO7IqyQ3W
	e3un8CzuRGQac+UWk0s4+cP9I6DZQ9a8RkDwJTPkYKcJNCNR223JxBcec/1KQqJ/xDGMnm9qhtCtW
	IXs2KigQ==;
Received: from 77-249-17-89.cable.dynamic.v4.ziggo.nl ([77.249.17.89] helo=noisy.programming.kicks-ass.net)
	by casper.infradead.org with esmtpsa (Exim 4.98 #2 (Red Hat Linux))
	id 1tL20s-0000000A3eJ-0wQQ;
	Tue, 10 Dec 2024 15:19:02 +0000
Received: by noisy.programming.kicks-ass.net (Postfix, from userid 1000)
	id 9BFEE300402; Tue, 10 Dec 2024 16:18:59 +0100 (CET)
Date: Tue, 10 Dec 2024 16:18:59 +0100
From: Peter Zijlstra <peterz@infradead.org>
To: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>, mhiramat@kernel.org,
	oleg@redhat.com, Jann Horn <jannh@google.com>,
	syzbot <syzbot+2d788f4f7cb660dac4b7@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, vbabka@suse.cz
Subject: Re: [syzbot] [mm?] general protection fault in
 find_mergeable_anon_vma
Message-ID: <20241210151859.GW35539@noisy.programming.kicks-ass.net>
References: <4d05caee-d900-42e5-84e1-448cc62435b2@lucifer.local>
 <emgf7rbacg4jqsnyg2mgmlbbeehc34o33fpnkmlaghb3xynzjx@gmldlwjliwiv>
 <c946c9d2-aff3-4492-99d1-d50e6e2659f6@lucifer.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <c946c9d2-aff3-4492-99d1-d50e6e2659f6@lucifer.local>
X-Rspamd-Server: rspam06
X-Rspamd-Queue-Id: 3921618001A
X-Rspam-User: 
X-Stat-Signature: ubtxxqsdhtszq8xri9kcb4xp3wr6uiaz
X-HE-Tag: 1733843940-26215
X-HE-Meta: U2FsdGVkX1/cZtrKASjLMHczffdW1VQ3FpGMbUHjmppML7LK5TaJAsDtEJ3Vez6T4AbwCH3kKGTZg1oRM9qoW6jtILm2/pM1apRkgLKzzfvmJR5wpDLcxcfQNdRq76dLkgzdWCPpgg+kxAZOzKGV780+YrBdFB3WSf9evZCJl7hKOPIfxvHE0T2Z/4BAALs3FhOuVzvxVRQvucWMgbGeURJCELWKSZc0j/CrbXESw1PrObhgjs3H0u9T/LHF5p/PM/jajNPz8nU7KcRW/Q2rlkcGX1EqI+GcXyrI8EgBMrQcF+URyCty/+wf64VvpBk6/zy/Irx6HXWJ2/UbJAAqw36uGbtVnfKbxXkEw96lwoH04oBoKP52PAP84AFtGXCepLjOsBhAJaNY2Oh+Eii2e5VGOVS2/QfKNoXTSPrbyfrehSONQp11rnkK9QuIQY8BARXBAxoZlrH4PW/kuFO/YACARApOkvE5dXIAkUdRKTKGByStziYRged3ZlI+jawvtXIdz7Jwwz1GYBh8dNZaoz0UAuWF3xre2EsuwHuA85JuAwddeqwrY1jxn9m9pg+FqVTiAuqwF9rRQwVD0h460W0Wys1zp3n7nVwyd1xhGxU2LFTWMEThIjoxVU0pUg+ozawn5VJqEq6JS9/dy+oZdNOzEXG7S779EFvJEG/sZZmPbylG821yJu/zBDZ/5gRgPeDC8XhJnj6Y3lkGj+1oNT40pEupukzsHVY4Xa3OfSQh1HpWaTVVTnPR5TbaUV0s4AIGFPiGqvzIUailioos1cZbPKM2QfR1trN/jjdlbpL6OdX05je9d0REfhcWdJumPNsq50B67/G7O349XxaI7ldHI7WGxznLS9NFlDRARlhbPqf3EUHNu0ZaVzgvpJ88DnebHLFppAh0VioFcrhHkSt2AlB77GxyfMrnRiaQ9ordOptBnIbkkZ5n/4gUVg6rpktiesq7U2nzGnp158R
 UR/iXTTO
 zYqmbcMlVKtxW1F3jUQJjBUBNK8sIEfQsGokZnO3/2RwsoCNmGgUIxUJ9mrFz/rvqyQiIQVixoBtOEVODlRCeH/pINYHMyl7JbroS+a/U+GyHRq8scCrOjwYKjCy6NdzYBnEWRp5JuYI0kjfKiUz8M68o9FWFksCOKsegPyAOr1TGqw5oDebTooO933bIShu2N7c//rG+lHjfmyaqesHyYyRY/faloPB1eEmdL6OLAzqLHJlAcGGrQtyqonC8urVOXKBlCqQFyHGSoEzTtzizfC10ZquT8pG6loYlanLYrnHKMx3auiCOQlUtBjo7iVYvMJPLhPOpm7Ry47QH32MaLOnL9B8VbtmD00Jkf+EdJFTKyXvwYxK+Hidc1sXrsK9ZPKX4hs/1xHVSLi1zEl5lBqAZrQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Mon, Dec 09, 2024 at 05:09:13PM +0000, Lorenzo Stoakes wrote:
> On Mon, Dec 09, 2024 at 11:12:52AM -0500, Liam R. Howlett wrote:
> > +Cc maintainers listed of kernel/events/uprobe.c
> >
> > TL;DR:
> > dup_mmap() fails, but uprobe thinks it's fine and keeps trying to use an
> > incomplete mm_struct.
> >
> > We're looking for a way to signal to uprobe to abort, cleanly.
> >
> > Looking at kernel/fork.c, dup_mmap():
> >
> > fail_uprobe_end:
> >         uprobe_end_dup_mmap();
> >         return retval;
> >
> > So uprobe is aware it could fail, but releases the semaphore and then
> > doesn't check if the mm struct is okay to use.
> >
> > What should happen in the failed mm_struct case?
> >
> > Thanks,
> > Liam
> >
> 
> (As discussed on IRC) how about moving up the dup_mmap_sem lock one level, we
> can put the mm before the rmap lookup in build_map_info() is able to find it,
> which should avoid the whole issue?
> 
> Untested patch attached.

Urgh, bit of a maze this. So BPF does a uprobe_register(), which walks
rmap and finds an incomplete mm.

uprobe_{start,end}_dup_mmap() serialize uprobe_register(), but are too
narrow to cover the whole fail case.

So *bang* happens.

The below moves this serialization up to cover the whole of dup_mmap(),
such that register can no longer find partial mm's in the rmap.

Which will cure problem, but it does leave me uncomfortable vs other
rmap users.

Also, you need to fix fail_uprobe_end label, that's left dangling as is.

> ----8<----
> From 629b04fe8cfdf6b4fad0ff91a316d4643ccd737d Mon Sep 17 00:00:00 2001
> From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Date: Mon, 9 Dec 2024 16:58:14 +0000
> Subject: [PATCH] tmp
> 
> ---
>  kernel/fork.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 1450b461d196..4d62e776c413 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -639,7 +639,6 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
>  	LIST_HEAD(uf);
>  	VMA_ITERATOR(vmi, mm, 0);
> 
> -	uprobe_start_dup_mmap();
>  	if (mmap_write_lock_killable(oldmm)) {
>  		retval = -EINTR;
>  		goto fail_uprobe_end;
> @@ -783,7 +782,6 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
>  	else
>  		dup_userfaultfd_fail(&uf);
>  fail_uprobe_end:
> -	uprobe_end_dup_mmap();
>  	return retval;
> 
>  fail_nomem_anon_vma_fork:
> @@ -1692,9 +1690,11 @@ static struct mm_struct *dup_mm(struct task_struct *tsk,
>  	if (!mm_init(mm, tsk, mm->user_ns))
>  		goto fail_nomem;
> 
> +	uprobe_start_dup_mmap();
>  	err = dup_mmap(mm, oldmm);
>  	if (err)
>  		goto free_pt;
> +	uprobe_end_dup_mmap();
> 
>  	mm->hiwater_rss = get_mm_rss(mm);
>  	mm->hiwater_vm = mm->total_vm;
> @@ -1709,6 +1709,7 @@ static struct mm_struct *dup_mm(struct task_struct *tsk,
>  	mm->binfmt = NULL;
>  	mm_init_owner(mm, NULL);
>  	mmput(mm);
> +	uprobe_end_dup_mmap();
> 
>  fail_nomem:
>  	return NULL;
> --
> 2.47.1