From: Peter Xu
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: Mike Rapoport, James Houghton, David Hildenbrand, Suren Baghdasaryan, Axel Rasmussen, Andrew Morton, peterx@redhat.com, linux-stable, Andrea Arcangeli
Subject: [PATCH 1/2] mm/userfaultfd: Fix uninitialized output field for -EAGAIN race
Date: Thu, 24 Apr 2025 17:57:28 -0400
Message-ID: <20250424215729.194656-2-peterx@redhat.com>
In-Reply-To: <20250424215729.194656-1-peterx@redhat.com>
References: <20250424215729.194656-1-peterx@redhat.com>

While discussing some userfaultfd-relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s.

Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking the UFFDIO_COPY ioctl as an example):

  The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code).
  In turn there's no alteration to backwards compatibility as a result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometimes -EAGAIN and sometimes uninitialized.

  Even then the change only can make a difference to non-cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner.

Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that were introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way:

- UFFDIO_CONTINUE
- UFFDIO_POISON
- UFFDIO_MOVE

This patch should have fixed all of them.

Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl")
Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl")
Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
Cc: linux-stable
Cc: Mike Rapoport
Cc: Axel Rasmussen
Cc: Suren Baghdasaryan
Reported-by: Andrea Arcangeli
Suggested-by: Andrea Arcangeli
Signed-off-by: Peter Xu
---
 fs/userfaultfd.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, 
@@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */ -- 2.48.1
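Review bot: In the userfaultfd_copy hunk (@@ -1585), the put_user() of ret into user_uffdio_copy->copy now happens before the request struct has been read with copy_from_user(), so the kernel writes to the user buffer before validating anything else; that is acceptable on this path because the handler leaves via `goto out` either way, and a bad pointer is caught by put_user() failing and the new `return -EFAULT;`, which mirrors the `ret = -EFAULT; if (copy_from_user(...))` sequence right below it. It would help reviewers and backporters if the commit message spelled out the resulting contract explicitly: on the mmap_changing path the syscall result (ret, still -EAGAIN at `goto out`) and the copy field now always agree, which is what userspace can rely on after this patch.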
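Review bot: The block added in userfaultfd_zeropage (@@ -1641) is identical to the one in userfaultfd_copy apart from the output field name (zeropage instead of copy), and the same five lines are repeated in the three handlers below. Given that the commit message attributes the bug to every ioctl introduced after df2cc96e7701 copying the original early-out pattern, consider factoring the "store -EAGAIN into the result field, then bail" step into one small helper that takes the __user pointer to the result field, so that the next ioctl cannot forget the write; a follow-up cleanup is fine if the stable backport should stay minimal.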
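Review bot: For the userfaultfd_continue hunk (@@ -1744), the commit message cites the man page and the in-source documentation as the reference for the copy field, but UFFDIO_CONTINUE reports through `mapped`, and the later ioctls through `updated` and `move`. Please either list the per-ioctl output fields (copy, zeropage, mapped, updated, move) in the commit message or send a companion documentation update stating that each of these fields is written with -EAGAIN when the ioctl fails with -EAGAIN, so that the guarantee this patch creates is actually documented for the newer ioctls and not only implied by analogy with UFFDIO_COPY.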
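Review bot: In the userfaultfd_poison hunk (@@ -1801) the only behavioural change is the put_user() of ret into `updated`; wrapping atomic_read(&ctx->mmap_changing) in unlikely() is an unrelated micro-optimisation that this patch applies in all five hunks. For a change carrying four Fixes: tags and a Cc to linux-stable, keeping the diff limited to the bug fix (or at least mentioning the unlikely() annotations in the commit message) would make the stable backport easier to review and reduce the chance of context conflicts on older branches.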
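Review bot: The userfaultfd_move hunk (@@ -1870) replaces a direct `return -EAGAIN;` with `ret = -EAGAIN; ... goto out;`, matching the other handlers, but the visible context shows neither the `out:` label of userfaultfd_move nor a `ret = -EFAULT;` before the following copy_from_user() (the other four handlers have one). Please confirm that `ret` is declared in this function, that `out:` there simply returns ret, and that it does no work the old early return deliberately skipped; otherwise the control-flow change does more than add the missing write to `move`.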
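As an added illustration that is not part of this patch or of the kernel tree: the userspace side of the contract the commit message describes for UFFDIO_COPY. The client zeroes the request struct before every call (the explicit initialisation Andrea says applications were forced to do on unfixed kernels) and then decides from the ioctl return value and the copy field whether the range is done, whether a partial fill should be advanced and retried, or whether the mmap_changing race produced no progress at all. The enum, uffd_copy_classify() and uffd_copy_range() are names chosen here; struct uffdio_copy and UFFDIO_COPY are the real uAPI definitions from <linux/userfaultfd.h>. The outcomes fed to uffd_copy_classify() in main() are constructed values, not captured from a kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/userfaultfd.h>

/* Outcome of one UFFDIO_COPY attempt, derived from the ioctl() result and
 * the struct's output field the way a userspace client must read them. */
enum uffd_copy_step {
    UFFD_COPY_DONE,           /* whole range filled */
    UFFD_COPY_RETRY_PARTIAL,  /* EAGAIN with copy > 0: advance and retry */
    UFFD_COPY_RETRY_NONE,     /* EAGAIN with no progress (mmap_changing race) */
    UFFD_COPY_ERROR           /* any other failure */
};

/* rc/err: ioctl() return value and errno; copy: uffdio_copy.copy after the
 * call; len: requested length.  *done receives the bytes reported filled. */
enum uffd_copy_step
uffd_copy_classify(int rc, int err, int64_t copy, uint64_t len, uint64_t *done)
{
    *done = 0;
    if (rc == 0) {
        *done = len;
        return UFFD_COPY_DONE;
    }
    if (err != EAGAIN)
        return UFFD_COPY_ERROR;
    /* EAGAIN: only the copy field tells whether anything was filled. */
    if (copy > 0) {
        if ((uint64_t)copy > len)
            return UFFD_COPY_ERROR;   /* more than requested: inconsistent */
        *done = (uint64_t)copy;
        return *done == len ? UFFD_COPY_DONE : UFFD_COPY_RETRY_PARTIAL;
    }
    /* copy == -EAGAIN on kernels with this fix, or still the 0 we stored
     * before the call on kernels whose mmap_changing path never wrote the
     * field: either way nothing was filled, so the whole request is retried. */
    return UFFD_COPY_RETRY_NONE;
}

/* Fill [dst, dst+len) from src via uffd, following partial fills and
 * retrying bounded mmap_changing races.  Returns 0, or -1 with errno set. */
int uffd_copy_range(int uffd, uint64_t dst, uint64_t src, uint64_t len,
                    unsigned int max_retries)
{
    while (len > 0) {
        struct uffdio_copy req;
        uint64_t done;
        int rc, err;

        /* Zero the whole struct so req.copy is deterministic on every
         * kernel, fixed or not (the workaround the commit message mentions). */
        memset(&req, 0, sizeof(req));
        req.dst = dst;
        req.src = src;
        req.len = len;

        rc = ioctl(uffd, UFFDIO_COPY, &req);
        err = rc ? errno : 0;

        switch (uffd_copy_classify(rc, err, req.copy, len, &done)) {
        case UFFD_COPY_DONE:
            return 0;
        case UFFD_COPY_RETRY_PARTIAL:
            dst += done;
            src += done;
            len -= done;
            break;
        case UFFD_COPY_RETRY_NONE:
            if (max_retries-- == 0) {
                errno = EAGAIN;
                return -1;
            }
            break;
        case UFFD_COPY_ERROR:
            errno = err;
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed outcomes for the EAGAIN shapes a client can observe. */
    struct { int rc, err; int64_t copy; uint64_t len; } samples[] = {
        { -1, EAGAIN, 4096,    8192 },  /* partial progress */
        { -1, EAGAIN, -EAGAIN, 8192 },  /* mmap_changing, kernel with this fix */
        { -1, EAGAIN, 0,       8192 },  /* mmap_changing, pre-fix kernel, pre-zeroed */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t done;
        int step = uffd_copy_classify(samples[i].rc, samples[i].err,
                                      samples[i].copy, samples[i].len, &done);
        printf("copy=%lld -> step %d, %llu bytes done\n",
               (long long)samples[i].copy, step, (unsigned long long)done);
    }
    return 0;
}
```

The same classification applies to the other four ioctls named in the commit message, with their own output fields (zeropage, mapped, updated, move) in place of copy. Zeroing the struct is what makes the pre-fix and post-fix kernels indistinguishable to this client: both leave it with "no progress", which is exactly the deterministic behaviour the patch now provides without the workaround.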