From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D614C5B543 for ; Wed, 4 Jun 2025 12:38:58 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 2BD958D0018; Wed, 4 Jun 2025 08:38:58 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 294EC8D0007; Wed, 4 Jun 2025 08:38:58 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 15C078D0018; Wed, 4 Jun 2025 08:38:58 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id E5D548D0007 for ; Wed, 4 Jun 2025 08:38:57 -0400 (EDT) Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id 9501A5BC84 for ; Wed, 4 Jun 2025 12:38:57 +0000 (UTC) X-FDA: 83517672714.26.4BA4A0D Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) by imf29.hostedemail.com (Postfix) with ESMTP id AD4EF120004 for ; Wed, 4 Jun 2025 12:38:55 +0000 (UTC) Authentication-Results: imf29.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazoncorp2 header.b=ODZWi0KT; spf=pass (imf29.hostedemail.com: domain of "prvs=243efc650=acsjakub@amazon.de" designates 52.95.49.90 as permitted sender) smtp.mailfrom="prvs=243efc650=acsjakub@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1749040735; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=QB2tbGuwmI6AHcPbvKEwX83qrUu7uj2dcJ4E09VP1iE=; b=tNm0LwCocZJNfQmZLQ+M2LGTuNpiHt1gnOTi29XB0457dFuApNkGSts7UMnYY0vMCPAgQW 4uxTlitbqioXH9jdRbG/Emub77TpeslWo/NXMnU/CIvkz7MqANdy6F3TwRLA2OhyLQlJH5 53iUTzgHsBzBYFZ29qxsq7wIpxvJuC8= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazoncorp2 header.b=ODZWi0KT; spf=pass (imf29.hostedemail.com: domain of "prvs=243efc650=acsjakub@amazon.de" designates 52.95.49.90 as permitted sender) smtp.mailfrom="prvs=243efc650=acsjakub@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1749040735; a=rsa-sha256; cv=none; b=qQa+wMoYpQ8pU3lpJ18W+LhbjFLbi/uBzTE1qtVi14d9xKrNQjkJDMSl1/JhWeBnm+x77p 11WXS7u9K2UV6DGqtza9iyDV1Vf6dodOvdVIz6Flw2h1oOoNNOeIOt20l4iFWVKONn+DnO DozH/zUB+Uf3oe/ysuIaO1E5fBGjRec= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazoncorp2; t=1749040735; x=1780576735; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=QB2tbGuwmI6AHcPbvKEwX83qrUu7uj2dcJ4E09VP1iE=; b=ODZWi0KTLRi0mH2D3oP0ZOlP0DDxl5c7mdvLsu/YLMoEgaktRUurB4GU v5gMoWPyB2tQhSEeR4vkHzkZoNYAj41s8e/MzpeCyDkWye7flKeehEo39 aSdkkxwpy6ppnm3NjqHap4HFZ/ZPa4pU5vdYHWMTgYAJebxWhZ0dUebCk nGoQSbmxDy9feAgPp7ZgbQZTmVuNPOMRlMeRU9cbyWyTnlmhCg/MpGG/O yWy5rkQmEvNjwRSqEZeDFVOit33wrIfNHOac4ci/b1eaiiGBLf8+wsjbI QGtoq0CJgCkeOI9WO1NwxD9W5nHxLKk1CIdVsohsEbkuRbqteLjR3/ZDw g==; X-IronPort-AV: E=Sophos;i="6.16,209,1744070400"; d="scan'208";a="505907041" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2025 12:38:50 +0000 Received: from EX19MTAEUA001.ant.amazon.com [10.0.17.79:52925] by smtpin.naws.eu-west-1.prod.farcaster.email.amazon.dev [10.0.8.118:2525] with esmtp (Farcaster) id 431190b7-a98a-4e45-9f87-8492c13c1c06; Wed, 4 Jun 2025 12:38:49 +0000 (UTC) X-Farcaster-Flow-ID: 431190b7-a98a-4e45-9f87-8492c13c1c06 Received: from EX19D019EUB003.ant.amazon.com (10.252.51.50) by EX19MTAEUA001.ant.amazon.com (10.252.50.192) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1544.14; Wed, 4 Jun 2025 12:38:46 +0000 Received: from dev-dsk-acsjakub-1b-6f9934e2.eu-west-1.amazon.com (172.19.75.107) by EX19D019EUB003.ant.amazon.com (10.252.51.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1544.14; Wed, 4 Jun 2025 12:38:43 +0000 From: Jakub Acs To: CC: , Peter Xu , Mark Rutland , Lorenzo Stoakes , "Liam R. Howlett" , "Mike Rapoport (IBM)" , Andrew Morton , Jakub Acs , Subject: [PATCH 6.1] Mm/uffd: fix vma operation where start addr cuts part of vma Date: Wed, 4 Jun 2025 12:38:30 +0000 Message-ID: <20250604123830.61771-1-acsjakub@amazon.de> X-Mailer: git-send-email 2.47.1 MIME-Version: 1.0 X-Originating-IP: [172.19.75.107] X-ClientProxiedBy: EX19D038UWB002.ant.amazon.com (10.13.139.185) To EX19D019EUB003.ant.amazon.com (10.252.51.50) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Rspamd-Server: rspam01 X-Rspamd-Queue-Id: AD4EF120004 X-Stat-Signature: nbwrgttobz8rwpfs3z3o4bpm6rbkmanf X-Rspam-User: X-HE-Tag: 1749040735-285878 X-HE-Meta: U2FsdGVkX19uKHs5MyhMhHkE6ZJ0ITTb++XU2iuTgKsPuBygN6SbgxAoZ7GUlqIA88Wx1MiW4sbqTBI8GV7ppr0tGqibiyv1qIM0TRWJV45ys5ylKwY9Pbg3uUOnIngip4P4UKvCOS0hUZFuipzAPq7Aexgu3jC9yvWskwE9+BQpTTrCrU/hwLQzarhAb06dNSxaNRTWrj7Xd4ZkU46j4bqY5THboDEfnPTU/20KqiWP7lXaBbhdSIb1T00WYnBHLvEsy7nQfgnkXTpCip5auhbccO/kB/nUotrZVGExrGINSVNGfBvdXH6gW+lp38u1jPltNpcC3g3kRatTDNCB2mQ28RyQekHGvMjchVUsudKxOf1+8cxndNKnDNduQiKajL2sntoSm9I07WJvhA5xEFQOlGJq2In6vuKiQ0cqzadCRmQ3RcBXpnlpGPsMDgOilp5LLVDoazcHr2baNw/glrW9117JUWW1sLid/yeFzNs24JJ984YMDWTiv/fECOkkLKaSoNiy9bvxwL/tbNPuCWZpp9wPEufqnMuKQBgP4qTA8Nx12120y9+QPTB1xlADMHvtwPUFTbCquc+bJDefTvIE2d325p2bdgRyNsds864tU59tyVEUk8my2ZNvcHlj8J6ry1Lyal1BNgCduLNm1M4Id7kAafuwmRta5n9w0C0FiU9VL3ojdrwOrwnF2JvSFTbBli31n56mQNeKfaqyjX4CYcYiwceCXezAOx9uPHCQXvxbWqNip7w5Kcns6C+3ZpclLSWRp0Jfnf+LatJzVoXIBtyTO8pOE6GwiyOJRBPT1RnaQHYAU2hXb1ESbS0lZEFB0IWtj81w2Goi71SsczW7xp9w3jbb1JQpYWRNdoMfJlg3XfPtNAbbeEcP5Xmh0H2NMDPCM5BZMe+UNG+UCefOjvGLEHfYQOQpCb6VuFOatgZHWphjFa1tpajD9JOxIKkqfRKeJbJ0oDhRUjR CHYxT7SH FQw1ZLrQicTvc2nAsGMPZMTx8H8OAvnX1jWIiMhu1T8klitViNjfUiGH9pDPDLz3X/tO+fB+V7asHJayUP0vztu1bwuQC0fMGJo2a8JBlVS+w+O7xn+JoKdHRGRf+qgQc23PuqJUyK4aGEM9X9me6z0AsxGhAgXChtXQfErDtO78aDQtbIgBAlHukKO5D8fWKhvH5jI791eFJEEpHLw9c6iVA6/7IrYU8lpLZxNQRjVsNYnhgl5KsRvtNcNOlXT/tHB9f1TKnaWIueLbgkW31rwDdnAT9Z75nVwBLiTcXsqvjd1xfsKzC5cDK1kZTc9mFD0IG0z52AcBEi5H/ktdG7U8wJ2YPHGkUHMdHkXtj1YW5IXHkN/BaWZh+nOhvIGFNxLv149XuYZ4U3FXilEIZhJzfg6d2JU3n7Wpz9cHM+ChLzqxrlofSFMvInZbdyIS4piiLQwYob5XfUKUxX3VARnrWyQtRp8CLV/2EjRzpcziIjFnAsHf08I+a3xb/y1P3X1VrQnvps3tXM4brL33BKgyvfZaUijZqixaxuEEDTRXiSxxidFvdxMQhPQzyybo3o8jjw2QFvnGj9qK4GXHBY2rGOfzkIu0NnwraOl8nvDyuPopZbAu7ReV+iCBZtytB7HSO8E8njoHWi4KELjIFaWu/aGTeIRA1wSZNLKQ0s8jR9vH0CcWdRjq7WboCfUS6NRadpkac0qMYa7V3LS0JuwoUAJnNEx/HkQacPGFEDeaMfQwhlmNJPhpVZ02qPRYnowPU4upLP531QEmFMHK2n8ML1poITPaQd/10NO092oPVchhCUj8q1pSTCmacck0kpB9RrGKvnJOV1IEqeSWG6GBRUw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream. Patch series "mm/uffd: Fix vma merge/split", v2. This series contains two patches that fix vma merge/split for userfaultfd on two separate issues. Patch 1 fixes a regression since 6.1+ due to something we overlooked when converting to maple tree apis. The plan is we use patch 1 to replace the commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring uffd vma operations back aligned with the rest code again. Patch 2 fixes a long standing issue that vma can be left unmerged even if we can for either uffd register or unregister. Many thanks to Lorenzo on either noticing this issue from the assert movement patch, looking at this problem, and also provided a reproducer on the unmerged vma issue [1]. [1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e This patch (of 2): It seems vma merging with uffd paths is broken with either register/unregister, where right now we can feed wrong parameters to vma_merge() and it's found by recent patch which moved asserts upwards in vma_merge() by Lorenzo Stoakes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ It's possible that "start" is contained within vma but not clamped to its start. We need to convert this into either "cannot merge" case or "can merge" case 4 which permits subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA will be clamped to the start. This patch will eliminate the report and make sure vma_merge() calls will become legal again. One thing to mention is that the "Fixes: 29417d292bd0" below is there only to help explain where the warning can start to trigger, the real commit to fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the issue, but unfortunately we may want to keep it in Fixes too just to ease kernel backporters for easier tracking. Link: https://lkml.kernel.org/r/20230517190916.3429499-1-peterx@redhat.com Link: https://lkml.kernel.org/r/20230517190916.3429499-2-peterx@redhat.com Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") Signed-off-by: Peter Xu Reported-by: Mark Rutland Reviewed-by: Lorenzo Stoakes Reviewed-by: Liam R. Howlett Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ Cc: Lorenzo Stoakes Cc: Mike Rapoport (IBM) Cc: Liam R. Howlett Cc: Signed-off-by: Andrew Morton Signed-off-by: Jakub Acs [acsjakub: contextual change - keep call to mas_next()] Cc: linux-mm@kvack.org --- This backport fixes a security issue - dangling pointer to a VMA in maple tree. Omitting details in this message to be brief, but happy to provide if requested. Since the envelope mentions series fixes 2 separate issues I hope the patch is acceptable on its own? fs/userfaultfd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 82101a2cf933..fcf96f52b2e9 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1426,6 +1426,9 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, if (prev != vma) mas_next(&mas, ULONG_MAX); + if (vma->vm_start < start) + prev = vma; + ret = 0; do { cond_resched(); @@ -1603,6 +1606,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, if (prev != vma) mas_next(&mas, ULONG_MAX); + if (vma->vm_start < start) + prev = vma; + ret = 0; do { cond_resched(); -- 2.47.1 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597