From: "Liam R. Howlett"
To: Jann Horn
Cc: Andrew Morton, Lorenzo Stoakes, Linux-MM, kernel list, Suren Baghdasaryan, Matthew Wilcox, Vlastimil Babka, Sidhartha Kumar, Bert Karwatzki, Jiri Olsa, Kees Cook, "Paul E. McKenney", Jeff Xu, Seth Jenkins
Subject: Re: [BUG] page table UAF, Re: [PATCH v8 14/21] mm/mmap: Avoid zeroing vma tree in mmap_region()
Date: Fri, 11 Oct 2024 10:26:24 -0400
Message-ID: <2rdgyyn36yn7ey5oopynmkerpfx4ghdazhgwh7p53z7oaf646h@7hahj6yyowgv>
References: <20240830040101.822209-1-Liam.Howlett@oracle.com> <20240830040101.822209-15-Liam.Howlett@oracle.com>

* Jann Horn [241008 13:16]:
...
> > > > > 
> > > > > task 1 (mmap, MAP_FIXED)        task 2 (ftruncate)
> > > > > ========================        ==================
> > > > > mmap_region
> > > > >   vma_merge_new_range
> > > > >     vma_expand
> > > > >       commit_merge
> > > > >         vma_prepare
> > > > >           [take rmap locks]
> > > > >         vma_set_range
> > > > >           [expand adjacent mapping]
> > > > >         vma_complete
> > > > >           [drop rmap locks]
> > > > >   vms_complete_munmap_vmas
> > > > >     vms_clear_ptes
> > > > >       unmap_vmas
> > > > >         [removes ptes]
> > > > >       free_pgtables
> > > > >         [unlinks old vma from rmap]
> > > > >                                 unmap_mapping_range
> > > > >                                   unmap_mapping_pages
> > > > >                                     i_mmap_lock_read
> > > > >                                     unmap_mapping_range_tree
> > > > >                                       [loop]
> > > > >                                         unmap_mapping_range_vma
> > > > >                                           zap_page_range_single
> > > > >                                             unmap_single_vma
> > > > >                                               unmap_page_range
> > > > >                                                 zap_p4d_range
> > > > >                                                   zap_pud_range
> > > > >                                                     zap_pmd_range
> > > > >                                                       [looks up pmd entry]
> > > > >         free_pgd_range
> > > > >           [frees pmd]
> > > > >                                                       [UAF pmd entry access]
> > > > > 
> > > > > To reproduce this, apply the attached mmap-vs-truncate-racewiden.diff
> > > > > to widen the race windows, then build and run the attached reproducer
> > > > > mmap-fixed-race.c.
> > > > > 
> > > > > Under a kernel with KASAN, you should ideally get a KASAN splat like this:
> > > > ...
> 
> Or you could basically unmap the VMA while it is still in the VMA tree
> but is already locked and marked as detached? So first you do
> unmap_vmas() and free_pgtables() (which clears the PTEs, removes the
> rmap links, and deletes page tables), then prepare the new VMAs, and
> then replace the old VMA's entries in the VMA tree with the new
> entries? I guess in the end the result would semantically be pretty
> similar to having markers in the maple tree.
> 

After trying a few other methods, I ended up doing something like you
said above. I already had to do this if call_mmap() was to be used, so
the code change isn't that large. Doing it unconditionally on MAP_FIXED
seems like the safest plan.

The other methods were unsuccessful due to the locking order that exists
in fsreclaim and other areas. Basically, the vma tree will not see a
gap, but the rmap will see a gap.

Unfortunately this expands the number of failures which cannot be undone
with my design, but still fewer than existed before. Most errors will
generate the historic vma gap, sadly.

Thanks,
Liam