From: David Hildenbrand <david@redhat.com>
Date: Tue, 6 Aug 2024 18:37:55 +0200
Subject: Re: Warning on mremapped uffd-wp memory
To: Ryan Roberts, Peter Xu
Cc: Mark Rutland, Linux-MM
Message-ID: <520f4933-7164-4559-b6a9-8f28c1bff0d1@redhat.com>
In-Reply-To: <810b44a8-d2ae-4107-b665-5a42eae2d948@arm.com>
Organization: Red Hat
On 06.08.24 17:15, Ryan Roberts wrote:
> Hi Peter, David,
>
> syzkaller has found an issue (at least on arm64, but I suspect it will be
> visible on x86_64 too) that triggers the following warning:
>
> [ 2291.836518] ------------[ cut here ]------------
> [ 2291.836528] WARNING: CPU: 3 PID: 9056 at mm/page_table_check.c:207 __page_table_check_ptes_set+0x22c/0x248
> [ 2291.836541] Modules linked in:
> [ 2291.836549] CPU: 3 UID: 1000 PID: 9056 Comm: bug Tainted: G        W          6.11.0-rc2-dirty #2
> [ 2291.836554] Tainted: [W]=WARN
> [ 2291.836557] Hardware name: linux,dummy-virt (DT)
> [ 2291.836559] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [ 2291.836564] pc : __page_table_check_ptes_set+0x22c/0x248
> [ 2291.836568] lr : ptep_modify_prot_commit+0x24c/0x2b0
> [ 2291.836573] sp : ffff80008ca6ba20
> [ 2291.836575] x29: ffff80008ca6ba20 x28: ffff186392d1eb00 x27: 0000000020ffd000
> [ 2291.836598] x26: 0010000000000001 x25: 0000000000000001 x24: 0000000000000000
> [ 2291.836605] x23: 04e800018c738f43 x22: 0000000000000001 x21: ffff1863824163c0
> [ 2291.836612] x20: 04e800018c738f43 x19: 04e800018c738f43 x18: 0000fffff7f87fff
> [ 2291.836619] x17: 0000000000000000 x16: 1fffe30c748d22a1 x15: 0060000000000fc3
> [ 2291.836625] x14: 0000000000000000 x13: 0000000020ffd000 x12: 0000fffff7f87fff
> [ 2291.836631] x11: 0000000020ffd000 x10: 0000000000000000 x9 : ffffbcab99e3ab84
> [ 2291.836638] x8 : ffff186382b8f000 x7 : 0000000020ffe000 x6 : 0000000020ffd000
> [ 2291.836644] x5 : ffff186392d1eb00 x4 : 04e800018c738f43 x3 : 0000000000000001
> [ 2291.836650] x2 : 04e800018c738f43 x1 : ffff18639fe01fe8 x0 : ffffbcab9ce56780
> [ 2291.836657] Call trace:
> [ 2291.836659]  __page_table_check_ptes_set+0x22c/0x248
> [ 2291.836664]  ptep_modify_prot_commit+0x24c/0x2b0
> [ 2291.836667]  change_protection+0x8a0/0x1100
> [ 2291.836672]  mprotect_fixup+0x124/0x2d0
> [ 2291.836675]  do_mprotect_pkey.constprop.0+0x29c/0x460
> [ 2291.836679]  __arm64_sys_mprotect+0x24/0xf8
> [ 2291.836682]  invoke_syscall+0x50/0x120
> [ 2291.836690]  el0_svc_common.constprop.0+0x48/0xf0
> [ 2291.836694]  do_el0_svc+0x24/0x38
> [ 2291.836699]  el0_svc+0x34/0xe0
> [ 2291.836705]  el0t_64_sync_handler+0x100/0x130
> [ 2291.836709]  el0t_64_sync+0x190/0x198
> [ 2291.836713] ---[ end trace 0000000000000000 ]---
>
> The generated program (see below) mmaps a 16M region (RWX). It then mlocks all
> current and future memory.
>
> Next, it registers 12K (3 pages) for use with UFFD-WP, and marks 4 pages
> UFFD-WP'ed. This returns ENOENT because we only registered 3 pages, but those 3
> pages are still UFFD-WP'ed in their PTE, so this error is not relevant to the
> bug. At this point, there is a single VMA covering the 12K, with VM_UFFD_WP set,
> amongst other flags:
>
> 20ffb000-20ffe000 rwxp 00000000 00:00 0
> Size:                 12 kB
> KernelPageSize:        4 kB
> MMUPageSize:           4 kB
> Rss:                  12 kB
> Pss:                  12 kB
> Pss_Dirty:            12 kB
> Shared_Clean:          0 kB
> Shared_Dirty:          0 kB
> Private_Clean:         0 kB
> Private_Dirty:        12 kB
> Referenced:           12 kB
> Anonymous:            12 kB
> KSM:                   0 kB
> LazyFree:              0 kB
> AnonHugePages:         0 kB
> ShmemPmdMapped:        0 kB
> FilePmdMapped:         0 kB
> Shared_Hugetlb:        0 kB
> Private_Hugetlb:       0 kB
> Swap:                  0 kB
> SwapPss:               0 kB
> Locked:               12 kB
> THPeligible:           0
> VmFlags: rd wr ex mr mw me uw lo ac
>
> Next we mremap the first page to the address where the last page was previously
> mapped, with MREMAP_DONTUNMAP. This leads to 2 VMAs, but the new one doesn't
> have VM_UFFD_WP set (Note also that the original VMA no longer has VM_LOCKED
> which seems wrong to me, but I'll ignore that for now):
>
> 20ffb000-20ffd000 rwxp 00000000 00:00 0
> Size:                  8 kB
> KernelPageSize:        4 kB
> MMUPageSize:           4 kB
> Rss:                   4 kB
> Pss:                   4 kB
> Pss_Dirty:             4 kB
> Shared_Clean:          0 kB
> Shared_Dirty:          0 kB
> Private_Clean:         0 kB
> Private_Dirty:         4 kB
> Referenced:            4 kB
> Anonymous:             4 kB
> KSM:                   0 kB
> LazyFree:              0 kB
> AnonHugePages:         0 kB
> ShmemPmdMapped:        0 kB
> FilePmdMapped:         0 kB
> Shared_Hugetlb:        0 kB
> Private_Hugetlb:       0 kB
> Swap:                  0 kB
> SwapPss:               0 kB
> Locked:                0 kB
> THPeligible:           0
> VmFlags: rd wr ex mr mw me uw ac
> 20ffd000-20ffe000 rwxp 00000000 00:00 0
> Size:                  4 kB
> KernelPageSize:        4 kB
> MMUPageSize:           4 kB
> Rss:                   4 kB
> Pss:                   4 kB
> Pss_Dirty:             4 kB
> Shared_Clean:          0 kB
> Shared_Dirty:          0 kB
> Private_Clean:         0 kB
> Private_Dirty:         4 kB
> Referenced:            4 kB
> Anonymous:             4 kB
> KSM:                   0 kB
> LazyFree:              0 kB
> AnonHugePages:         0 kB
> ShmemPmdMapped:        0 kB
> FilePmdMapped:         0 kB
> Shared_Hugetlb:        0 kB
> Private_Hugetlb:       0 kB
> Swap:                  0 kB
> SwapPss:               0 kB
> Locked:                4 kB
> THPeligible:           0
> VmFlags: rd wr ex mr mw me lo ac
>
> Finally we try to mprotect that last 4K region to remove X, and we get the
> warning saying the PTE has both the UFFD-WP and WRITE bits set.
>
> I'm guessing this is because the VM_UFFD_WP flag got spuriously dropped when
> creating the final 4K VMA and so mprotect's can_change_pte_writable() check
> incorrectly allowed the pte to be marked writable. But the mremap man page is
> not very clear on the semantics when interacting with uffd regions; perhaps
> uffd-wp bit should have been cleared when mremapping the ptes?
>
> I'm hoping you can advise on the expected semantics and we can figure out how to
> solve this?
>
>
> The reproducer is as follows (with a few annotations added by me):
>
> """
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> // standard headers of a syzkaller-generated C program
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> // arm64 syscall numbers
> #ifndef __NR_ioctl
> #define __NR_ioctl 29
> #endif
> #ifndef __NR_mlockall
> #define __NR_mlockall 230
> #endif
> #ifndef __NR_mmap
> #define __NR_mmap 222
> #endif
> #ifndef __NR_mprotect
> #define __NR_mprotect 226
> #endif
> #ifndef __NR_mremap
> #define __NR_mremap 216
> #endif
> #ifndef __NR_userfaultfd
> #define __NR_userfaultfd 282
> #endif
>
> uint64_t r[1] = {0xffffffffffffffff};
>
> int main(void)
> {
>   intptr_t res = 0;
>
>   // guard pages around the 16M RWX region used for all ioctl arguments and the test range
>   syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>   syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>
>   write(1, "executing program\n", sizeof("executing program\n") - 1);
>
>   // userfaultfd(UFFD_USER_MODE_ONLY) = 3
>   res = syscall(__NR_userfaultfd, /*flags=UFFD_USER_MODE_ONLY*/1ul);
>   if (res != -1)
>     r[0] = res;
>
>   // ioctl(3, UFFDIO_API, {api=0xaa, features=0 => features=UFFD_FEATURE_PAGEFAULT_FLAG_WP|UFFD_FEATURE_EVENT_FORK|UFFD_FEATURE_EVENT_REMAP|UFFD_FEATURE_EVENT_REMOVE|UFFD_FEATURE_MISSING_HUGETLBFS|UFFD_FEATURE_MISSING_SHMEM|UFFD_FEATURE_EVENT_UNMAP|UFFD_FEATURE_SIGBUS|UFFD_FEATURE_THREAD_ID|UFFD_FEATURE_MINOR_HUGETLBFS|UFFD_FEATURE_MINOR_SHMEM|0x1f800, ioctls=1<<_UFFDIO_REGISTER|1<<_UFFDIO_UNREGISTER|1<<_UFFDIO_API}) = 0
>   *(uint64_t*)0x20000000 = 0xaa;
>   *(uint64_t*)0x20000008 = 0;
>   *(uint64_t*)0x20000010 = 0;
>   syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc018aa3f, /*arg=*/0x20000000ul);
>
>   syscall(__NR_mlockall, /*flags=MCL_FUTURE|MCL_CURRENT*/3ul);
>
>   // ioctl(3, UFFDIO_REGISTER, {range={start=0x20ffb000, len=0x3000}, mode=UFFDIO_REGISTER_MODE_WP, ioctls=1<<_UFFDIO_WAKE|1<<_UFFDIO_COPY|1<<_UFFDIO_ZEROPAGE|1<<_UFFDIO_WRITEPROTECT|0x120}) = 0
>   *(uint64_t*)0x20000180 = 0x20ffb000;
>   *(uint64_t*)0x20000188 = 0x3000;
>   *(uint64_t*)0x20000190 = 2;
>   *(uint64_t*)0x20000198 = 0;
>   syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc020aa00, /*arg=*/0x20000180ul);
>
>   // ioctl(3, UFFDIO_WRITEPROTECT, 0x20000080) = -1 ENOENT (No such file or directory)
>   *(uint64_t*)0x20000080 = 0x20ffb000;
>   *(uint64_t*)0x20000088 = 0x4000;
>   *(uint64_t*)0x20000090 = 1;
>   syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc018aa06, /*arg=*/0x20000080ul);
>
>   syscall(__NR_mremap, /*addr=*/0x20ffb000ul, /*len=*/0x1000ul, /*newlen=*/0x1000ul, /*flags=MREMAP_DONTUNMAP|MREMAP_FIXED|MREMAP_MAYMOVE*/7ul, /*newaddr=*/0x20ffd000ul);
>   syscall(__NR_mprotect, /*addr=*/0x20ffd000ul, /*len=*/0x1000ul, /*prot=PROT_WRITE|PROT_READ*/3ul);
>
>   return 0;
> }
> """
>
> I'd appreciate any thoughts you may have!

Interesting. Either the vma flag shouldn't get dropped or we should un-mark
the PTEs.

Is the vma flag maybe getting dropped because of some weird interaction with
UFFD_EVENT_REMAP?

-- 
Cheers,

David / dhildenb
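As an added diagnostic (not code from the thread or the kernel tree), the program below repeats the report's setup and the MREMAP_DONTUNMAP move without the final mprotect, then parses /proc/self/smaps to check whether the VMA created for the moved page still carries the "uw" (VM_UFFD_WP) VmFlag that the reporter found missing. The vma_has_flag helper, its name and the page layout are my own; it assumes Linux with userfaultfd write-protect support and headers that define UFFD_USER_MODE_ONLY and MREMAP_DONTUNMAP (fallback values are taken from the reproducer's annotations).

```c
#define _GNU_SOURCE
#include <linux/userfaultfd.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef MREMAP_DONTUNMAP        /* older glibc/kernel headers; values as in the reproducer */
#define MREMAP_DONTUNMAP 4
#endif
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1
#endif

/* Does the VMA containing addr list `flag` ("uw" = VM_UFFD_WP, "lo" = VM_LOCKED)
 * in its smaps VmFlags line? 1 = yes, 0 = no, -1 = no VMA covers addr. */
int vma_has_flag(const char *smaps, unsigned long addr, const char *flag)
{
    int in_vma = 0;
    for (const char *p = smaps, *end; *p; p = *end ? end + 1 : end) {
        unsigned long lo, hi;
        end = strchrnul(p, '\n');
        if (sscanf(p, "%lx-%lx ", &lo, &hi) == 2) {          /* VMA header line */
            in_vma = addr >= lo && addr < hi;
        } else if (in_vma && !strncmp(p, "VmFlags:", 8)) {    /* space-separated flags */
            char line[256], pat[16];
            snprintf(line, sizeof line, "%.*s ", (int)(end - p - 8), p + 8);
            snprintf(pat, sizeof pat, " %s ", flag);
            return strstr(line, pat) != NULL;
        }
    }
    return -1;
}

int main(void)
{
    const size_t ps = 4096;
    char *base = mmap(NULL, 3 * ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
    int fd = syscall(SYS_userfaultfd, UFFD_USER_MODE_ONLY);
    struct uffdio_api api = { .api = UFFD_API, .features = UFFD_FEATURE_PAGEFAULT_FLAG_WP };
    struct uffdio_register reg = { .range = { (unsigned long)base, 3 * ps }, .mode = UFFDIO_REGISTER_MODE_WP };
    if (base == MAP_FAILED || fd < 0 || ioctl(fd, UFFDIO_API, &api) < 0 ||
        ioctl(fd, UFFDIO_REGISTER, &reg) < 0) { perror("uffd setup"); return 1; }
    /* Same move as the reproducer: page 0 onto page 2, with page 0 left mapped. */
    if (mremap(base, ps, ps, MREMAP_MAYMOVE | MREMAP_FIXED | MREMAP_DONTUNMAP,
               base + 2 * ps) == MAP_FAILED) { perror("mremap"); return 1; }
    static char smaps[1 << 20]; FILE *f = fopen("/proc/self/smaps", "r");
    smaps[f ? fread(smaps, 1, sizeof smaps - 1, f) : 0] = '\0';
    printf("uw on untouched VMA: %d, uw on moved page's VMA: %d\n",
           vma_has_flag(smaps, (unsigned long)base + ps, "uw"),
           vma_has_flag(smaps, (unsigned long)base + 2 * ps, "uw"));
    return 0;   /* the reporter's kernel would print 1 then 0: the new VMA lost VM_UFFD_WP */
}
```

A kernel that preserves the flag across the move prints 1 and 1; the sequence deliberately stops before the mprotect that trips the page_table_check warning.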