From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C421EC0218F for ; Fri, 31 Jan 2025 14:59:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4D5D16B0082; Fri, 31 Jan 2025 09:59:01 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 45F1A6B0083; Fri, 31 Jan 2025 09:59:01 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2B1ED6B0085; Fri, 31 Jan 2025 09:59:01 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 0AF896B0082 for ; Fri, 31 Jan 2025 09:59:01 -0500 (EST) Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id B897EC0E99 for ; Fri, 31 Jan 2025 14:58:56 +0000 (UTC) X-FDA: 83068054272.10.C8541E3 Received: from fanzine2.igalia.com (fanzine.igalia.com [178.60.130.6]) by imf24.hostedemail.com (Postfix) with ESMTP id BF3D5180014 for ; Fri, 31 Jan 2025 14:58:54 +0000 (UTC) Authentication-Results: imf24.hostedemail.com; dkim=pass header.d=igalia.com header.s=20170329 header.b=osGqXY5Y; spf=pass (imf24.hostedemail.com: domain of rcn@igalia.com designates 178.60.130.6 as permitted sender) smtp.mailfrom=rcn@igalia.com; dmarc=pass (policy=none) header.from=igalia.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1738335535; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:dkim-signature; bh=Zwu5Hitv4/1a67lggN6GEML6nle7odGui4zBbtRSaLw=; b=FLSkhKQp0NcBBRSsQlPtCM9M7na1BDFJ0nmExy5OqBGfVNcoILF/sX3eeGpJQzq03D61D0 bntRhtcoFEZC3+5o9PAXWhS9hVgeOrebcgrpBN0xDAvtC8PEQKsd10SGw+ohtgwtunxbMk ZjtiT3x23+1IKajKIIkp2sSLvxcssQE= ARC-Authentication-Results: i=1; imf24.hostedemail.com; dkim=pass header.d=igalia.com header.s=20170329 header.b=osGqXY5Y; spf=pass (imf24.hostedemail.com: domain of rcn@igalia.com designates 178.60.130.6 as permitted sender) smtp.mailfrom=rcn@igalia.com; dmarc=pass (policy=none) header.from=igalia.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1738335535; a=rsa-sha256; cv=none; b=py0qL91Gps2ggZnDndhJEMdYWc4LziE9ZiLoMhaL9Bxj1TZ5hHhak2Bz4cr1fcJqMYw9Zy eCd0aHdQaly8PwYlsrOUyS5Uy0VMyVEy0XRNw/onO5QH2LwIi+7b+Vdazq7WyVytSrQfk5 B1cfxlCKbZSa6RHrld+gNl4x73MIUP8= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=igalia.com; s=20170329; h=Content-Type:MIME-Version:Message-ID:Date:In-Reply-To:Subject: Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Zwu5Hitv4/1a67lggN6GEML6nle7odGui4zBbtRSaLw=; b=osGqXY5Yhp/3betjjQN3iGpsKK +BsShqKY1BFhdk7dAKvK3MaS6MnyJbxgg/nBDMmQABeBpztuZahifhG6AMCMxcvqJGnm+/YZGYNTd LC0T64ebtuusrtKoXlcP15qgcoJM81W3suyvyEBR/n8N/goQ2XqSKi0PHvuycbp0XkE81BitWU60v OEmYoQO2den62GFoXca39stFfhZnyf6LawyrWj4Oo2cZWvpf3R3InGh0XraiT+l52L82wyhf2UVej GXA4desNZ9E/+lWm2RLFJI7fb1+/mBN0McNxTbmYx6uj78Sv3tsMLlT0k3+f4OzwdrmlQ1EAWFhdi KZz95xmA==; Received: from 253.red-79-144-234.dynamicip.rima-tde.net ([79.144.234.253] helo=localhost) by fanzine2.igalia.com with esmtpsa (Cipher TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim) id 1tdsTi-001WLc-67; Fri, 31 Jan 2025 15:58:48 +0100 From: =?utf-8?Q?Ricardo_Ca=C3=B1uelo_Navarro?= To: Ricardo =?utf-8?Q?Ca=C3=B1uelo?= Navarro Cc: akpm@linux-foundation.org, riel@surriel.com, linux-mm@kvack.org, stable@vger.kernel.org, kernel-dev@igalia.com, revest@google.com Subject: Re: [PATCH] mm,madvise,hugetlb: check for 0-length range after end address adjustment In-Reply-To: <20250131143749.1435006-1-rcn@igalia.com> (message from Ricardo =?utf-8?Q?Ca=C3=B1uelo?= Navarro on Fri, 31 Jan 2025 15:37:49 +0100) Date: Fri, 31 Jan 2025 15:58:41 +0100 Message-ID: <87plk3xc66.fsf@igalia.com> MIME-Version: 1.0 Content-Type: text/plain X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: BF3D5180014 X-Stat-Signature: q9xeojnixe317yjj5ecnnhuy4y9g1d3s X-Rspam-User: X-HE-Tag: 1738335534-118342 X-HE-Meta: U2FsdGVkX18Wj7PpIDuwYGxJ0KF7appGRaWj3AP0Ib94Hro0mLjyYcMGejarpzGKiOLZclS1oCcrSy2Cuns8DLKmhLds1AmZSy9MS9BCapF5D+/6reJyqgPM5WrXa5xnismELnG3NzZHwtf17jxSqoopX8YmTpAgOB3GSQ8yXJSU90d0RmbHJL7twH2d4VExNoKDgcs7ILwY7O++dxmxnAH7RA4u633HzhhEEA6aGbBCeKMVZ2SP0j9OODBEyDPOsHCAgVm+QZR4C9VjgoWaINA0nUZ+Fk6XtfFW/Pn3zdxPIgviOyppgnQqo3NNlWtuX6Hc7DXGAs9g2Twp6KNCzMDTpDZsnBqAwFpfz4EUiXlZDuzZ/d/YWF3WjQV7DA6YXz/wXSBfyQyuiWFTSymty3DAAoDNelF69rvJS34O/KvNhv7XML6pHrd8MfWkJCOHL8eruKu/Ye7LXFkqUGIG/OI7hfjLsJhYOcTTHIFDcGY8dGqaoIw57X5ZMCe43G/S2+78iEAzMmgV1LzmEGT4SEh+PwBy+Da1PQzCJXADWYBd7QTWjtUeKfDccN9oa4gqdUBFmxyhFGVcVXXs7fnfjlR5DkUOVjsp8zZNugQtmGYRw+cjHF4Fv/3iGTURtD/ybhwraZYQd2XcWj2+q1DFQ8pi2eyxWJIdybscbgInZHnof6vTySaycjfjAmD7C3ta96/ypzPMstMvZR5ATRQ3z0yD94gKZz4qhD50Mfs8ZfaQGM4mmdB9jBCtIiXWxjDSkeOrI0fXDrcdr3R8GuEgj2b/HTkBsmjAGXaJq6TzPy6NZWGArdjBpkNQs97N/OxKf7e+GuIq1+u6IsvS5MRwNTYoFsDJNHbTu19pGPW+Dmv2jeDAFiWXN0qaBy7BfCbKSJGWbs62S9m8mZL6MMgONc2pq7d+U5AeNWpecut7w94eU8HvKW3Ht1UuZbxUoJyEyxB7fPIHZnJMIiPW3tk UaAHmbYG Iqh0qUuvCvKYn4H7R1eLLl1QiFt26iEuu8sjAHr816AhKnocggSL/LoogpF2Nk8JDL4h3drFHYOrDhSOnn0NT8VlE9E+gLPeadYmrwrR6WmaeMD4sijJ/DQ3KDQxoJbvXlGJdESQzKJrzV0WAjghtXAbbKKBboCFGNpuNJe+MggoC1Qq3wzr0TFHvW1eVGGjwuWzheg7KxF2zyKlGXxajyCnzPUdH2QygK74USBlgoW5YoWc= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Hi all, Some more context about the patch. The issue (WARNING in madvise_vma_behavior) was found by a private syzbot instance, so I can't share the link, but it can be triggered by an unprivileged user with this reproducer: --8<------------------------------------------------------------------ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef __NR_userfaultfd #define __NR_userfaultfd 323 #endif static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 8; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000040 = 0x20000004; *(uint32_t*)0x20000048 = 4; *(uint32_t*)0x2000004c = 2; *(uint32_t*)0x20000050 = 0; syscall(__NR_mq_notify, /*mqd=*/-1, /*notif=*/0x20000040ul); break; case 1: syscall(__NR_mremap, /*addr=*/0x20002000ul, /*len=*/0x3000ul, /*newlen=*/0x4000ul, /*flags=MREMAP_FIXED|MREMAP_MAYMOVE*/ 3ul, /*newaddr=*/0x20422000ul); break; case 2: res = syscall(__NR_userfaultfd, /*flags=UFFD_USER_MODE_ONLY|O_CLOEXEC*/ 0x80001ul); if (res != -1) r[0] = res; break; case 3: *(uint64_t*)0x200000c0 = 0xaa; *(uint64_t*)0x200000c8 = 0xc; *(uint64_t*)0x200000d0 = 0; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc018aa3f, /*arg=*/0x200000c0ul); break; case 4: *(uint64_t*)0x20000140 = 0x200e2000; *(uint64_t*)0x20000148 = 0xc00000; *(uint64_t*)0x20000150 = 1; *(uint64_t*)0x20000158 = 0; syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xc020aa00, /*arg=*/0x20000140ul); break; case 5: syscall( __NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x400000ul, /*prot=PROT_GROWSUP|PROT_SEM|PROT_WRITE|PROT_READ|PROT_EXEC*/ 0x200000ful, /*flags=MAP_SYNC|MAP_NONBLOCK|MAP_HUGETLB|MAP_FIXED|MAP_ANONYMOUS|0x2*/ 0xd0032ul, /*fd=*/-1, /*offset=*/0ul); break; case 6: syscall(__NR_madvise, /*addr=*/0x20000000ul, /*len=*/0x600003ul, /*advice=MADV_DONTNEED*/ 4ul); break; case 7: syscall( __NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xff5000ul, /*prot=*/0ul, /*flags=MAP_POPULATE|MAP_NORESERVE|MAP_NONBLOCK|MAP_HUGETLB|MAP_FIXED|0x2000000000821*/ 0x200000005c831ul, /*fd=*/-1, /*offset=*/0ul); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); loop(); return 0; } --8<------------------------------------------------------------------ Cheers, Ricardo