From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6DC8DC001E0 for ; Thu, 10 Aug 2023 15:53:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E944C6B0071; Thu, 10 Aug 2023 11:53:43 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E1D2C6B0072; Thu, 10 Aug 2023 11:53:43 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CBE2E6B0075; Thu, 10 Aug 2023 11:53:43 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id B8D846B0071 for ; Thu, 10 Aug 2023 11:53:43 -0400 (EDT) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 38A1D1409EA for ; Thu, 10 Aug 2023 15:53:43 +0000 (UTC) X-FDA: 81108640326.27.44302A4 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by imf20.hostedemail.com (Postfix) with ESMTP id DB5131C0012 for ; Thu, 10 Aug 2023 15:53:40 +0000 (UTC) Authentication-Results: imf20.hostedemail.com; dkim=none; spf=pass (imf20.hostedemail.com: domain of ryan.roberts@arm.com designates 217.140.110.172 as permitted sender) smtp.mailfrom=ryan.roberts@arm.com; dmarc=pass (policy=none) header.from=arm.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1691682821; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tckrT/91SaqKXO0BlR37sofHjw5RZvPHOQwvh8DOPL8=; b=W2025HPual85TgSAjtxelL6ck3yPN+g/lfhhM9MRjEcic3JCkeB64xKA3D5S5r10EIJUPm Wq+UOdxLjIGMsKQMBiWsP+PzMhidkvakX4ATibpvFdNfAiHjtiNSk2dNysTsZItO31zjZ/ 9cyEHgEqytMBsA4EPzhE0WcGkwCrVgk= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1691682821; a=rsa-sha256; cv=none; b=t5xASGtjkORsp2VklGNlJK4Ur8OnZE5TDnpnsmA+vBzHRcOn9YS8e/eJxe5rp5XtW+QVxZ nuemE0KbjnHJizbtbzp4msGLHzLNUlB6+RygNcz4r0zey+nYIApWAsVH7si4U6Rtgrfw8i 18FCgY63bnyM/Jq3YM/H6pCL1Lgf+UU= ARC-Authentication-Results: i=1; imf20.hostedemail.com; dkim=none; spf=pass (imf20.hostedemail.com: domain of ryan.roberts@arm.com designates 217.140.110.172 as permitted sender) smtp.mailfrom=ryan.roberts@arm.com; dmarc=pass (policy=none) header.from=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 59F86D75; Thu, 10 Aug 2023 08:54:22 -0700 (PDT) Received: from [10.1.27.169] (XHFQ2J9959.cambridge.arm.com [10.1.27.169]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 6A0653F6C4; Thu, 10 Aug 2023 08:53:35 -0700 (PDT) Message-ID: <8fbb5965-28f7-4e9a-ac04-1406ed8fc2d4@arm.com> Date: Thu, 10 Aug 2023 16:53:33 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH mm-unstable fix] mm: userfaultfd: check for start + len overflow in validate_range: fix Content-Language: en-GB To: Axel Rasmussen , Alexander Viro , Andrew Morton , Brian Geffon , Christian Brauner , David Hildenbrand , Gaosheng Cui , Huang Ying , Hugh Dickins , James Houghton , Jiaqi Yan , Jonathan Corbet , Kefeng Wang , "Liam R. Howlett" , Miaohe Lin , Mike Kravetz , "Mike Rapoport (IBM)" , Muchun Song , Nadav Amit , Naoya Horiguchi , Peter Xu , Shuah Khan , Steven Barrett , Suleiman Souhlal , Suren Baghdasaryan , "T.J. Alumbaugh" , Yu Zhao , ZhangPeng Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, syzbot+42309678e0bc7b32f8e9@syzkaller.appspotmail.com References: <20230714182932.2608735-1-axelrasmussen@google.com> From: Ryan Roberts In-Reply-To: <20230714182932.2608735-1-axelrasmussen@google.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: DB5131C0012 X-Rspam-User: X-Stat-Signature: 5gjkyunxrofow5hyu8xqprgmuw6h41at X-Rspamd-Server: rspam03 X-HE-Tag: 1691682820-673022 X-HE-Meta: U2FsdGVkX18r8IEWSDEbX6YijcRxDsKoykEhoeAzb21NWdida4NwljoTYTk89a8Rkpk5l9280pcQAGYaNfpDxEZwpIiFnR8eZ2v/e31jlxjQjs2WBAyjeFKxEoluMRtFYVbEStVeiZOxU3GhwtAXqDjbshNE4MFT/Jw5dysRrgTv3ohR4dNdtVN0pFVDNl/TboCHs3fhKfdbmnc1XBcQJ8c11fNIyvna/ZP+/p/9oY8mogjd0n++DJwluODp48FOWDMdx7GSd4rkK1npTkV73Nm+QMCQLu/+xg8X4iA0beCU8NVXB/Q03fuDgr3XmxpHhhJSKpWSlYo42thhOCbV3ZYtwpTpWiywhmoVdzwb1/ShSTp1YsfdNyfRxj9uGq8Id8I2ifKr/rtmkE2NSAGqK/Mlg415MHBQhGqebBmvrmml2xC5K4sIN7CQvEiBHkQ2E+kboP62vXoxN/6c+RKy+7pXFR3Xp8OqN5O4emX0cbHPfLqXH6pBKP8fMPyvhtkn/e6nhQ76fNphATSbfyJN1SMODdvuUXR7layME8WNEDFnpmYnPws+MX7la/iywzRh4uqCimrH1IoQOPYmXzfahc+dk0Oys/GDHn2HL6MOplriupra2dgtiISALlT2tamvV/zu6AygSg9T4H3la5wfnBtjDUKzM0nox9No4Omc0BAG0tpGKQnam5QJcnseVecIPYQUvu85HlzDIW9ExZUl8lZ88VYFiZjbSVD+hHrzl+/+U3HXWmsK1fsvGLcDaPlXSXUV9V4TmczCSah8XjTdfWdK+f+sLb2kbplDs7wl5qlFTHi2KnjGL5EZpG7AJATetlFSqh+sB3eB7tV2F3lVxRQIX0VKQSNgnIsPAF7Afi+iGp7FlVSQpMRh9JeafMTOLJM+vItxTSYzuCORYqRVWe2FXK9+AKTcDrXZN6uwUXquAJIRRzo1EheTq/vYncFD7MLO6UjczU76ZqIVAKr 6nWu9ijy JkGgK2GP3bVtYni/QghxoNsqr1XrJI+ZY/P8DIkOfTe79zABNw5ozLXzzlGP5Qt0quO8zvnUFkycZe9++EORAJOwQNjDxaLlD95ZS7ao+2IgXnkN6DUWgQs6dR+XavYo2kjIPP+rxk85valrSKyUbc+SYWDB5A1l7W7GhEwa3YGZN92Vfs3Me8w9mDqL7WQmftFWcoyekQxvbyCNrBRggrR9BstK6L8xCBSXcqv/Bicp0eMv6z8fBPd3ADoxbDDjk41MzTgc333qL+X2Tjb6ZcBcVRY4SaJG7e68VLcR2rnXDWD1Y6GRjwbqXkNCqcTn1JNpVCnfhKdYpyRe8gXGg89yaNmkyr3meiSmuZ3Ti9RBQgZmKb8g8dhCWzx+uvPGLTNwxzwBM0IOtTql7NhbHjJ4AxSTF89/W8rUpUEfQz56cOV8rBJ2ueNg3Kw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 14/07/2023 19:29, Axel Rasmussen wrote: > This commit removed an extra check for zero-length ranges, and folded it > into the common validate_range() helper used by all UFFD ioctls. > > It failed to notice though that UFFDIO_COPY *only* called validate_range > on the dst range, not the src range. So removing this check actually let > us proceed with zero-length source ranges, eventually hitting a BUG > further down in the call stack. > > The correct fix seems clear: call validate_range() on the src range too. > > Other ioctls are not affected by this, as they only have one range, not > two (src + dst). > > Reported-by: syzbot+42309678e0bc7b32f8e9@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=42309678e0bc7b32f8e9 > Signed-off-by: Axel Rasmussen > --- > fs/userfaultfd.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 53a7220c4679..36d233759233 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -1759,6 +1759,9 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, > sizeof(uffdio_copy)-sizeof(__s64))) > goto out; > > + ret = validate_range(ctx->mm, uffdio_copy.src, uffdio_copy.len); > + if (ret) > + goto out; > ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len); > if (ret) > goto out; Hi Axel, I've just noticed that this patch, now in mm-unstable, regresses the mkdirty mm selftest: # [INFO] detected THP size: 2048 KiB TAP version 13 1..6 # [INFO] PTRACE write access ok 1 SIGSEGV generated, page not modified # [INFO] PTRACE write access to THP ok 2 SIGSEGV generated, page not modified # [INFO] Page migration ok 3 SIGSEGV generated, page not modified # [INFO] Page migration of THP ok 4 SIGSEGV generated, page not modified # [INFO] PTE-mapping a THP ok 5 SIGSEGV generated, page not modified # [INFO] UFFDIO_COPY not ok 6 UFFDIO_COPY failed Bail out! 1 out of 6 tests failed # Totals: pass:5 fail:1 xfail:0 xpass:0 skip:0 error:0 Whereas all 6 tests pass against v6.5-rc4. I'm afraid I don't know the test well and haven't looked at what the issue might be, but noticed and thought I should point it out. bisect log: git bisect start # bad: [ad3232df3e410acc2229c9195479c5596c1d1f96] mm/memory_hotplug: embed vmem_altmap details in memory block git bisect bad ad3232df3e410acc2229c9195479c5596c1d1f96 # good: [5d0c230f1de8c7515b6567d9afba1f196fb4e2f4] Linux 6.5-rc4 git bisect good 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4 # bad: [aa5712770e3f0edb31ae879cd6452d5c2111d4fb] mm: fix obsolete function name above debug_pagealloc_enabled_static() git bisect bad aa5712770e3f0edb31ae879cd6452d5c2111d4fb # bad: [bef1ff8723df303a06cdaffe64d95db2f7e7d4f6] mm: userfaultfd: support UFFDIO_POISON for hugetlbfs git bisect bad bef1ff8723df303a06cdaffe64d95db2f7e7d4f6 # good: [4f4469463e8571012d2602b39f14ed3e3dbd972a] selftests/mm: add gup test matrix in run_vmtests.sh git bisect good 4f4469463e8571012d2602b39f14ed3e3dbd972a # good: [5c0d69839ef4f560679919f3483a592741df74f8] memcg: drop kmem.limit_in_bytes git bisect good 5c0d69839ef4f560679919f3483a592741df74f8 # good: [b75f155a299729dc62de0ce6a9400d076298aa4c] mm: compaction: skip the memory hole rapidly when isolating free pages git bisect good b75f155a299729dc62de0ce6a9400d076298aa4c # good: [12b13121d9f4487301dd9fb765265b642b2f6d5d] mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX git bisect good 12b13121d9f4487301dd9fb765265b642b2f6d5d # bad: [c9c368e75919c105aae072896e58d0ad4639e505] mm: userfaultfd: check for start + len overflow in validate_range: fix git bisect bad c9c368e75919c105aae072896e58d0ad4639e505 # good: [9e707995021bbdfc67ad83a985f7796bba580bed] mm-make-pte_marker_swapin_error-more-general-fix git bisect good 9e707995021bbdfc67ad83a985f7796bba580bed # good: [46b66377b696c43c89ed4b1cb3f56b64e8fd475b] mm: userfaultfd: check for start + len overflow in validate_range git bisect good 46b66377b696c43c89ed4b1cb3f56b64e8fd475b # first bad commit: [c9c368e75919c105aae072896e58d0ad4639e505] mm: userfaultfd: check for start + len overflow in validate_range: fix Thanks, Ryan