From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=AeVH=PN=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 41C52C433F5
	for <linux-mm@archiver.kernel.org>; Mon, 25 Oct 2021 06:37:59 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id D03F360F22
	for <linux-mm@archiver.kernel.org>; Mon, 25 Oct 2021 06:37:58 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org D03F360F22
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 40232940007; Mon, 25 Oct 2021 02:37:58 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3B0646B0072; Mon, 25 Oct 2021 02:37:58 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 277EB940007; Mon, 25 Oct 2021 02:37:58 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0002.hostedemail.com [216.40.44.2])
	by kanga.kvack.org (Postfix) with ESMTP id 1600F6B006C
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 02:37:58 -0400 (EDT)
Received: from smtpin29.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with ESMTP id B90B2181FE08F
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 06:37:57 +0000 (UTC)
X-FDA: 78734004594.29.CB3F161
Received: from mail-oi1-f172.google.com (mail-oi1-f172.google.com [209.85.167.172])
	by imf09.hostedemail.com (Postfix) with ESMTP id 5C7A53000103
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 06:37:57 +0000 (UTC)
Received: by mail-oi1-f172.google.com with SMTP id o204so14152265oih.13
        for <linux-mm@kvack.org>; Sun, 24 Oct 2021 23:37:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=uPpEb1n5zsr4bfcN2qUMVNqzU/tSK0OigA3PBd9KLm8=;
        b=GJxz+ZoGxmSVqIJqzm/VCqaaXqd3MzI8xjT7vrHCTkE8bDHhkxRoR5m0SgcgdulTAe
         YUYKwKsUI69s19grHN6YX0H/SfdUmew4gFXoACHsnuoBGzyp+lXP87FWQqzmMlFNIBnf
         walR7Jlj03G65Lzm43AMmcjYBSmVU30On+88VcRLq3Gqj4WP2hbE8j4bbZCWMkL5TtO+
         ipbYUqZsq5ncdR1oupQ818eVTdb2uCi/+/hHUejKbgUs27cK/euCJtyuY0GsbVQ9j3eS
         gnqub0Cf/3hIjsSmh0BcnjzTqwEN+PcwZifc8vXUAz0WaE1e5XaOcuB/c9SsxmKAFc/V
         KL+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=uPpEb1n5zsr4bfcN2qUMVNqzU/tSK0OigA3PBd9KLm8=;
        b=DResoGsSrUK4lNyzrbJ72E6ssFWZZRnDX/VHMgKVkymwYrIIeILVvukRpDj8pGuQW+
         oRFn1P6uy5fXf2PBZ2YBdHlJaqQw43jZZo3zSRIu3lNHTJFqT5CnDx0IozQw8O7iAb/E
         APuozh1f5M7uo9791eri0PQNk95y6L7c6Jec9eRv4SSFTyMdxaDXjC+7yuOz/8v0HJtW
         HRzCVaUk1cXENW73DvT40fti4KSYaXnSrdAY+alHZyoVzlOdyCItX53Uz2UqEw2jjtck
         b94mGdd93RNFwxUTs6VkSnH00DQrrmdksaxh6yebuXL+chxqK1ABsDB5k3q44bE2zXCd
         6+NA==
X-Gm-Message-State: AOAM53188stCtmmN/j9cLMdmotfHgH7LiW0DX6ElIj8NA8qd1EqOPXKu
	p97pLeBqSk1GtHz7drUFjht/1zAbdZBKl3VSR8Sbyw==
X-Google-Smtp-Source: ABdhPJwnqmxUqlHFwoeDbGrAVb2Iwe5aVKW3sq4NyJn9WG599mNgBsrZtqjVaRHJDMT5R3HqZ4psua8FKKexgB27QpQ=
X-Received: by 2002:a05:6808:ec9:: with SMTP id q9mr20768923oiv.160.1635143876338;
 Sun, 24 Oct 2021 23:37:56 -0700 (PDT)
MIME-Version: 1.0
References: <00000000000064451505cf0a3aa2@google.com> <CAHk-=wj=jthBt0XOjqstiYYROGhJAM0xrsWBVQgGMk79JBaKDg@mail.gmail.com>
 <YXW9lmQVx1PLX9aj@casper.infradead.org>
In-Reply-To: <YXW9lmQVx1PLX9aj@casper.infradead.org>
From: Dmitry Vyukov <dvyukov@google.com>
Date: Mon, 25 Oct 2021 08:37:45 +0200
Message-ID: <CACT4Y+YZ-JR0iOX8MP9rnoYCwfz=9a+aM4L2LoUtJVko3=CkRQ@mail.gmail.com>
Subject: Re: [syzbot] WARNING: refcount bug in memfd_secret
To: Matthew Wilcox <willy@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>, 
	syzbot <syzbot+75639e6a0331cd61d3e2@syzkaller.appspotmail.com>, 
	Andrew Morton <akpm@linux-foundation.org>, jordy@jordyzomer.github.io, 
	jordy@pwning.systems, 
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, Linux-MM <linux-mm@kvack.org>, 
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
X-Stat-Signature: edt7tp5o7bagmmneutscc3jhyshjt74j
Authentication-Results: imf09.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=GJxz+ZoG;
	spf=pass (imf09.hostedemail.com: domain of dvyukov@google.com designates 209.85.167.172 as permitted sender) smtp.mailfrom=dvyukov@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 5C7A53000103
X-HE-Tag: 1635143877-41187
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Sun, 24 Oct 2021 at 22:12, Matthew Wilcox <willy@infradead.org> wrote:
>
> On Sun, Oct 24, 2021 at 09:54:22AM -1000, Linus Torvalds wrote:
> > On Sat, Oct 23, 2021 at 9:35 AM syzbot
> > <syzbot+75639e6a0331cd61d3e2@syzkaller.appspotmail.com> wrote:
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    9c0c4d24ac00 Merge tag 'block-5.15-2021-10-22' of git://gi..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=115a0328b00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=59f3ef2b4077575
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=75639e6a0331cd61d3e2
> > > compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13a035c2b00000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ae869f300000
> > >
> > > The issue was bisected to:
> > >
> > > commit 110860541f443f950c1274f217a1a3e298670a33
> >
> > I think that commit is actually just buggy.
> >
> > "secretmem_users" is not actually a reference count. There's no "magic
> > happens when it goes down to zero".
> >
> > It's purely a count of the number of existing users, and incrementing
> > it from zero is not a probolem at all - it is in fact expected.
> >
> > Sure, zero means "we can hibernate", so zero and overflow are somewhat
> > special, but not special enough to cause these kinds of issues.
> >
> > I have reverted this commit in my tree, because honestly, the whole
> > "try to overflow exactly, and hibernate" threat model just isn't worth
> > this all.
> >
> > If people really care, I can suggest
> >
> >  - use "atomic_long_t" instead. Let's face it, 32-bit isn't
> > interesting any more, and 64-bit doesn't overflow.
> >
> >  - make up some new "atomic_inc_nooverflow()" thing or whatever.
> >
> > but for now this is just reverted.
>
> There was a separate thread on an earlier version of this report.

gcc and clang somehow produce different frames (I guess a tail call).
Need to fix parsing.

#syz dup: WARNING: refcount bug in sys_memfd_secret


> https://lore.kernel.org/linux-mm/YXU7%2FiRjf9v77gon@casper.infradead.org/
> I agree with you and suggested that if anybody really cares (I mean,
> you need a multi-TB machine to produce this problem) that we simply do
> what we did with the page refcount:
>
> +++ b/mm/secretmem.c
> @@ -203,6 +203,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags)
>
>         if (flags & ~(SECRETMEM_FLAGS_MASK | O_CLOEXEC))
>                 return -EINVAL;
> +       if (atomic_read(&secretmem_users) < 0)
> +               return -ENFILE;
>
>         fd = get_unused_fd_flags(flags & O_CLOEXEC);
>         if (fd < 0)
>
> Mike didn't particularly like that answer though.