From: Abhishek Shah
Reply-To: abhishek.shah@columbia.edu
Date: Thu, 21 Jul 2022 11:58:52 -0400
Subject: Race in mm/ksm.c
To: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Gabriel Ryan

Dear Kernel Maintainers,

We found a race in mm/ksm.c. During the execution of the function *__ksm_run* which uses variable *ksm_run* to decide the list insertion point, the variable *ksm_run* can be concurrently modified in the function *run_store*, which we thought could be undesirable since “KSM pages in newly forked mms can be missed” (See comment here: https://elixir.bootlin.com/linux/v5.18-rc5/source/mm/ksm.c#L2498). We would also like your thoughts on the security impact given it is a TOCTOU bug.

We provide more details below including the trace and reproducing test cases.
*Trace*

BUG: KCSAN: data-race in __ksm_enter / run_store

write to 0xffffffff881edae0 of 8 bytes by task 6542 on cpu 0:
 run_store+0x19a/0x2d0 mm/ksm.c:2897
 kobj_attr_store+0x44/0x60 lib/kobject.c:824
 sysfs_kf_write+0x16f/0x1a0 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x2ae/0x370 fs/kernfs/file.c:291
 call_write_iter include/linux/fs.h:2050 [inline]
 new_sync_write fs/read_write.c:504 [inline]
 vfs_write+0x779/0x900 fs/read_write.c:591
 ksys_write+0xde/0x190 fs/read_write.c:644
 __do_sys_write fs/read_write.c:656 [inline]
 __se_sys_write fs/read_write.c:653 [inline]
 __x64_sys_write+0x43/0x50 fs/read_write.c:653
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffffffff881edae0 of 8 bytes by task 6541 on cpu 1:
 __ksm_enter+0x114/0x260 mm/ksm.c:2501
 ksm_madvise+0x291/0x350 mm/ksm.c:2451
 madvise_vma_behavior mm/madvise.c:1039 [inline]
 madvise_walk_vmas mm/madvise.c:1221 [inline]
 do_madvise+0x656/0xeb0 mm/madvise.c:1399
 __do_sys_madvise mm/madvise.c:1412 [inline]
 __se_sys_madvise mm/madvise.c:1410 [inline]
 __x64_sys_madvise+0x64/0x70 mm/madvise.c:1410
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 6541 Comm: syz-executor2-n Not tainted 5.18.0-rc5+ #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
---------------------

*Inputs*

Input CPU 0:
r0 = openat$sysctl(0xffffff9c, &(0x7f0000000100)='/sys/kernel/mm/ksm/run\x00', 0x1, 0x0)
write$sysctl(r0, &(0x7f0000000000)='2\x00', 0x2)

Input CPU 1:
madvise(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0xc)
mlock2(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x0)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x12)
clone(0x0, 0x0, 0x0, 0x0, 0x0)
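As an added triage helper, not part of the report above and not kernel code: a Python parser for KCSAN reports of the shape shown (an abridged copy of this report is embedded as its input). It extracts the racing function pair, the conflicting write and read with address, size, task and cpu, the stack beneath each, and the syscall each side was reached from, so the two sides of the TOCTOU can be compared side by side. It assumes the access and frame line formats exactly as KCSAN prints them above.

```python
import re

# Abridged copy of the KCSAN report from the mail above (inline frames dropped).
KCSAN_REPORT = """\
BUG: KCSAN: data-race in __ksm_enter / run_store

write to 0xffffffff881edae0 of 8 bytes by task 6542 on cpu 0:
 run_store+0x19a/0x2d0 mm/ksm.c:2897
 kobj_attr_store+0x44/0x60 lib/kobject.c:824
 __x64_sys_write+0x43/0x50 fs/read_write.c:653
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffffffff881edae0 of 8 bytes by task 6541 on cpu 1:
 __ksm_enter+0x114/0x260 mm/ksm.c:2501
 ksm_madvise+0x291/0x350 mm/ksm.c:2451
 __x64_sys_madvise+0x64/0x70 mm/madvise.c:1410
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 6541 Comm: syz-executor2-n Not tainted 5.18.0-rc5+ #107
"""

HEAD_RE = re.compile(r"^BUG: KCSAN: data-race in (\S+) / (\S+)")
ACCESS_RE = re.compile(r"^(?P<kind>read|write)(?: \(marked\))? to (?P<addr>0x[0-9a-f]+)"
                       r" of (?P<size>\d+) bytes by task (?P<task>\d+) on cpu (?P<cpu>\d+):")
# A frame is "func+off/len file:line"; entry_SYSCALL_* carries no file:line and is skipped.
FRAME_RE = re.compile(r"^\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<loc>\S+:\d+)")

def parse_kcsan_report(text):
    """Racing function pair plus each access: kind/addr/size/task/cpu, stack, entry syscall."""
    report = {"functions": None, "accesses": []}
    current = None                      # access whose stack is being collected
    for line in text.splitlines():
        if m := HEAD_RE.match(line):
            report["functions"] = [m.group(1), m.group(2)]
        elif m := ACCESS_RE.match(line):
            current = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            current.update(frames=[], entry=None)
            report["accesses"].append(current)
        elif current is not None and (m := FRAME_RE.match(line)):
            current["frames"].append((m.group("func"), m.group("loc")))
            if m.group("func").startswith("__x64_sys_"):   # syscall this side came from
                current["entry"] = m.group("func")
        elif not line.strip():
            current = None              # a blank line ends the stack
    return report

REPORT = parse_kcsan_report(KCSAN_REPORT)
```

The first frame of each access is where the racing load or store sits (run_store at mm/ksm.c:2897 versus __ksm_enter at mm/ksm.c:2501), which is the pair to inspect for which lock, if any, each side holds.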