From: Li Wang
Date: Wed, 22 Sep 2021 17:06:53 +0800
Subject: Re: [PATCH] userfaultfd: fix a race between writeprotect and exit_mmap()
To: Nadav Amit
Cc: Andrew Morton, linux-kernel, Linux-MM, linux-fsdevel@vger.kernel.org, Nadav Amit, Peter Xu, Andrea Arcangeli, stable@vger.kernel.org

Hi,

I confirmed this patch (applied on 5.14) gets rid of the below userfaultfd
test failure.

# ./userfaultfd anon 16 2
nr_pages: 4096, nr_pages_per_cpu: 256
bounces: 1, mode: rnd read, userfaults: 313 missing (51+34+37+26+41+28+15+20+16+12+13+7+10+2+0+1) 995 wp (121+79+96+53+90+104+48+61+56+82+56+41+49+26+11+22)
bounces: 0, mode: read, userfaults: 64 missing (15+8+10+6+5+2+4+3+3+1+4+0+0+2+0+1) 2157 wp (223+274+189+141+116+132+203+153+143+126+110+114+101+66+42+24)
testing uffd-wp with pagemap (pgsize=4096): done
testing uffd-wp with pagemap (pgsize=2097152): done
testing UFFDIO_ZEROPAGE: done.
testing signal delivery: done.
testing events (fork, remap, remove): ERROR: nr 3933 memory corruption 0 1
 (errno=0, line=963)
ERROR: faulting process failed (errno=0, line=1117)

On Wed, Sep 22, 2021 at 11:34 AM Nadav Amit wrote:

> From: Nadav Amit
>
> A race is possible when a process exits, its VMAs are removed
> by exit_mmap() and at the same time userfaultfd_writeprotect() is
> called.
>
> The race was detected by KASAN on a development kernel, but it appears
> to be possible on vanilla kernels as well.
>
> Use mmget_not_zero() to prevent the race as done in other userfaultfd
> operations.
>
> Cc: Peter Xu
> Cc: Andrea Arcangeli
> Cc: stable@vger.kernel.org
> Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to
> userfaultfd ioctl")
> Signed-off-by: Nadav Amit
> Tested-by: Li Wang
> --- > fs/userfaultfd.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 003f0d31743e..22bf14ab2d16 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -1827,9 +1827,15 @@ static int userfaultfd_writeprotect(struct > userfaultfd_ctx *ctx, > if (mode_wp && mode_dontwake) > return -EINVAL; > > - ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, > - uffdio_wp.range.len, mode_wp, > - &ctx->mmap_changing); > + if (mmget_not_zero(ctx->mm)) { > + ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, > + uffdio_wp.range.len, mode_wp, > + &ctx->mmap_changing); > + mmput(ctx->mm); > + } else { > + return -ESRCH; > + } > + > if (ret) > return ret; > > -- > 2.25.1

--
Regards,
Li Wang
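
Review bot: in the userfaultfd_writeprotect() hunk the failure path sits in a trailing `else { return -ESRCH; }`, which leaves the mwriteprotect_range() call nested one level deeper than it needs to be. Inverting the test into an early return, `if (!mmget_not_zero(ctx->mm)) return -ESRCH;`, would keep the mwriteprotect_range() call at its original indentation with mmput(ctx->mm) directly after it, so the get/put pairing is easier to audit and the diff shrinks. The hunk also introduces a -ESRCH return that the commit message does not mention; a sentence saying when callers of the write-protect ioctl will now see it would help.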