From: Jann Horn
Date: Fri, 2 Dec 2022 19:53:20 +0100
Subject: brk() in v6.1-rc1 can expand file mappings, seemingly without taking file locks
To: Linux-MM, "Liam R. Howlett", Andrew Morton
Cc: kernel list, Jason Donenfeld, Yu Zhao, "Matthew Wilcox (Oracle)", SeongJae Park, Vlastimil Babka

As of commit ca57f02295f, brk() can expand ordinary file mappings (but not file mappings with weird flags), and I think it does it with insufficient locks.
I think brk() probably needs some extra checks to make sure it's operating on a brk-like VMA (which means it should at least be anonymous, and perhaps pass the full can_vma_merge_after() check so that we're not creating unnecessary special cases?).

user@vm:~/brk_stretch$ cat brk_file.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <malloc.h>
#include <err.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res;                      \
})

int main(void) {
  /* make malloc() serve every request via mmap() so it never touches the brk area */
  mallopt(M_MMAP_THRESHOLD, 0);
  void *brk_space = sbrk(0x2000);
  if (brk_space == (void *)-1)
    errx(1, "sbrk() fail");
  printf("brk_space = %p\n", brk_space);
  int fd = SYSCHK(open("/etc/services", O_RDONLY));
  /* replace the 0x2000 bytes of brk area with a private file mapping */
  void *map = SYSCHK(mmap(brk_space, 0x2000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, fd, 0));
  /* stretch */
  if (sbrk(0x111000) == (void *)-1)
    err(1, "sbrk");
  printf("sbrk() success\n");
  system("cat /proc/$PPID/maps");
  return 0;
}
user@vm:~/brk_stretch$ gcc -o brk_file brk_file.c
user@vm:~/brk_stretch$ ./brk_file
brk_space = 0x557f71b5d000
sbrk() success
557f70616000-557f70617000 r--p 00000000 fd:00 2752938 /home/user/brk_stretch/brk_file
557f70617000-557f70618000 r-xp 00001000 fd:00 2752938 /home/user/brk_stretch/brk_file
557f70618000-557f70619000 r--p 00002000 fd:00 2752938 /home/user/brk_stretch/brk_file
557f70619000-557f7061a000 r--p 00002000 fd:00 2752938 /home/user/brk_stretch/brk_file
557f7061a000-557f7061b000 rw-p 00003000 fd:00 2752938 /home/user/brk_stretch/brk_file
557f71b5d000-557f71c70000 rw-p 00000000 fd:00 2621496 /etc/services
7fd67993d000-7fd67995f000 r--p 00000000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd67995f000-7fd679aa6000 r-xp 00022000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd679aa6000-7fd679af2000 r--p 00169000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd679af2000-7fd679af3000 ---p 001b5000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd679af3000-7fd679af7000 r--p 001b5000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd679af7000-7fd679af9000 rw-p 001b9000 fd:00 527268 /usr/lib/x86_64-linux-gnu/libc-2.28.so
7fd679af9000-7fd679aff000 rw-p 00000000 00:00 0
7fd679b16000-7fd679b18000 rw-p 00000000 00:00 0
7fd679b18000-7fd679b19000 r--p 00000000 fd:00 527258 /usr/lib/x86_64-linux-gnu/ld-2.28.so
7fd679b19000-7fd679b37000 r-xp 00001000 fd:00 527258 /usr/lib/x86_64-linux-gnu/ld-2.28.so
7fd679b37000-7fd679b3f000 r--p 0001f000 fd:00 527258 /usr/lib/x86_64-linux-gnu/ld-2.28.so
7fd679b3f000-7fd679b40000 r--p 00026000 fd:00 527258 /usr/lib/x86_64-linux-gnu/ld-2.28.so
7fd679b40000-7fd679b41000 rw-p 00027000 fd:00 527258 /usr/lib/x86_64-linux-gnu/ld-2.28.so
7fd679b41000-7fd679b42000 rw-p 00000000 00:00 0
7ffd58087000-7ffd580a8000 rw-p 00000000 00:00 0 [stack]
7ffd581fa000-7ffd581fe000 r--p 00000000 00:00 0 [vvar]
7ffd581fe000-7ffd58200000 r-xp 00000000 00:00 0 [vdso]
user@vm:~/brk_stretch$

The codepaths that are intended to expand file VMAs do stuff like i_mmap_lock_write() and vma_interval_tree_remove(), which do_brk_flags() doesn't seem to do (because it was never intended to operate on file VMAs?).
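As an added example that is not part of Jann's mail or of the kernel code it discusses: a small userspace check that parses /proc/<pid>/maps lines and reports whether the VMA at the program break is anonymous (the brk-like VMA do_brk_flags() assumes) or file-backed, as the /etc/services line in the output above is. The sample lines are constructed from that output; the [heap] line and the function names are invented for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct vma { unsigned long start, end, inode; char perms[5]; char path[256]; };

/* Parse one /proc/<pid>/maps line "start-end perms offset dev inode [path]";
 * returns 1 on success, 0 if the line is malformed. */
static int parse_maps_line(const char *line, struct vma *v)
{
    unsigned long off, major, minor;
    v->path[0] = '\0'; /* anonymous mappings have no path column */
    return sscanf(line, "%lx-%lx %4s %lx %lx:%lx %lu %255[^\n]", &v->start,
                  &v->end, v->perms, &off, &major, &minor, &v->inode, v->path) >= 7;
}

/* Classify the VMA covering the byte just below brk_end: 1 = file-backed (nonzero
 * inode, like the /etc/services VMA in the mail's output), 0 = anonymous, i.e. the
 * brk-like VMA do_brk_flags() assumes (inode 0, e.g. [heap]), -1 = no VMA there. */
static int brk_vma_is_file_backed(const char *const *lines, size_t n, unsigned long brk_end)
{
    for (size_t i = 0; i < n; i++) {
        struct vma v;
        if (parse_maps_line(lines[i], &v) && v.start < brk_end && brk_end <= v.end)
            return v.inode != 0;
    }
    return -1;
}

/* Constructed sample: two lines copied from the mail's output plus an invented [heap] line. */
static const char *const SAMPLE_MAPS[] = {
    "557f7061a000-557f7061b000 rw-p 00003000 fd:00 2752938 /home/user/brk_stretch/brk_file",
    "557f71b5d000-557f71c70000 rw-p 00000000 fd:00 2621496 /etc/services",
    "5600000a0000-5600000c1000 rw-p 00000000 00:00 0 [heap]",
};
#define SAMPLE_MAPS_N (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])

/* Stand-alone run: classify the VMA at this process's own program break. */
int main(void)
{
    static char buf[256][512]; const char *lines[256]; size_t n = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 1;
    while (n < 256 && fgets(buf[n], sizeof buf[n], f)) { lines[n] = buf[n]; n++; }
    fclose(f);
    int r = brk_vma_is_file_backed(lines, n, (unsigned long)sbrk(0));
    printf("VMA at brk: %s\n", r == 1 ? "file-backed" : r == 0 ? "anonymous" : "none");
    return 0;
}
```

On the sample, the break at 0x557f71c70000 (the end of the stretched /etc/services VMA) is reported as file-backed, while a break at the end of the [heap] line is reported as anonymous.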