From: Jann Horn
Date: Mon, 2 Jun 2025 21:34:55 +0200
Subject: Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
To: Lorenzo Stoakes
Cc: SeongJae Park, Andrew Morton, "Liam R. Howlett", David Hildenbrand, Shakeel Butt, Vlastimil Babka, linux-kernel@vger.kernel.org, linux-mm@kvack.org, stable@kernel.org, Barry Song <21cnbao@gmail.com>
References: <20250602174926.1074-1-sj@kernel.org>

On Mon, Jun 2, 2025 at 9:28 PM Lorenzo Stoakes wrote:
> On Mon, Jun 02, 2025 at 09:20:14PM +0200, Jann Horn wrote:
> > @akpm FYI, this looks like it fixes a security bug in 6.15 (probably
> > leads to UAF of VMA structs and page tables by racing madvise(...,
> > MADV_GUARD_INSTALL) with concurrent faults)
>
> Hmm MADV_GUARD_INSTALL / MADV_GUARD_REMOVE require only a read lock, so
> madvise_lock() will be:
>
>
>         if (madvise_need_mmap_write(behavior)) {   <--- nope
>                 if (mmap_write_lock_killable(mm))
>                         return -EINTR;
>         } else {
>                 mmap_read_lock(mm);                <---- this branch
>         }
>         return 0;
>
> So for guard install, which is the only thing that can return -ERESTARTNOINTR
> madvise_lock() ignoring the return value is essentially a no-op no?
>
> Am I missing something?

... you're right, of course. please ignore my needlessly alarmist comment.

(I think it is surprising that the write lock is killable while the read
lock isn't but that's another story)
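The point the two messages turn on, as an added model that is not kernel code and not part of this thread: a killable write lock can fail with -EINTR when a fatal signal is pending, while the non-killable read lock always succeeds, so ignoring madvise_lock()'s result on the unwind path is harmless for read-lock behaviours such as MADV_GUARD_INSTALL but would leave the mm unlocked for write-lock behaviours. The set of behaviours that need only the read lock is simplified here and is an assumption of the model; `unwind_is_safe()` and `struct mm_model` are constructed for illustration.

```c
#include <stdbool.h>
#include <errno.h>

/* Constructed subset of madvise behaviours (not the kernel's full list). */
enum madv_behavior { MADV_GUARD_INSTALL, MADV_GUARD_REMOVE, MADV_DONTNEED,
                     MADV_NORMAL, MADV_MERGEABLE };

/* Constructed stand-in for struct mm_struct's mmap lock state. */
struct mm_model {
    int readers;         /* read-lock holders */
    bool write_locked;
    bool fatal_signal;   /* models fatal_signal_pending(current) */
};

/* Assumption: guard install/remove and DONTNEED only need the read lock,
 * behaviours that rewrite VMA flags need the write lock. */
static bool madvise_need_mmap_write(enum madv_behavior behavior)
{
    switch (behavior) {
    case MADV_GUARD_INSTALL: case MADV_GUARD_REMOVE: case MADV_DONTNEED:
        return false;
    default:
        return true;
    }
}

/* Killable: fails with -EINTR instead of blocking when a fatal signal is pending. */
static int mmap_write_lock_killable(struct mm_model *mm)
{
    if (mm->fatal_signal)
        return -EINTR;
    mm->write_locked = true;
    return 0;
}

/* Not killable: always acquires, so it has no failure path. */
static void mmap_read_lock(struct mm_model *mm) { mm->readers++; }

/* Same shape as the madvise_lock() quoted in the thread. */
static int madvise_lock(struct mm_model *mm, enum madv_behavior behavior)
{
    if (madvise_need_mmap_write(behavior))
        return mmap_write_lock_killable(mm);
    mmap_read_lock(mm);
    return 0;
}

/* Race-unwinding step: relock while ignoring madvise_lock()'s result, then
 * report whether the mm is actually locked afterwards. */
static bool unwind_is_safe(enum madv_behavior behavior, bool fatal_signal)
{
    struct mm_model mm = { .readers = 0, .write_locked = false,
                           .fatal_signal = fatal_signal };
    (void)madvise_lock(&mm, behavior);   /* the ignored return value */
    return mm.write_locked || mm.readers > 0;
}
```

For the guard-install path the mm is locked whether or not a fatal signal is pending; for a write-lock behaviour under a fatal signal the ignored -EINTR leaves it unlocked, which is the case the patch title is about.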