From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79267C433EF for ; Wed, 29 Jun 2022 16:30:51 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id EEC828E0016; Wed, 29 Jun 2022 12:30:50 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E9C558E0015; Wed, 29 Jun 2022 12:30:50 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D658C8E0016; Wed, 29 Jun 2022 12:30:50 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id BE0548E0015 for ; Wed, 29 Jun 2022 12:30:50 -0400 (EDT) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay13.hostedemail.com (Postfix) with ESMTP id 907FF609CB for ; Wed, 29 Jun 2022 16:30:50 +0000 (UTC) X-FDA: 79631812260.16.F039BC0 Received: from mail-io1-f54.google.com (mail-io1-f54.google.com [209.85.166.54]) by imf19.hostedemail.com (Postfix) with ESMTP id 0F8431A0031 for ; Wed, 29 Jun 2022 16:30:49 +0000 (UTC) Received: by mail-io1-f54.google.com with SMTP id m13so16603395ioj.0 for ; Wed, 29 Jun 2022 09:30:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=urSCakkuKR1dt/ZcgxiRZK1VHLhZ1Vgqb0nqcHcJeAo=; b=CylnOPyYtqAtDcxsdxMkimwon6DQm10OXv8wgLqgxgbvq+wMS1q7f3TxdB0N3DUhnc IdYczx1tYxzyeD39MFhPrg6/GsWlhYdsduh4S/ScolbgbezPYuUrpfN/+Ab4A6sB4dP6 s6Sd1+UihVHIJDW6jSc1w1ANRJk8xbPm1QHknRuN6FxqHsHGQDshD6xWB17pNxbsoOLS VaWkVyjBwhw86DNC9KjGcrL1J10urNJAzjKFvWx3Bm8YkeoEUjx6+HBUFb6FSRKdbqLg p8+Mu+7CTD4Yyp126t4I0i6PVidhl7JNWGFFtak0/b0NTF5tz9tyUEQOM6eByCIt1Y2z v/Aw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=urSCakkuKR1dt/ZcgxiRZK1VHLhZ1Vgqb0nqcHcJeAo=; b=sZnTVxdooo74ab0rNLI1Q9MMw3xR6SlMIE4L1Tna1ZM3AfYpzyYx3+KG3VoZ6OziGv 1qypkrVrh9qot4/ZbRP86V94M7/5+uCchh8dSzL91/d9aHioar4KLkR5Eg5TgbvPza1G xcmTmR4IN4ZeE+AK+9a9FTn0IU9ozyWCSlO/Nj1Wn94zopILasQkRq9uh9Ox3PEBzK3L m9RpamkyBN49one77pGqKg1mFJfGxBPoViDJ6b/d1XcEcXdZRY3dL1gUCxLRtOCyU1pi Y7H+BzXo3kiTDHXOAACn0PHgD+cFfBk14CU1nlS/uPLupk7YVjfcB6dGX/0pFhTPg1RS qTWg== X-Gm-Message-State: AJIora97xurJyMbdeldxj1qODR7HxTGaIoaZNOBwVO02AHAUt9Jj+/Ld pV9PzzavM/rhs4nAnpupnltCoQDcgOTftItXnFkk8BteO5M= X-Google-Smtp-Source: AGRyM1viihcd3UtQWMr7sk/0qehuojqPYfOkQU8D4Pz3Rzuar8kTHP2ia3rPvD1ZBUR3eag3RO1NwZIR2/gkWHJxOfQ= X-Received: by 2002:a05:6638:25cd:b0:33c:b17e:d621 with SMTP id u13-20020a05663825cd00b0033cb17ed621mr2342529jat.61.1656520249163; Wed, 29 Jun 2022 09:30:49 -0700 (PDT) MIME-Version: 1.0 References: <000000000000f94c4805e289fc47@google.com> In-Reply-To: From: Axel Rasmussen Date: Wed, 29 Jun 2022 09:30:12 -0700 Message-ID: Subject: Re: [syzbot] BUG: unable to handle kernel paging request in truncate_inode_partial_folio To: Eric Biggers Cc: Mike Rapoport , Andrew Morton , linux-fsdevel , LKML , Linux MM , syzkaller-bugs@googlegroups.com, syzbot , Matthew Wilcox Content-Type: text/plain; charset="UTF-8" ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1656520250; a=rsa-sha256; cv=none; b=UGZXN43dvWmnhHxFnqNYAg9IyJfkdMBg6lzR1d36SsS5ksIZlWMJ9w3K0Cmm4LtkzvhdZN uLrpMrtC8vCpANOnYVnjfeSjJIEgFTDJre27K9YtVlcjJabpB8m/cPZ5Iye5XNkR5wQdqS EP/35F04TGHwc0GIOOurrHks5Umxl90= ARC-Authentication-Results: i=1; imf19.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=CylnOPyY; spf=pass (imf19.hostedemail.com: domain of axelrasmussen@google.com designates 209.85.166.54 as permitted sender) smtp.mailfrom=axelrasmussen@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1656520250; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=urSCakkuKR1dt/ZcgxiRZK1VHLhZ1Vgqb0nqcHcJeAo=; b=lytz+P/oaOCBtv3WRArlPljA9k5+3jYIeHSlYjKQYAlAZeqim62TIugBykkOYJ+a077lb9 rIZUl3/1vRcq67l4S7pIg3D97XPZJl19M4yHq2VM7tkTIFdxwb3J/Lzv2dshsfrIl6ZuAc n5Te+AiwwSJD9PUKdIZosWw2kgcDr94= X-Rspam-User: Authentication-Results: imf19.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=CylnOPyY; spf=pass (imf19.hostedemail.com: domain of axelrasmussen@google.com designates 209.85.166.54 as permitted sender) smtp.mailfrom=axelrasmussen@google.com; dmarc=pass (policy=reject) header.from=google.com X-Rspamd-Server: rspam02 X-Stat-Signature: 9mggz7ccyjzbzood3xgoq9r565myppq9 X-Rspamd-Queue-Id: 0F8431A0031 X-HE-Tag: 1656520249-587304 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Jun 28, 2022 at 9:41 PM Eric Biggers wrote: > > On Tue, Jun 28, 2022 at 03:59:26PM -0700, syzbot wrote: > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 941e3e791269 Merge tag 'for_linus' of git://git.kernel.org.. > > git tree: upstream > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1670ded4080000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=833001d0819ddbc9 > > dashboard link: https://syzkaller.appspot.com/bug?extid=9bd2b7adbd34b30b87e4 > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140f9ba8080000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15495188080000 > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+9bd2b7adbd34b30b87e4@syzkaller.appspotmail.com > > > > BUG: unable to handle page fault for address: ffff888021f7e005 > > #PF: supervisor write access in kernel mode > > #PF: error_code(0x0002) - not-present page > > PGD 11401067 P4D 11401067 PUD 11402067 PMD 21f7d063 PTE 800fffffde081060 > > Oops: 0002 [#1] PREEMPT SMP KASAN > > CPU: 0 PID: 3761 Comm: syz-executor281 Not tainted 5.19.0-rc4-syzkaller-00014-g941e3e791269 #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:64 > > Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01 > > RSP: 0018:ffffc9000329fa90 EFLAGS: 00010202 > > RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000ffb > > RDX: 0000000000000ffb RSI: 0000000000000000 RDI: ffff888021f7e005 > > RBP: ffffea000087df80 R08: 0000000000000001 R09: ffff888021f7e005 > > R10: ffffed10043efdff R11: 0000000000000000 R12: 0000000000000005 > > R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000000ffb > > FS: 00007fb29d8b2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: ffff888021f7e005 CR3: 0000000026e7b000 CR4: 00000000003506f0 > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > > Call Trace: > > > > zero_user_segments include/linux/highmem.h:272 [inline] > > folio_zero_range include/linux/highmem.h:428 [inline] > > truncate_inode_partial_folio+0x76a/0xdf0 mm/truncate.c:237 > > truncate_inode_pages_range+0x83b/0x1530 mm/truncate.c:381 > > truncate_inode_pages mm/truncate.c:452 [inline] > > truncate_pagecache+0x63/0x90 mm/truncate.c:753 > > simple_setattr+0xed/0x110 fs/libfs.c:535 > > secretmem_setattr+0xae/0xf0 mm/secretmem.c:170 > > notify_change+0xb8c/0x12b0 fs/attr.c:424 > > do_truncate+0x13c/0x200 fs/open.c:65 > > do_sys_ftruncate+0x536/0x730 fs/open.c:193 > > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > > entry_SYSCALL_64_after_hwframe+0x46/0xb0 > > RIP: 0033:0x7fb29d900899 > > Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > > RSP: 002b:00007fb29d8b2318 EFLAGS: 00000246 ORIG_RAX: 000000000000004d > > RAX: ffffffffffffffda RBX: 00007fb29d988408 RCX: 00007fb29d900899 > > RDX: 00007fb29d900899 RSI: 0000000000000005 RDI: 0000000000000003 > > RBP: 00007fb29d988400 R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb29d98840c > > R13: 00007ffca01a23bf R14: 00007fb29d8b2400 R15: 0000000000022000 > > > > Modules linked in: > > CR2: ffff888021f7e005 > > ---[ end trace 0000000000000000 ]--- > > I think this is a bug in memfd_secret. secretmem_setattr() can race with a page > being faulted in by secretmem_fault(). Specifically, a page can be faulted in > after secretmem_setattr() has set i_size but before it zeroes out the partial > page past i_size. memfd_secret pages aren't mapped in the kernel direct map, so > the crash occurs when the kernel tries to zero out the partial page. > > I don't know what the best solution is -- maybe a rw_semaphore protecting > secretmem_fault() and secretmem_setattr()? Or perhaps secretmem_setattr() > should avoid the call to truncate_setsize() by not using simple_setattr(), given > that secretmem_setattr() only supports the size going from zero to nonzero. >From my perspective the rw_semaphore approach sounds reasonable. simple_setattr() and the functions it calls to do the actual work isn't a tiny amount of code, it would be a shame to reimplement it in secretmem.c. For the rwsem, I guess the idea is setattr will take it for write, and fault will take it for read? Since setattr is a very infrequent operation - a typical use case is you'd do it exactly once right after opening the memfd_secret - this seems like it wouldn't make fault significantly less performant. It's also a pretty small change I think, just a few lines. > > The following commit tried to fix a similar bug, but it wasn't enough: > > commit f9b141f93659e09a52e28791ccbaf69c273b8e92 > Author: Axel Rasmussen > Date: Thu Apr 14 19:13:31 2022 -0700 > > mm/secretmem: fix panic when growing a memfd_secret > > > Here's a simplified reproducer. Note, for memfd_secret to be supported, the > kernel config must contain CONFIG_SECRETMEM=y and the kernel command line must > contain secretmem.enable=1. > > #include > #include > #include > #include > #include > #include > > static volatile int fd; > static jmp_buf jump_buf; > > static void *truncate_thread(void *arg) > { > for (;;) > ftruncate(fd, 1000); > } > > static void handle_sigbus(int sig) > { > longjmp(jump_buf, 1); > } > > int main(void) > { > struct sigaction act = { > .sa_handler = handle_sigbus, > .sa_flags = SA_NODEFER, > }; > pthread_t t; > void *addr; > > sigaction(SIGBUS, &act, NULL); > > pthread_create(&t, NULL, truncate_thread, NULL); > for (;;) { > fd = syscall(__NR_memfd_secret, 0); > addr = mmap(NULL, 8192, PROT_WRITE, MAP_SHARED, fd, 0); > if (setjmp(jump_buf) == 0) > *(unsigned int *)addr = 0; > munmap(addr, 8192); > close(fd); > } > }