References: <20210428180109.293606-1-axelrasmussen@google.com> <20210428230858.348400-1-axelrasmussen@google.com>
In-Reply-To: <20210428230858.348400-1-axelrasmussen@google.com>
From: Axel Rasmussen
Date: Wed, 5 May 2021 15:13:39 -0700
Subject: Re: [PATCH v2] userfaultfd: release page in error path to avoid BUG_ON
To: Andrea Arcangeli, Andrew Morton, Hugh Dickins, Peter Xu
Cc: Lokesh Gidra, Linux MM, LKML

On Wed, Apr 28, 2021 at 4:09 PM Axel Rasmussen wrote:
>
> Consider the following sequence of events:
>
> 1. Userspace issues a UFFD ioctl, which ends up calling into
>    shmem_mfill_atomic_pte(). We successfully account the blocks, we
>    shmem_alloc_page(), but then the copy_from_user() fails. We return
>    -ENOENT. We don't release the page we allocated.
> 2. Our caller detects this error code, tries the copy_from_user() after
>    dropping the mmap_lock, and retries, calling back into
>    shmem_mfill_atomic_pte().
> 3. Meanwhile, let's say another process filled up the tmpfs being used.
> 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
>    immediately returns - without releasing the page.
>
> This triggers a BUG_ON in our caller, which asserts that the page
> should always be consumed, unless -ENOENT is returned.
>
> To fix this, detect if we have such a "dangling" page when accounting
> fails, and if so, release it before returning.
>
> Fixes: cb658a453b93 ("userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY")
> Reported-by: Hugh Dickins
> Signed-off-by: Axel Rasmussen

Apologies, I should have added this line:

Cc: stable@vger.kernel.org

I believe this fix ought to go into the 4.14 and later stable branches
(the commit referenced in Fixes: was introduced in 4.11). I can resend
with this included, if that would be easier.

> ---
>  mm/shmem.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 26c76b13ad23..8def03d3f32a 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2375,8 +2375,18 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
>  	pgoff_t offset, max_off;
>
>  	ret = -ENOMEM;
> -	if (!shmem_inode_acct_block(inode, 1))
> +	if (!shmem_inode_acct_block(inode, 1)) {
> +		/*
> +		 * We may have got a page, returned -ENOENT triggering a retry,
> +		 * and now we find ourselves with -ENOMEM. Release the page, to
> +		 * avoid a BUG_ON in our caller.
> +		 */
> +		if (unlikely(*pagep)) {
> +			put_page(*pagep);
> +			*pagep = NULL;
> +		}
>  		goto out;
> +	}
>
>  	if (!*pagep) {
>  		page = shmem_alloc_page(gfp, info, pgoff);
> --
> 2.31.1.498.g6c1eba8ee3d-goog
>
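Review bot: the new comment says "We may have got a page" but does not say where it comes from; state explicitly that `*pagep` is non-NULL only when the caller retries after the -ENOENT return described in the commit message, since that is the invariant the `unlikely(*pagep)` check relies on and the reason the caller's BUG_ON fires otherwise. Note also that the release is done only in the `shmem_inode_acct_block()` failure branch: any other early `goto out` placed between accounting and the `if (!*pagep)` allocation would reintroduce the same dangling page, and `out:` cannot release unconditionally because the -ENOENT path deliberately leaves `*pagep` set for the caller, so a dedicated error label (or a comment at `out:` documenting the rule) would make that easier to keep right. The stat line (11 insertions, 1 deletion) matches the hunk.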
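The ownership rule behind this fix (the page passed via `*pagep` must be consumed or freed on every return except -ENOENT, where it is handed back to the caller for a retry) is easy to get wrong, so here is a small user-space model of the four-step sequence from the commit message. This is an added example written for this page, not kernel code and not part of the patch or the mail: `struct page`, `alloc_page`, `put_page`, `acct_block`, `unacct_block`, `mfill_atomic_pte` and `simulate` are constructed stand-ins, block accounting is a counter, and a failing `copy_from_user()` is a flag. The `fixed` parameter switches the accounting-failure branch between the pre-patch behaviour (leaving the retry page dangling) and the patched one; the return value is the number of pages still dangling in the caller's hands, which is what the caller's BUG_ON checks.

```c
/* Constructed user-space model of the page-ownership rule in this fix;
 * not kernel code. A "page" is a refcounted heap object, block accounting
 * is a counter, and copy_from_user() failure is a flag. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct page { int refcount; };

static int pages_alive;   /* allocated pages not yet freed (leak detector) */
static long blocks_free;  /* model of the tmpfs block quota */

static struct page *alloc_page(void)
{
	struct page *p = calloc(1, sizeof(*p));
	if (!p)
		abort();
	p->refcount = 1;
	pages_alive++;
	return p;
}

static void put_page(struct page *p)
{
	if (--p->refcount == 0) {
		free(p);
		pages_alive--;
	}
}

static bool acct_block(void)
{
	if (blocks_free <= 0)
		return false;
	blocks_free--;
	return true;
}

static void unacct_block(void) { blocks_free++; }

/*
 * Stand-in for shmem_mfill_atomic_pte(). Contract with the caller: the page
 * in *pagep is consumed (or freed) on every return except -ENOENT, where it
 * is handed back so the caller can retry after faulting the source in.
 */
static int mfill_atomic_pte(struct page **pagep, bool copy_fails, bool fixed)
{
	if (!acct_block()) {
		/* the fix: a page left over from an -ENOENT retry is released here */
		if (fixed && *pagep) {
			put_page(*pagep);
			*pagep = NULL;
		}
		return -ENOMEM;
	}
	if (!*pagep) {
		*pagep = alloc_page();
		if (copy_fails) {
			/* fall back to copying outside the lock: keep the page for the retry */
			unacct_block();
			return -ENOENT;
		}
	}
	/* success: the page is installed; in this model that means dropping our ref */
	put_page(*pagep);
	*pagep = NULL;
	return 0;
}

/*
 * Plays the four-step sequence from the commit message. Returns the number of
 * pages still dangling in the caller's hands after the final return (0 means
 * the caller's BUG_ON would not fire); the final error goes to *final_err.
 */
int simulate(bool fixed, bool tmpfs_fills_meanwhile, int *final_err)
{
	struct page *page = NULL;
	int err, dangling;

	blocks_free = 1;
	pages_alive = 0;

	err = mfill_atomic_pte(&page, true, fixed);       /* step 1: copy fails, -ENOENT */
	if (err == -ENOENT) {
		if (tmpfs_fills_meanwhile)
			blocks_free = 0;                          /* step 3: tmpfs filled meanwhile */
		err = mfill_atomic_pte(&page, false, fixed);  /* steps 2 and 4: retry */
	}
	if (final_err)
		*final_err = err;

	dangling = (err != -ENOENT && page) ? pages_alive : 0;
	if (page)
		put_page(page);   /* clean up so repeated runs start from zero */
	return dangling;
}

int final_error(bool fixed, bool tmpfs_fills_meanwhile)
{
	int err = 0;
	simulate(fixed, tmpfs_fills_meanwhile, &err);
	return err;
}

int main(void)
{
	int err;
	int buggy = simulate(false, true, &err);
	printf("pre-patch, tmpfs full: %d dangling page(s), err=%d\n", buggy, err);
	int fixed = simulate(true, true, &err);
	printf("patched,   tmpfs full: %d dangling page(s), err=%d\n", fixed, err);
	return 0;
}
```

Running it shows the pre-patch path returning -ENOMEM with one page still dangling (the BUG_ON condition) and the patched path returning -ENOMEM with none; when the tmpfs is not filled between the two calls, the retry consumes the page and both variants succeed.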