From: Suren Baghdasaryan
Date: Thu, 20 Jul 2023 09:51:55 -0700
Subject: Re: [PATCH] mm: Don't drop VMA locks in mm_drop_all_locks()
To: Jann Horn
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Wed, Jul 19, 2023 at 6:33 PM Jann Horn wrote:
>
> Despite its name, mm_drop_all_locks() does not drop _all_ locks; the mmap
> lock is held write-locked by the caller, and the caller is responsible for
> dropping the mmap lock at a later point (which will also release the VMA
> locks).
> Calling vma_end_write_all() here is dangerous because the caller might have
> write-locked a VMA with the expectation that it will stay write-locked
> until the mmap_lock is released, as usual.
>
> This _almost_ becomes a problem in the following scenario:
>
> An anonymous VMA A and an SGX VMA B are mapped adjacent to each other.
> Userspace calls munmap() on a range starting at the start address of A and
> ending in the middle of B.
>
> Hypothetical call graph with additional notes in brackets:
>
> do_vmi_align_munmap
>   [begin first for_each_vma_range loop]
>   vma_start_write [on VMA A]
>   vma_mark_detached [on VMA A]
>   __split_vma [on VMA B]
>     sgx_vma_open [== new->vm_ops->open]
>       sgx_encl_mm_add
>         __mmu_notifier_register [luckily THIS CAN'T ACTUALLY HAPPEN]
>           mm_take_all_locks
>           mm_drop_all_locks
>             vma_end_write_all [drops VMA lock taken on VMA A before]
>   vma_start_write [on VMA B]
>   vma_mark_detached [on VMA B]
>   [end first for_each_vma_range loop]
>   vma_iter_clear_gfp [removes VMAs from maple tree]
>   mmap_write_downgrade
>   unmap_region
>   mmap_read_unlock
>
> In this hypothetical scenario, while do_vmi_align_munmap() thinks it still
> holds a VMA write lock on VMA A, the VMA write lock has actually been
> invalidated inside __split_vma().
>
> The call from sgx_encl_mm_add() to __mmu_notifier_register() can't
> actually happen here, as far as I understand, because we are duplicating an
> existing SGX VMA, but sgx_encl_mm_add() only calls
> __mmu_notifier_register() for the first SGX VMA created in a given process.
> So this could only happen in fork(), not on munmap().
> But in my view it is just pure luck that this can't happen.
>
> Also, we wouldn't actually have any bad consequences from this in
> do_vmi_align_munmap(), because by the time the bug drops the lock on VMA A,
> we've already marked VMA A as detached, which makes it completely
> ineligible for any VMA-locked page faults.
> But again, that's just pure luck.
>
> So remove the vma_end_write_all(), so that VMA write locks are only ever
> released on mmap_write_unlock() or mmap_write_downgrade().

Your logic makes sense to me. mm_drop_all_locks() unlocking all VMAs, even
the ones which were locked before mm_take_all_locks(), seems dangerous.
One concern I have is that mm_take_all_locks() and mm_drop_all_locks()
become asymmetric with this change: mm_take_all_locks() locks all VMAs but
mm_drop_all_locks() does not release them. I think there should be an
additional comment explaining this asymmetry.

Another side-effect which would be nice to document in a comment is that
when mm_take_all_locks() fails after it locked the VMAs, those VMAs will
stay locked until mmap_write_unlock/mmap_write_downgrade. This happens
because, on failure, mm_take_all_locks() jumps to perform
mm_drop_all_locks(), and this will not unlock already locked VMAs.

Other than that LGTM. Thanks!

>
> Fixes: eeff9a5d47f8 ("mm/mmap: prevent pagefault handler from racing with mmu_notifier registration")
> Cc: Suren Baghdasaryan
> Signed-off-by: Jann Horn

Reviewed-by: Suren Baghdasaryan

> ---
>  mm/mmap.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 3eda23c9ebe7..1ff354b1e23c 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -3758,7 +3758,6 @@ void mm_drop_all_locks(struct mm_struct *mm)
>  		if (vma->vm_file && vma->vm_file->f_mapping)
>  			vm_unlock_mapping(vma->vm_file->f_mapping);
>  	}
> -	vma_end_write_all(mm);
>
>  	mutex_unlock(&mm_all_locks_mutex);
>  }
>
> base-commit: bfa3037d828050896ae52f6467b6ca2489ae6fb1
> --
> 2.41.0.255.g8b1d071c50-goog
>
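Review bot: The hunk removes the `vma_end_write_all(mm);` call from mm_drop_all_locks() but adds no comment recording the resulting asymmetry with mm_take_all_locks(), which is the point raised in this review; suggest a comment at the removal site, above `mutex_unlock(&mm_all_locks_mutex);`, stating that the VMA write locks taken by mm_take_all_locks() are deliberately left in place and are released only by mmap_write_unlock()/mmap_write_downgrade(). The same comment, or the function's header comment, should also cover the failure path of mm_take_all_locks(), which jumps to mm_drop_all_locks() and therefore now leaves the already locked VMAs locked until the caller drops the mmap lock; without that note a future reader may reinstate the call under the assumption that mm_drop_all_locks() undoes everything mm_take_all_locks() did.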
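The hazard described in the patch message, as an added user-space model that is not kernel code and not Jann's or Suren's: it assumes, as the kernel's per-VMA locks do, that a VMA counts as write-locked while the sequence number recorded in it matches the mm's current sequence, so vma_end_write_all() releases every VMA write lock at once by bumping the mm's sequence. The function names mirror the kernel's, but the struct layouts, the simplified bodies, the `drop_vma_locks` flag (true reproduces the behaviour before the patch, false the behaviour after) and the two scenario functions are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the only state that matters here; the kernel's
 * structs carry far more than this. */
struct mm_struct {
	unsigned long mm_lock_seq;	/* bumped whenever all VMA write locks are released */
};

struct vm_area_struct {
	struct mm_struct *vm_mm;
	unsigned long vm_lock_seq;	/* sequence recorded when this VMA was write-locked */
};

/* Write-lock one VMA: record the mm's current sequence in the VMA. */
static void vma_start_write(struct vm_area_struct *vma)
{
	vma->vm_lock_seq = vma->vm_mm->mm_lock_seq;
}

/* A VMA counts as write-locked while its recorded sequence is still current. */
static bool vma_is_write_locked(const struct vm_area_struct *vma)
{
	return vma->vm_lock_seq == vma->vm_mm->mm_lock_seq;
}

/* Release every VMA write lock at once by invalidating the sequence. */
static void vma_end_write_all(struct mm_struct *mm)
{
	mm->mm_lock_seq++;
}

/* The caller's own unlock: the place where VMA write locks are meant to end. */
static void mmap_write_unlock(struct mm_struct *mm)
{
	vma_end_write_all(mm);
}

/* Model of mm_take_all_locks(): write-locks every VMA (its other locks are omitted). */
static void mm_take_all_locks(struct mm_struct *mm, struct vm_area_struct *vmas, int nr)
{
	(void)mm;
	for (int i = 0; i < nr; i++)
		vma_start_write(&vmas[i]);
}

/* Model of mm_drop_all_locks(): before the patch it called vma_end_write_all()
 * (drop_vma_locks == true); after the patch it does not (false). */
static void mm_drop_all_locks(struct mm_struct *mm, bool drop_vma_locks)
{
	if (drop_vma_locks)
		vma_end_write_all(mm);
}

/* Replay the scenario from the patch message: the munmap path write-locks
 * VMA A, then a nested take-all/drop-all pair runs (standing in for
 * __split_vma -> sgx_vma_open -> ... -> __mmu_notifier_register).
 * Returns whether the caller's write lock on A is still valid afterwards. */
static bool caller_lock_survives_nested_drop(bool drop_vma_locks)
{
	struct mm_struct mm = { .mm_lock_seq = 1 };
	struct vm_area_struct vmas[2] = {
		{ .vm_mm = &mm, .vm_lock_seq = 0 },	/* A: anonymous VMA */
		{ .vm_mm = &mm, .vm_lock_seq = 0 },	/* B: SGX VMA */
	};

	vma_start_write(&vmas[0]);		/* do_vmi_align_munmap on A */
	mm_take_all_locks(&mm, vmas, 2);	/* nested, reached via __split_vma(B) */
	mm_drop_all_locks(&mm, drop_vma_locks);
	return vma_is_write_locked(&vmas[0]);
}

/* Same setup, but the caller finishes with mmap_write_unlock(): in both
 * variants the VMA write lock must be gone afterwards. */
static bool caller_lock_survives_mmap_unlock(bool drop_vma_locks)
{
	struct mm_struct mm = { .mm_lock_seq = 1 };
	struct vm_area_struct vmas[2] = {
		{ .vm_mm = &mm, .vm_lock_seq = 0 },
		{ .vm_mm = &mm, .vm_lock_seq = 0 },
	};

	vma_start_write(&vmas[0]);
	mm_take_all_locks(&mm, vmas, 2);
	mm_drop_all_locks(&mm, drop_vma_locks);
	mmap_write_unlock(&mm);
	return vma_is_write_locked(&vmas[0]);
}

int main(void)
{
	printf("before patch: caller's lock on A survives nested drop? %s\n",
	       caller_lock_survives_nested_drop(true) ? "yes" : "no");
	printf("after patch:  caller's lock on A survives nested drop? %s\n",
	       caller_lock_survives_nested_drop(false) ? "yes" : "no");
	return 0;
}
```

With the flag set to true the caller's lock on A is silently invalidated by the nested drop, which is exactly the state do_vmi_align_munmap() would be in while still believing it holds the lock; with the flag false the lock is held until mmap_write_unlock(), matching the behaviour the patch restores.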