Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Suren Baghdasaryan <surenb@google.com>
To: Carlos Llamas <cmllamas@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	 Michal Hocko <mhocko@suse.com>,
	Guenter Roeck <groeck@chromium.org>,
	 Douglas Anderson <dianders@chromium.org>,
	Christian Brauner <brauner@kernel.org>,
	 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-mm@kvack.org
Subject: Re: BUG in binder_vma_close() at mmap_assert_locked() in stable v5.15
Date: Thu, 8 Sep 2022 15:33:52 -0700	[thread overview]
Message-ID: <CAJuCfpEtQKb3UKuWBxE+S=PrcYyLRe1jF8ashjAXm+9kxAuERg@mail.gmail.com> (raw)
In-Reply-To: <YxpQaio7xm3z9TUw@google.com>

On Thu, Sep 8, 2022 at 1:28 PM Carlos Llamas <cmllamas@google.com> wrote:
>
> Hi,
>
> I've received several reports of a mmap_assert_locked() BUG triggering
> at binder_alloc_vma_close() in the v5.15 stable tree. This makes sense
> as the following two commits were recently picked for stable:
>
> a43cfc87caaf ("android: binder: stop saving a pointer to the VMA")
> b0cab80ecd54 ("android: binder: fix lockdep check on clearing vma")
>
> In such commits mmap_asserts are added to binder_alloc_set_vma() which
> is called back from vma->vm_ops->close() and file->f_op->mmap().
>
> However, mmap_locking was only added to the exit_mmap() path in commit
> f798a1d4f94d ("mm: fix use-after-free bug when mm->mmap is reused after
> being freed") and since this patch doesn't exist in v5.15 stable tree
> undoubtedly it leads to the following BUG:
>
>         kernel BUG at include/linux/mmap_lock.h:156!
>         Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
>         [...]
>         Call trace:
>         binder_alloc_vma_close+0x14c/0x150
>         binder_vma_close+0xa4/0x184
>         remove_vma+0xa4/0x108
>         exit_mmap+0x320/0x424
>         __mmput+0xb4/0x2b4
>         mmput+0x8c/0xb0
>         exit_mm+0x51c/0x6c8
>         do_exit+0x488/0x1bf4
>         do_group_exit+0x118/0x270
>         [...]
>
> Note that I have removed such asserts from the binder driver here:
> https://lore.kernel.org/all/20220829201254.1814484-5-cmllamas@google.com/
> as a random driver didn't seem to me like the appropriate place to
> validate the mm stack locking. Since this patch is not going to the
> stable trees, the asserts still exist in v5.15.
>
> So, what is the proper fix for this v5.15 BUG? Should f798a1d4f94d
> be picked for v5.15 stable? Or should binder be fixed instead?

IIUC, the binder patches are backported to 5.15 kernel and they expect
mmap_lock to be held during remove_vma() operation in exit_mmap().
However in 5.15 kernel that assumption is incorrect. In that case IMHO
the backport needs to drop that invalid expectation.
Thanks,
Suren.

>
> Thanks,
> --
> Carlos Llamas

next prev parent reply	other threads:[~2022-09-08 22:34 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-08 20:28 Carlos Llamas
2022-09-08 22:33 ` Suren Baghdasaryan [this message]
2022-09-09 19:35   ` Carlos Llamas
2022-09-09 20:03     ` Suren Baghdasaryan
2022-09-12 19:11       ` Carlos Llamas
2022-09-13  6:36         ` Liam Howlett
2022-09-23 20:50           ` Carlos Llamas
2022-09-28 23:21             ` Suren Baghdasaryan
2022-09-29 14:39               ` Carlos Llamas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAJuCfpEtQKb3UKuWBxE+S=PrcYyLRe1jF8ashjAXm+9kxAuERg@mail.gmail.com' \
    --to=surenb@google.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=dianders@chromium.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=linux-mm@kvack.org \
    --cc=mhocko@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox