From: Lukas Bulwahn
Date: Wed, 12 Oct 2022 11:41:13 +0200
Subject: Re: [PATCH] mmap: Fix copy_vma() failure path
To: Liam Howlett
Cc: "maple-tree@lists.infradead.org", "linux-mm@kvack.org", "linux-kernel@vger.kernel.org", Andrew Morton
References: <20221011203621.1446507-1-Liam.Howlett@oracle.com>
In-Reply-To: <20221011203621.1446507-1-Liam.Howlett@oracle.com>

On Tue, Oct 11, 2022 at 10:36 PM Liam Howlett wrote:
>
> The anon vma was not unlinked and the file was not closed in the failure
> path when the machine runs out of memory during the maple tree
> modification. This caused a memory leak of the anon vma chain and vma
> since neither would be freed.
>
> Reported-by: Lukas Bulwahn
> Fixes: 524e00b36e8c (mm: remove rb tree.)
> Signed-off-by: Liam R. Howlett
> ---

Here is my detailed test report:

First, I ran the reproducer
https://elisa-builder-00.iol.unh.edu/syzkaller-next/report?id=3113810b9abd3dfeb581759df93d3171d1a90f18
on the latest commit from Linus' tree, i.e., commit 49da07006239.

This resulted in the following kernel crash report on x86_64 defconfig
+ syzkaller-recommended debug features:

[  632.446911] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
[  642.194797] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff88800eab3220 (size 208):
  comm "a.out", pid 411, jiffies 4295289355 (age 20.054s)
  hex dump (first 32 bytes):
    20 32 ab 0e 80 88 ff ff 00 00 00 00 00 00 00 00  2..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000006344da94>] __anon_vma_prepare+0x288/0x520
    [<0000000079cb6e3d>] __handle_mm_fault+0x1672/0x1a90
    [<000000003165d13e>] handle_mm_fault+0x177/0x520
    [<00000000d502ed60>] __get_user_pages+0x696/0x13b0
    [<000000000c44f161>] populate_vma_page_range+0x242/0x320
    [<00000000429a417a>] __mm_populate+0x1c6/0x3b0
    [<00000000988f9924>] do_mlock+0x3ad/0x6f0
    [<0000000099ba0e21>] __x64_sys_mlock2+0xba/0x100
    [<00000000a302ea0e>] do_syscall_64+0x3a/0x90
    [<0000000069487f88>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88800ef27ba0 (size 64):
  comm "a.out", pid 411, jiffies 4295289357 (age 20.053s)
  hex dump (first 32 bytes):
    30 3c 94 09 80 88 ff ff 20 32 ab 0e 80 88 ff ff  0<...... 2......
    78 3c 94 09 80 88 ff ff 78 3c 94 09 80 88 ff ff  x<......x<......
  backtrace:
    [<00000000ecf2fb6f>] anon_vma_clone+0xd3/0x590
    [<00000000e1cdd897>] copy_vma+0x3ea/0x7f0
    [<00000000ef59b15d>] move_vma.isra.48+0x8e6/0xf40
    [<00000000cf84e8ba>] mremap_to.isra.49+0x4d0/0x6c0
    [<00000000cf08a1f8>] __x64_sys_mremap+0x9cc/0xf20
    [<00000000a302ea0e>] do_syscall_64+0x3a/0x90
    [<0000000069487f88>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88800df86330 (size 208):
  comm "a.out", pid 412, jiffies 4295296993 (age 12.417s)
  hex dump (first 32 bytes):
    30 63 f8 0d 80 88 ff ff 00 00 00 00 00 00 00 00  0c..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000006344da94>] __anon_vma_prepare+0x288/0x520
    [<0000000079cb6e3d>] __handle_mm_fault+0x1672/0x1a90
    [<000000003165d13e>] handle_mm_fault+0x177/0x520
    [<00000000d502ed60>] __get_user_pages+0x696/0x13b0
    [<000000000c44f161>] populate_vma_page_range+0x242/0x320
    [<00000000429a417a>] __mm_populate+0x1c6/0x3b0
    [<00000000988f9924>] do_mlock+0x3ad/0x6f0
    [<0000000099ba0e21>] __x64_sys_mlock2+0xba/0x100
    [<00000000a302ea0e>] do_syscall_64+0x3a/0x90
    [<0000000069487f88>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888015235180 (size 64):
  comm "a.out", pid 412, jiffies 4295296995 (age 12.415s)
  hex dump (first 32 bytes):
    00 fd 57 0d 80 88 ff ff 30 63 f8 0d 80 88 ff ff  ..W.....0c......
    48 fd 57 0d 80 88 ff ff 48 fd 57 0d 80 88 ff ff  H.W.....H.W.....
  backtrace:
    [<00000000ecf2fb6f>] anon_vma_clone+0xd3/0x590
    [<00000000e1cdd897>] copy_vma+0x3ea/0x7f0
    [<00000000ef59b15d>] move_vma.isra.48+0x8e6/0xf40
    [<00000000cf84e8ba>] mremap_to.isra.49+0x4d0/0x6c0
    [<00000000cf08a1f8>] __x64_sys_mremap+0x9cc/0xf20
    [<00000000a302ea0e>] do_syscall_64+0x3a/0x90
    [<0000000069487f88>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

This is just as expected and as I reported it to Liam.

Then, I applied this patch here, rebuilt the kernel and re-ran the reproducer.
After roughly running the reproducer for 15 minutes, it did not show
any kernel crash report.

So, the patch seems to have solved the reported issue.

Tested-by: Lukas Bulwahn

Thanks, Liam.

Lukas
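
A triage helper for kmemleak reports like the one in this message, added here as an example and not part of the original email or the kernel tree: it groups unreferenced objects by size and allocation backtrace, so the four objects reported reduce to two leak sites. The name group_leaks and its depth parameter are assumptions of this example; the sample is abridged from the report above.

```python
import re
from collections import defaultdict

# Abridged from the report in this message: two objects per reproducer run,
# backtraces cut to the frames that identify the allocation site.
SAMPLE = """\
unreferenced object 0xffff88800eab3220 (size 208):
  comm "a.out", pid 411, jiffies 4295289355 (age 20.054s)
  backtrace:
    [<000000006344da94>] __anon_vma_prepare+0x288/0x520
    [<0000000079cb6e3d>] __handle_mm_fault+0x1672/0x1a90
unreferenced object 0xffff88800ef27ba0 (size 64):
  comm "a.out", pid 411, jiffies 4295289357 (age 20.053s)
  backtrace:
    [<00000000ecf2fb6f>] anon_vma_clone+0xd3/0x590
    [<00000000e1cdd897>] copy_vma+0x3ea/0x7f0
unreferenced object 0xffff88800df86330 (size 208):
  comm "a.out", pid 412, jiffies 4295296993 (age 12.417s)
  backtrace:
    [<000000006344da94>] __anon_vma_prepare+0x288/0x520
    [<0000000079cb6e3d>] __handle_mm_fault+0x1672/0x1a90
unreferenced object 0xffff888015235180 (size 64):
  comm "a.out", pid 412, jiffies 4295296995 (age 12.415s)
  backtrace:
    [<00000000ecf2fb6f>] anon_vma_clone+0xd3/0x590
    [<00000000e1cdd897>] copy_vma+0x3ea/0x7f0
"""

OBJ = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\)")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def group_leaks(text, depth=2):
    """Group kmemleak objects by (size, top `depth` backtrace symbols)."""
    records, cur = [], None
    for line in text.splitlines():
        obj, frame = OBJ.search(line), FRAME.search(line)
        if obj:  # header line starts a new leaked-object record
            cur = {"addr": obj.group(1), "size": int(obj.group(2)), "frames": []}
            records.append(cur)
        elif frame and cur is not None:  # backtrace frame of the current object
            cur["frames"].append(frame.group(1))
    groups = defaultdict(list)
    for r in records:
        groups[(r["size"], tuple(r["frames"][:depth]))].append(r["addr"])
    return dict(groups)

if __name__ == "__main__":
    for (size, site), addrs in group_leaks(SAMPLE).items():
        print(f"{len(addrs)} x {size} bytes via {' <- '.join(site)}")
```

Running the same grouping on /sys/kernel/debug/kmemleak output before and after applying a fix shows whether a given allocation site still leaks.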