From: Matthew Wilcox
To: Linus Torvalds
Cc: syzbot, Andrew Morton, jordy@jordyzomer.github.io, jordy@pwning.systems, Linux Kernel Mailing List, Linux-MM, syzkaller-bugs
Subject: Re: [syzbot] WARNING: refcount bug in memfd_secret
Date: Sun, 24 Oct 2021 21:09:58 +0100
References: <00000000000064451505cf0a3aa2@google.com>

On Sun, Oct 24, 2021 at 09:54:22AM -1000, Linus Torvalds wrote:
> On Sat, Oct 23, 2021 at 9:35 AM syzbot wrote:
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    9c0c4d24ac00 Merge tag 'block-5.15-2021-10-22' of git://gi..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=115a0328b00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=59f3ef2b4077575
> > dashboard link: https://syzkaller.appspot.com/bug?extid=75639e6a0331cd61d3e2
> > compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13a035c2b00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ae869f300000
> >
> > The issue was bisected to:
> >
> > commit 110860541f443f950c1274f217a1a3e298670a33
>
> I think that commit is actually just buggy.
>
> "secretmem_users" is not actually a reference count. There's no "magic
> happens when it goes down to zero".
>
> It's purely a count of the number of existing users, and incrementing
> it from zero is not a problem at all - it is in fact expected.
>
> Sure, zero means "we can hibernate", so zero and overflow are somewhat
> special, but not special enough to cause these kinds of issues.
>
> I have reverted this commit in my tree, because honestly, the whole
> "try to overflow exactly, and hibernate" threat model just isn't worth
> this all.
>
> If people really care, I can suggest
>
>  - use "atomic_long_t" instead. Let's face it, 32-bit isn't
>    interesting any more, and 64-bit doesn't overflow.
>
>  - make up some new "atomic_inc_nooverflow()" thing or whatever.
>
> but for now this is just reverted.

There was a separate thread on an earlier version of this report.
https://lore.kernel.org/linux-mm/YXU7%2FiRjf9v77gon@casper.infradead.org/

I agree with you and suggested that if anybody really cares (I mean, you
need a multi-TB machine to produce this problem) that we simply do what
we did with the page refcount:

+++ b/mm/secretmem.c
@@ -203,6 +203,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags)
 	if (flags & ~(SECRETMEM_FLAGS_MASK | O_CLOEXEC))
 		return -EINVAL;
+	if (atomic_read(&secretmem_users) < 0)
+		return -ENFILE;
 	fd = get_unused_fd_flags(flags & O_CLOEXEC);
 	if (fd < 0)

Mike didn't particularly like that answer though.
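Review bot: the `atomic_read(&secretmem_users) < 0` test added before `get_unused_fd_flags()` is a check-then-act on a counter whose increment is not in this hunk, so it does not stop the wrap itself: a caller that reads INT_MAX passes the check and its later increment is what turns the count negative, and any number of callers racing through the read at the same moment are all admitted; only callers arriving after the wrap get -ENFILE. If the intent is the page-refcount style of defence (refuse once the count has already gone bad rather than prevent it), a one-line comment on the two added lines should say so, since a reader will otherwise take this for an overflow guard; if the intent is to prevent the wrap, the increment has to be the guarded operation (a bounded atomic increment of the kind Linus mentions), not a separate read. Also, -ENFILE is a new error return for memfd_secret(2) and should be documented next to the existing -EINVAL when this goes in.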
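Added example, not code from this thread or from mm/secretmem.c: a userspace C11 model of a "number of existing users" counter like secretmem_users, so the two approaches discussed in the message can be compiled and run without a kernel. It contrasts a check-then-increment shape (read the counter, refuse if it has already gone negative, then add) with a bounded increment of the kind Linus calls "atomic_inc_nooverflow()", done as a compare-and-swap loop. All function names are hypothetical, the counter is a plain C11 atomic_int rather than a kernel atomic_t, and incrementing from zero is deliberately allowed, which is the property that makes this a user count and not a refcount_t.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical userspace model of a "number of users" counter.
 * Not kernel code; C11 atomics stand in for atomic_t.
 */
typedef atomic_int users_t;

/*
 * Style 1: refuse only once the counter has already gone negative,
 * then increment. The read and the add are separate operations, so
 * the add that takes INT_MAX to INT_MIN is itself admitted; only the
 * *next* caller is refused. (C11 atomic arithmetic on signed types
 * wraps silently; it is not undefined behaviour.)
 */
static bool users_inc_check_then_add(users_t *c)
{
	if (atomic_load(c) < 0)
		return false;
	atomic_fetch_add(c, 1);
	return true;
}

/*
 * Style 2: a bounded increment in the spirit of "atomic_inc_nooverflow()".
 * The add only happens if the value we compared against is in
 * [0, INT_MAX), so the counter can never wrap and no caller ever
 * observes a negative count. Going from 0 to 1 is normal here.
 */
static bool users_inc_nooverflow(users_t *c)
{
	int old = atomic_load(c);

	for (;;) {
		if (old < 0 || old == INT_MAX)
			return false;
		/* on failure, old is refreshed with the current value */
		if (atomic_compare_exchange_weak(c, &old, old + 1))
			return true;
	}
}

static void users_dec(users_t *c)
{
	atomic_fetch_sub(c, 1);
}

/* The "we can hibernate" condition: no users left. */
static bool users_none(users_t *c)
{
	return atomic_load(c) == 0;
}

/*
 * Drive both styles from a counter sitting at INT_MAX. Reports whether
 * each style admitted the caller and returns the value the
 * check-then-add counter ended up with.
 */
static int demo_at_saturation(bool *checked_allowed, bool *cas_allowed)
{
	users_t a = INT_MAX, b = INT_MAX;

	*checked_allowed = users_inc_check_then_add(&a); /* admitted, wraps */
	*cas_allowed = users_inc_nooverflow(&b);        /* refused, stays */
	return atomic_load(&a);                          /* INT_MIN */
}

int main(void)
{
	users_t users = 0;
	bool chk, cas;
	int wrapped;

	users_inc_nooverflow(&users);
	printf("users=%d none=%d\n", atomic_load(&users), users_none(&users));
	users_dec(&users);
	printf("users=%d none=%d\n", atomic_load(&users), users_none(&users));

	wrapped = demo_at_saturation(&chk, &cas);
	printf("check-then-add: admitted=%d counter=%d; bounded: admitted=%d\n",
	       chk, wrapped, cas);
	return 0;
}
```

Compile with a C11-capable gcc or clang; no flags beyond the default are needed. The point the output makes is that style 1 lets the one caller that causes the wrap through and only refuses everyone after it, whereas style 2 refuses at the boundary and the counter never leaves the non-negative range.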