From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1F72C54EE9 for ; Mon, 19 Sep 2022 08:29:48 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 528466B0074; Mon, 19 Sep 2022 04:29:48 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4B0E4940008; Mon, 19 Sep 2022 04:29:48 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 32A7D940007; Mon, 19 Sep 2022 04:29:48 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 1C6BF6B0074 for ; Mon, 19 Sep 2022 04:29:48 -0400 (EDT) Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 8B3A5A0160 for ; Mon, 19 Sep 2022 08:29:47 +0000 (UTC) X-FDA: 79928161614.14.A5F8B36 Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) by imf23.hostedemail.com (Postfix) with ESMTP id 55368140002 for ; Mon, 19 Sep 2022 08:29:47 +0000 (UTC) Received: by mail-ej1-f42.google.com with SMTP id y17so57681156ejo.6 for ; Mon, 19 Sep 2022 01:29:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:date:from:from:to:cc:subject:date; bh=xoymz8faVzT0wsOgDh8GpMXHhgQOtJ4iGMWiJ5WcE5M=; b=Lm7BO126imBfW2p86+6dSuKs+lWUTMbm5eMgm9pFu/j9M/kqYbL3JPu1nJiCf2uXr4 I7IjQVG8rbtLB0O7vzXFYE+FtBv2dj5kEBIvcsHegeo10YjZOcoRy1WxnAtjcEC/iNDW LcZ876QNCiVqfZB64ohts2NklO+0MWD4dVJ/IzGNrK5jBfbQMOHyIOKpjO4KZqmvbhZZ wUdEFhlwl+rhhZZ3tSlF8mb5iHWsovbVUpVkoOGA/EKZVYlXfCdv2ngNkltl17K4xVE6 tXMXyO/wJ7y8GipOINg2yZTi0v86atZT9vywEtsJ82Dsk6Aw4RVBVqeYs5+x1cRDgJyy 0rEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:date:from:x-gm-message-state:from:to:cc:subject:date; bh=xoymz8faVzT0wsOgDh8GpMXHhgQOtJ4iGMWiJ5WcE5M=; b=aictWvVAzpV7Glp1W2Ma9PR3NrE5PKnN2ltsLqVBmFLC6lx4wuL8rX1dHKnw/urvgb 0mP8PlS75FLeTQgDicEL+vqE3Vs8z9ltj7yzI9EOPPP+u/sxuxRFcFdp3LbBq3/lDBMX LPbbzobNA/HWpO0b+Dz3uSX8DmZCHLyqU+I67VewW5QFQqaqbXHUh8O6GHT3VYXC2HU0 io9PnmfAeS77b7ZpJ5Z0cVCfZySo/HXVxQViDU7tiXQV/V/qdPyG+HQXuo1ndY9+Ber6 8jscL3R5gERAzZm15AxlDryy9L57VKY/Tls9j5iIqkM3uIueipGtzjjk08UytHgC5RvM COsQ== X-Gm-Message-State: ACrzQf280MkJD+jNG0g8Z8SmAhsfJQBDfLbDAY3M34v7iARgZlXnI97U +7ofVH3QeSBr1QBmBwbDhdk= X-Google-Smtp-Source: AMsMyM7YDpMsT8S/fBs/dBZJOSrjXi9Pb8U6bCYB3DP/597jg0tInZfxP8MG7aCnJ70pWKg7ildXhA== X-Received: by 2002:a17:906:ee86:b0:741:89bc:27a1 with SMTP id wt6-20020a170906ee8600b0074189bc27a1mr12414411ejb.725.1663576185705; Mon, 19 Sep 2022 01:29:45 -0700 (PDT) Received: from pc636 ([155.137.26.201]) by smtp.gmail.com with ESMTPSA id s15-20020a1709067b8f00b00775f6081a87sm2271881ejo.121.2022.09.19.01.29.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Sep 2022 01:29:45 -0700 (PDT) From: Uladzislau Rezki X-Google-Original-From: Uladzislau Rezki Date: Mon, 19 Sep 2022 10:29:43 +0200 To: Matthew Wilcox , Kees Cook Cc: Kees Cook , Uladzislau Rezki , Andrew Morton , Yu Zhao , dev@der-flo.net, linux-mm@kvack.org, linux-hardening@vger.kernel.org, Peter Zijlstra , Ingo Molnar , linux-kernel@vger.kernel.org, x86@kernel.org, linux-perf-users@vger.kernel.org, linux-arch@vger.kernel.org Subject: Re: [PATCH 3/3] usercopy: Add find_vmap_area_try() to avoid deadlocks Message-ID: References: <20220916135953.1320601-1-keescook@chromium.org> <20220916135953.1320601-4-keescook@chromium.org> <202209160805.CA47B2D673@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1663576187; a=rsa-sha256; cv=none; b=Yil+pembPfhrGg4rPWI9DjDJnflAbybx0C0fm1dKYdhmlv31V/KhY6eFXxyW4FkxiVzqeo mjYGM548SOmlyx8atuPjzv2zROUVvcNoqCGJWKsskH44krEPLVwfz7jk53lxETEXIyShyy Qx49x8tWdjqaTlLv/GjhdbmGTyfObiU= ARC-Authentication-Results: i=1; imf23.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=Lm7BO126; spf=pass (imf23.hostedemail.com: domain of urezki@gmail.com designates 209.85.218.42 as permitted sender) smtp.mailfrom=urezki@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1663576187; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=xoymz8faVzT0wsOgDh8GpMXHhgQOtJ4iGMWiJ5WcE5M=; b=NuUkyeD5iC+c5V253bXroIZO0yOfB2ducH752VumGIPpm3AJof9DW+vTmgr3gLSJxm2pQp witNmRYpsh7ClyRhCr6UwVEv/NZdiypdsKj8W7Qhko6pG20OXsNNrI+cmR7zUopt+ewY/A ydTVQAIFwI+8HbDIngN7ETdVkINV6II= X-Rspam-User: X-Rspamd-Server: rspam02 X-Rspamd-Queue-Id: 55368140002 Authentication-Results: imf23.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=Lm7BO126; spf=pass (imf23.hostedemail.com: domain of urezki@gmail.com designates 209.85.218.42 as permitted sender) smtp.mailfrom=urezki@gmail.com; dmarc=pass (policy=none) header.from=gmail.com X-Stat-Signature: fpwt4wjgpuc7xhre6rsx9aogduqcrurr X-HE-Tag: 1663576187-44927 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 16, 2022 at 08:15:24PM +0100, Matthew Wilcox wrote: > On Fri, Sep 16, 2022 at 08:09:16AM -0700, Kees Cook wrote: > > On Fri, Sep 16, 2022 at 03:46:07PM +0100, Matthew Wilcox wrote: > > > On Fri, Sep 16, 2022 at 06:59:57AM -0700, Kees Cook wrote: > > > > The check_object_size() checks under CONFIG_HARDENED_USERCOPY need to be > > > > more defensive against running from interrupt context. Use a best-effort > > > > check for VMAP areas when running in interrupt context > > > > > > I had something more like this in mind: > > > > Yeah, I like -EAGAIN. I'd like to keep the interrupt test to choose lock > > vs trylock, otherwise it's trivial to bypass the hardening test by having > > all the other CPUs beating on the spinlock. > > I was thinking about this: > > +++ b/mm/vmalloc.c > @@ -1844,12 +1844,19 @@ > { > struct vmap_area *va; > > - if (!spin_lock(&vmap_area_lock)) > - return ERR_PTR(-EAGAIN); > + /* > + * It's safe to walk the rbtree under the RCU lock, but we may > + * incorrectly find no vmap_area if the tree is being modified. > + */ > + rcu_read_lock(); > va = __find_vmap_area(addr, &vmap_area_root); > - spin_unlock(&vmap_area_lock); > + if (!va && in_interrupt()) > + va = ERR_PTR(-EAGAIN); > + rcu_read_unlock(); > > - return va; > + if (va) > + return va; > + return find_vmap_area(addr); > } > > /*** Per cpu kva allocator ***/ > > ... but I don't think that works since vmap_areas aren't freed by RCU, > and I think they're reused without going through an RCU cycle. > Right you are. It should be freed via RCU-core. So wrapping by rcu_* is useless here. > > So here's attempt #4, which actually compiles, and is, I think, what you > had in mind. > > diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h > index 096d48aa3437..2b7c52e76856 100644 > --- a/include/linux/vmalloc.h > +++ b/include/linux/vmalloc.h > @@ -215,7 +215,7 @@ extern struct vm_struct *__get_vm_area_caller(unsigned long size, > void free_vm_area(struct vm_struct *area); > extern struct vm_struct *remove_vm_area(const void *addr); > extern struct vm_struct *find_vm_area(const void *addr); > -struct vmap_area *find_vmap_area(unsigned long addr); > +struct vmap_area *find_vmap_area_try(unsigned long addr); > > static inline bool is_vm_area_hugepages(const void *addr) > { > diff --git a/mm/usercopy.c b/mm/usercopy.c > index c1ee15a98633..e0fb605c1b38 100644 > --- a/mm/usercopy.c > +++ b/mm/usercopy.c > @@ -173,7 +173,11 @@ static inline void check_heap_object(const void *ptr, unsigned long n, > } > > if (is_vmalloc_addr(ptr)) { > - struct vmap_area *area = find_vmap_area(addr); > + struct vmap_area *area = find_vmap_area_try(addr); > + > + /* We may be in NMI context */ > + if (area == ERR_PTR(-EAGAIN)) > + return; > > if (!area) > usercopy_abort("vmalloc", "no area", to_user, 0, n); > diff --git a/mm/vmalloc.c b/mm/vmalloc.c > index dd6cdb201195..c47b3b5d1c2d 100644 > --- a/mm/vmalloc.c > +++ b/mm/vmalloc.c > @@ -1829,7 +1829,7 @@ static void free_unmap_vmap_area(struct vmap_area *va) > free_vmap_area_noflush(va); > } > > -struct vmap_area *find_vmap_area(unsigned long addr) > +static struct vmap_area *find_vmap_area(unsigned long addr) > { > struct vmap_area *va; > > @@ -1840,6 +1840,26 @@ struct vmap_area *find_vmap_area(unsigned long addr) > return va; > } > > +/* > + * The vmap_area_lock is not interrupt-safe, and we can end up here from > + * NMI context, so it's not worth even trying to make it IRQ-safe. > + */ > +struct vmap_area *find_vmap_area_try(unsigned long addr) > +{ > + struct vmap_area *va; > + > + if (in_interrupt()) { > + if (!spin_trylock(&vmap_area_lock)) > + return ERR_PTR(-EAGAIN); > + } else { > + spin_lock(&vmap_area_lock); > + } > + va = __find_vmap_area(addr, &vmap_area_root); > + spin_unlock(&vmap_area_lock); > + > + return va; > +} > + > If we look at it other way around. There is a user that tries to access the tree from IRQ context. Can we just extend the find_vmap_area() with? - in_interrupt(); - use trylock if so. -- Uladzislau Rezki