From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5923CC00528 for ; Thu, 27 Jul 2023 18:17:20 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D0D8F6B0075; Thu, 27 Jul 2023 14:17:19 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id C966F6B0078; Thu, 27 Jul 2023 14:17:19 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B10276B007B; Thu, 27 Jul 2023 14:17:19 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 98FF36B0075 for ; Thu, 27 Jul 2023 14:17:19 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 5507BB2BC0 for ; Thu, 27 Jul 2023 18:17:19 +0000 (UTC) X-FDA: 81058198998.25.57BE0AF Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf27.hostedemail.com (Postfix) with ESMTP id C641040015 for ; Thu, 27 Jul 2023 18:17:14 +0000 (UTC) Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=JVbI90yG; spf=none (imf27.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1690481835; a=rsa-sha256; cv=none; b=agmndy/T01Hxqak+yOVXJz6EEG0Zh/WBZX0Ip+Sk6NjhF74vefjEIpp5tW59vL/ivkqFK0 3OfkJqTDOohFsohfirh/bV6OhEqAPXGEiRJgImY9/kgsZkw+xvOVLgPFIDKDA7cJyUpUYi s4mheTtAvsoBVBw/7NPWJUy6ymBEqw8= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=JVbI90yG; spf=none (imf27.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1690481835; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Fi3QSFBo0i0/xtPE6s5L0fNHLLy9eZMDhKUHdEl8qzk=; b=Jrxm+MbceRhycxwAO8sWtMIDoqw1yV7wAGuCJmFOwzUBG/BDfL9Bwv/q+jzsVRUt8yfC3G eNsIpQANkFP/7yTRfDXwUtBB8G3vpTLT0VRtUUgw+J+Z2c/toMh2Tftwl2ck/IurcL+NQM OfNkQ0DihdbMFmKdqDMBTORPHFv79Qo= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Sender:Reply-To:Content-ID:Content-Description; bh=Fi3QSFBo0i0/xtPE6s5L0fNHLLy9eZMDhKUHdEl8qzk=; b=JVbI90yGsrseV1uSb8iSHT5aaM a0duvEPMgF6vIDJ/N+QoAsOwhxq/ObRT0lq52bbyI/4ULZ7ZXTpmdLB+7Lr5dIOS8V6pymSZSqNRY Xv8ca92Ur3sfqyJTw/KKGbikxTwA/9HuOnfpz7Hrj4OH6Iww6My2uKEcI+ITrN/fACLWlbKQCb5Rc Jp+SDx+8dWcomnoQ3X9hwyA28khtlwMD7sBiQifvAuDczKbylnLB5/aGoFCaQRxutnPGDDeIZKhBL jcpWWsLZtBRsMOUPL4Kmwn7PvNo/yOMXOYCsCZRtOTol7nTqnX8tpMglgFusHgYbclF46xiGlAZGf L7URkahg==; Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1qP5Xu-007kTL-FL; Thu, 27 Jul 2023 18:17:06 +0000 Date: Thu, 27 Jul 2023 19:17:06 +0100 From: Matthew Wilcox To: Jann Horn Cc: Suren Baghdasaryan , "Liam R. Howlett" , akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot Subject: Re: [syzbot] [mm?] WARNING: suspicious RCU usage in mas_walk (2) Message-ID: References: <000000000000607ff905ffc8e477@google.com> <0000000000000aeb7f06015e5cbd@google.com> <20230727164757.e2di75xjybxncohn@revolver> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: C641040015 X-Stat-Signature: z8iymxyumbf6xs9c1t81ambek3n6j68k X-Rspam-User: X-HE-Tag: 1690481834-227743 X-HE-Meta: U2FsdGVkX1/94lgB2XtVHhrX2RA6dXHHlSKBYwk94ax59THwBvWvqcTCcHEWWa9EpCils+ikF2clk4YpyNs5E12YKf2p7QrTc+u12WFbBCQmPHa1P2RJ6MsfPwv3BkQfH+QuSfm8GEZ3vh2/f8zGYVxlAjk0L+NmJRtNdA/R2QxBBBsQ9yNZt7k+xVgfjeqN+XeNjQz32fKLA2gA6D4FVyr6McD/L/z6IHQKiOGh1A9RWLJgjmAbyh+zNlNTAP5Zqv7dzCHP7pUOjOoXXOSrSwLMyJkUsazohvdhMeY4SFyAj4ovuMuwXWjOCyc3xM89mfM5+8Uf56jrFfP+r+Kic+z7l70acboHXhJHNbg966mQPeXeC8ag8wGNwWDVmR0qd9p/qUJvbmJF4sjnlqHEmHohew+077+C+xdH8WoPUozV19DaFLtsIrXV5tGL1AxYCyeRi+V+MdjZEnnL6WwKmbDoc1IHmAmurY+Stv01yfTWiGgkLr5amNV94LYg/OUTDa3Gq8I8vdC4tXsn+L7xcD0e3Ksv7ah6gIb/CIUa4ps/nMSA6SOvvwFgZ0BaW+hdj1HA1/NK21iAeW/MJXzdaO14OUuiIs2isUxnPorZ7rgb6gohfu2W4wqRgLRduivB+kzU424geDcPjFGZtbOf+a7Y9lvvF6++C+FJt5ljH1sz+/u4SDOV/IFik7nxuKX6lNGL/5o4RQdJXTbDDmSRiKvdIwfs885HaP2eTsxBnrRT9FVUzynbwstJuy24xPyWLDbTDVnJnQoftETVJWj7gb0VQ1rtA9KnWvFYnJlls4qFwhWuZwgj+Lfde8ivotRLUuWG1F3o1nrk8fPBia9lsJkC9iwKxCArCjgrsDTm1KsM5Vata7b7LGTzZ96VOVv/cBZPvH250eIfeAp4jjYp3eQFUlEcshuNQMwE4T/52TWBJGiUAKyRypvlwqeMu4I10CAKDZ1TmONC/knl4Yq qQVpdiAM loBG3Ox/TfsnkTOD6862CAmHpX408ZoB8B0vykwkLd+KVpdq7DbrOAWKYZxSFr1DuMaxtk6wt28j7rkpfl1bZ3vZoh1hQl/LqbZd8lwOOcQRW3r9CQoWAkdFJ0H/fYAh/+yg2U2tPXmXYKebfU1Xpz4dcTFw/6yrlJTcPS1aoIT1f9JpNt2dh95s8/hmnqUwbhA1ZUY8DGTSYEryoLLPII6K4TtbGN323shGK3HSbdFCwdfGTHbxZSJKMlFaiwlmabTBjOqlW2tqaVqZwWOzGvfjBhlZ3K7Q8bq5o0xnxSUJwT5Dv3oTVTESffm3cTDU+HPlkVfe0e685BT/vYoa82RWQPbSFGwdsX1pRhnU0yJWwDLYs9hZHMutQ4hYvbCnxlEEsN75VLdTj1jygO4gTK22slA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Jul 27, 2023 at 07:59:33PM +0200, Jann Horn wrote: > On Thu, Jul 27, 2023 at 7:22 PM Suren Baghdasaryan wrote: > > Hmm. lock_vma_under_rcu() specifically checks for vma->anon_vma==NULL > > condition (see [1]) to avoid going into find_mergeable_anon_vma() (a > > check inside anon_vma_prepare() should prevent that). So, it should > > fall back to mmap_lock'ing. > > This syzkaller report applies to a tree with Willy's in-progress patch > series, where lock_vma_under_rcu() only checks for vma->anon_vma if > vma_is_anonymous() is true - it permits private non-anonymous VMAs > (which require an anon_vma for handling write faults) even if they > don't have an anon_vma. > > The commit bisected by syzkaller > (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a52f58b34afe095ebc5823684eb264404dad6f7b) > removes the vma_is_anonymous() check in handle_pte_fault(), so it lets > us reach do_wp_page() with a non-anonymous private VMA without > anon_vma, even though that requires allocation of an anon_vma. > > So I think this is pretty clearly an issue with Willy's in-progress > patch series that syzkaller blamed correctly. Agreed. What do we think the right solution is? Option 1: +++ b/mm/memory.c @@ -3197,6 +3197,12 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf) struct mmu_notifier_range range; int ret; + if (!vma->anon_vma) { + // check if there are other things to undo here + vma_end_read(vmf->vma); + return VM_FAULT_RETRY; + } + delayacct_wpcopy_start(); Option 2: @@ -5581,7 +5587,8 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, goto inval; /* find_mergeable_anon_vma uses adjacent vmas which are not locked */ - if (vma_is_anonymous(vma) && !vma->anon_vma) + if ((vma_is_anonymous(vma) || + vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) && !vma->anon_vma) goto inval; The problem with option 2 is that we don't know whether this is a write fault or not, so we'll handle read faults on private file mappings under the mmap_lock UNTIL somebody writes to the mapping, which might be never. That seems like a bad idea. We could pass FAULT_FLAG_WRITE into lock_vma_under_rcu(), but that also seems like a bad idea. I dunno. Three bad ideas. Anyone think of a good one?