Date: Thu, 8 Aug 2024 19:35:21 +0000
From: Marc Reisner
To: "Liam R. Howlett"
Cc: Kefeng Wang, Paul Moore, akpm@linux-foundation.org, david@redhat.com, linux-mm@kvack.org, omosnace@redhat.com, peterz@infradead.org, selinux@vger.kernel.org, Vlastimil Babka, Lorenzo Stoakes
Subject: Re: [PATCH v3 3/4] selinux: use vma_is_initial_stack() and vma_is_initial_heap()
References: <7fb19e0a-118d-46a1-8d1b-ab71c545d7ed@huawei.com> <0806d149-905c-49b2-930f-5d6d0f8890c9@huawei.com> <4d2e1d4f-659a-428f-a167-faaaa4eca18a@huawei.com>

On Thu, Aug 08, 2024 at 02:00:09PM -0400, Liam R. Howlett wrote:
> Have a look at the mmapstress 3 test in ltp [1]. The test pokes holes
> and mmaps into those holes throughout the brk range.
>
> [1]. https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/mem/mmapstress/mmapstress03.c

In investigating this further, with additional reproducers, I believe that
the whole bug is in vma_is_initial_heap(). Here is what I have tested so far:

1. Use only sbrk to allocate heap memory - sbrk(0) returns the start_brk
   before calling sbrk(increment). Afterwards, sbrk(0) returns
   start_brk + increment.

2. Use sbrk(0) to obtain start_brk, then request 512 MB of address space
   from mmap starting at start_brk. mmap allocates 512 MB of address space
   starting at start_brk and ending at start_brk + 0x20000000. sbrk(0)
   still returns start_brk. However, /proc/PID/maps flags the mmapped
   address space with "[heap]".

3. Use sbrk(0) to obtain start_brk, then request 512 MB of address space
   from mmap starting at start_brk + _SC_PAGESIZE. mmap allocates 512 MB
   of address space starting at start_brk + _SC_PAGESIZE and ending at
   start_brk + _SC_PAGESIZE + 0x20000000. sbrk(0) still returns start_brk,
   and /proc/PID/maps does NOT flag the mmapped address space with
   "[heap]".

I believe that the entire bug may reside in vma_is_initial_heap because
/proc/PID/maps also uses vma_is_initial_heap to flag entries with "[heap]"
[1]. Also, sbrk(0) is not actually getting updated after a call to mmap,
so mmap is not actually allocating heap memory.

What do you all think about this patch? If it doesn't have any obvious
flaws I can submit it (along with a revert for the revert).

diff --git a/include/linux/mm.h b/include/linux/mm.h
index c4b238a20b76..1dd588833af8 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -918,7 +918,8 @@ static inline bool vma_is_anonymous(struct vm_area_struct *vma)
  */
 static inline bool vma_is_initial_heap(const struct vm_area_struct *vma)
 {
-	return vma->vm_start < vma->vm_mm->brk &&
+	return vma->vm_mm->brk != vma->vm_mm->start_brk &&
+	       vma->vm_start < vma->vm_mm->brk &&
 		vma->vm_end > vma->vm_mm->start_brk;
 }
 
--

[1]. https://github.com/torvalds/linux/blob/6a0e38264012809afa24113ee2162dc07f4ed22b/fs/proc/task_mmu.c#L287
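Review bot: The added `vma->vm_mm->brk != vma->vm_mm->start_brk` guard only covers the never-extended heap; the two conditions that follow it are still an overlap test of [vm_start, vm_end) against [start_brk, brk), so once brk has grown, a mapping that merely overlaps that range (rather than lying inside it) is still reported as the initial heap. The commit message should say whether that is intended, and it should also explain why case 2 above was flagged at all: with brk == start_brk, `vma->vm_start < vma->vm_mm->brk` cannot hold for a VMA that starts exactly at start_brk, so the VMA being tested there must start below start_brk (for example after merging with the adjacent mapping), and the new guard is what excludes it. The kernel-doc comment that ends in the hunk's first context line ` */` needs the new precondition as well, and a one-line comment on the guard, e.g. `/* no heap VMA can exist until brk has moved past start_brk */`, would save the next reader from rederiving it.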
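Added userspace C illustration of the three cases in the message and of the hunk's condition (example code, not from this message or from the kernel): it models both versions of vma_is_initial_heap() on plain integer ranges, checks a constructed /proc/PID/maps excerpt for the "[heap]" label, and includes a live probe that repeats cases 2 and 3 against whatever kernel it runs on. The struct names, the 0x01000000 addresses, the sample maps text and the "merged VMA starting below start_brk" scenario are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000	/* Linux value; older headers lack it */
#endif

/* Minimal stand-ins for the kernel's vm_area_struct / mm_struct fields used
 * by vma_is_initial_heap(); names are assumptions for this example. */
struct vma { uintptr_t vm_start, vm_end; };
struct mm  { uintptr_t start_brk, brk; };

/* Condition as it reads before the proposed hunk: a pure overlap test
 * between [vm_start, vm_end) and [start_brk, brk). */
static bool is_initial_heap_old(const struct vma *v, const struct mm *m)
{
	return v->vm_start < m->brk && v->vm_end > m->start_brk;
}

/* Condition as proposed: the same overlap test, but only once brk has moved. */
static bool is_initial_heap_new(const struct vma *v, const struct mm *m)
{
	return m->brk != m->start_brk &&
	       v->vm_start < m->brk && v->vm_end > m->start_brk;
}

/* Constructed /proc/PID/maps excerpt (not captured from a real process):
 * a grown brk heap followed by an adjacent, unlabelled anonymous mapping. */
static const char sample_maps[] =
	"01000000-01021000 rw-p 00000000 00:00 0          [heap]\n"
	"01021000-21021000 rw-p 00000000 00:00 0 \n";

/* Return true if some line of a /proc/PID/maps-style buffer covers the whole
 * range [lo, hi) and carries the "[heap]" pathname. */
static bool maps_labels_heap(const char *maps, uintptr_t lo, uintptr_t hi)
{
	char line[512];
	while (*maps) {
		const char *nl = strchr(maps, '\n');
		size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
		unsigned long s, e;

		if (len >= sizeof line)
			len = sizeof line - 1;
		memcpy(line, maps, len);
		line[len] = '\0';
		if (sscanf(line, "%lx-%lx", &s, &e) == 2 &&
		    s <= lo && hi <= e && strstr(line, "[heap]"))
			return true;
		if (!nl)
			break;
		maps = nl + 1;
	}
	return false;
}

/* Live reproducer for cases 2 and 3: place a 512 MB anonymous mapping at
 * sbrk(0) + page_offset and report whether /proc/self/maps labels it
 * "[heap]". Returns 1 or 0, or -1 when the mapping could not be placed at
 * that address or /proc is unavailable; the answer depends on the kernel. */
static int probe_heap_label(long page_offset)
{
	static char buf[1 << 16];
	const size_t len = 512UL << 20;
	uintptr_t start_brk = (uintptr_t)sbrk(0);
	void *want = (void *)(start_brk + (uintptr_t)page_offset);
	void *got = mmap(want, len, PROT_READ | PROT_WRITE,
			 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
	FILE *f;
	size_t n;
	int labelled;

	if (got == MAP_FAILED)
		return -1;
	f = (got == want) ? fopen("/proc/self/maps", "r") : NULL;
	if (!f) {
		munmap(got, len);
		return -1;
	}
	n = fread(buf, 1, sizeof buf - 1, f);
	fclose(f);
	buf[n] = '\0';
	labelled = maps_labels_heap(buf, (uintptr_t)got, (uintptr_t)got + len);
	munmap(got, len);
	return labelled;
}

int main(void)
{
	long page = sysconf(_SC_PAGESIZE);

	printf("mmap at sbrk(0):      [heap]=%d\n", probe_heap_label(0));
	printf("mmap at sbrk(0)+page: [heap]=%d\n", probe_heap_label(page));
	return 0;
}
```

The model shows where the two versions differ: with brk == start_brk, a VMA that starts exactly at start_brk matches neither condition, while a VMA that starts below start_brk and runs past it (the merged-neighbour assumption) matches the old overlap test but is rejected by the new guard.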