From: Peter Xu <peterx@redhat.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: manas18244@iiitd.ac.in, Andrew Morton <akpm@linux-foundation.org>,
Shuah Khan <skhan@linuxfoundation.org>,
Anup Sharma <anupnewsmail@gmail.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
Subject: Re: [PATCH v3] Fixes: null pointer dereference in pfnmap_lockdep_assert
Date: Tue, 8 Oct 2024 15:27:54 -0400
Message-ID: <ZwWHuncchhMyefEe@x1n>
In-Reply-To: <ZwPg4znfu2yn2Qqw@x1n>
On Mon, Oct 07, 2024 at 09:23:47AM -0400, Peter Xu wrote:
> On Fri, Oct 04, 2024 at 04:17:42PM +0100, Matthew Wilcox wrote:
> > On Fri, Oct 04, 2024 at 07:15:48PM +0530, Manas via B4 Relay wrote:
> > > +++ b/mm/memory.c
> > > @@ -6346,10 +6346,10 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args,
> > > static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma)
> > > {
> > > #ifdef CONFIG_LOCKDEP
> > > - struct address_space *mapping = vma->vm_file->f_mapping;
> > > + struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;
> >
> > Overly long and complex line. Much simpler to write:
> >
> >     struct address_space *mapping = NULL;
> >
> >     if (vma->vm_file)
> >         mapping = vma->vm_file->f_mapping;
> >
> > > if (mapping)
> > > - lockdep_assert(lockdep_is_held(&vma->vm_file->f_mapping->i_mmap_rwsem) ||
> > > + lockdep_assert(lockdep_is_held(&mapping->i_mmap_rwsem) ||
> > > lockdep_is_held(&vma->vm_mm->mmap_lock));
> > > else
> > > lockdep_assert(lockdep_is_held(&vma->vm_mm->mmap_lock));
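Review bot: the else branch at the bottom of the hunk spells the single-lock case as lockdep_assert(lockdep_is_held(&vma->vm_mm->mmap_lock)), where the dedicated helper lockdep_assert_held(&vma->vm_mm->mmap_lock) states the intent directly; the composite lockdep_assert(a || b) form is only needed in the if (mapping) branch, which accepts either of two locks. The + line that computes mapping also folds the NULL guard into a long ternary; the explicit NULL-initialise-then-if form Matthew gives above keeps the line short and reads in parallel with the if (mapping) test that follows. The substance of the hunk is right: the vma passed here can have vm_file == NULL (that is the NULL pointer dereference the subject line names), so the old unconditional vma->vm_file->f_mapping load had to go, and switching the first assert to &mapping->i_mmap_rwsem removes the second dereference of vm_file as well.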
> >
> > This one should have been lockdep_assert_held(&vma->vm_mm->mmap_lock).
> >
> > I'm not sure that the previous one is correct. The
> > lockdep_assert_held() macro is pretty careful about checking
> > LOCK_STATE_NOT_HELD to avoid the LOCK_STATE_UNKNOWN possibility.
> > But I'll leave that for Peter to fix.
>
> Indeed..
>
> Then looks like we could have quite a few other places in Linux that can
> have used this wrong.. when the assert wants to check against either of the
> two locks (one mutex or rcu read lock, for example) is held.
>
> I'll send a patch after this one lands.
Just to follow this up and leave a record: I had a closer look today and
quickly found that the above should be all fine (similar to all kernel usages
like this, for example, rcu_dereference_check()).
The trick is that LOCK_STATE_NOT_HELD is defined as 0:

    #define LOCK_STATE_UNKNOWN   -1
    #define LOCK_STATE_NOT_HELD  0
    #define LOCK_STATE_HELD      1

So this:

    #define lockdep_assert_held(l) \
        lockdep_assert(lockdep_is_held(l) != LOCK_STATE_NOT_HELD)

Is the same as:

    #define lockdep_assert_held(l) \
        lockdep_assert(lockdep_is_held(l))
The lockdep_assert() was introduced exactly for such >1 lock assertion use
cases, in this commit:
    commit d19c81378829e5d774c951219c5a973965b9202c
    Author: Peter Zijlstra <peterz@infradead.org>
    Date:   Mon Aug 2 18:59:56 2021 +0800

        locking/lockdep: Provide lockdep_assert{,_once}() helpers

        Extract lockdep_assert{,_once}() helpers to more easily write composite
        assertions like, for example:

            lockdep_assert(lockdep_is_held(&drm_device.master_mutex) ||
                           lockdep_is_held(&drm_file.master_lookup_lock));
Thanks,
--
Peter Xu
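The point Peter makes above, that lockdep_is_held() is three-valued and only LOCK_STATE_NOT_HELD is zero, is easy to check in user space. The model below is an added example written for this page, not kernel code and not part of the patch: the LOCK_STATE_* values are the kernel's, while every toy_-prefixed name (toy_lock, toy_is_held, toy_assert, toy_vma and friends) is a stand-in defined here so the logic can be compiled without the kernel. It shows that the open-coded lockdep_assert(lockdep_is_held(l)) agrees with lockdep_assert_held(l) for all three states, and then models the fixed pfnmap_lockdep_assert() with a vma whose vm_file is NULL, the case the patch addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * User-space model of the lockdep semantics discussed in the thread.
 * The LOCK_STATE_* values are the kernel's; everything prefixed toy_
 * is a stand-in defined here for illustration, not kernel code.
 */
#define LOCK_STATE_UNKNOWN  -1
#define LOCK_STATE_NOT_HELD  0
#define LOCK_STATE_HELD      1

/* A lock whose lockdep state is set directly by the caller. */
struct toy_lock { int state; };

/* Stand-in for lockdep_is_held(): three-valued, like the real one. */
static int toy_is_held(const struct toy_lock *l)
{
	return l->state;
}

/* Stand-in for lockdep_assert(cond): reports instead of WARN_ON(). */
static bool toy_assert(bool cond)
{
	return cond;
}

/* lockdep_assert_held() as defined: fires only on LOCK_STATE_NOT_HELD. */
static bool held_strict(const struct toy_lock *l)
{
	return toy_assert(toy_is_held(l) != LOCK_STATE_NOT_HELD);
}

/* The spelling used in the patch: relies on NOT_HELD being the only zero. */
static bool held_truthy(const struct toy_lock *l)
{
	return toy_assert(toy_is_held(l));
}

/* True if both spellings agree for every value lockdep_is_held() can return. */
static bool spellings_agree(void)
{
	const int states[] = { LOCK_STATE_UNKNOWN, LOCK_STATE_NOT_HELD, LOCK_STATE_HELD };

	for (size_t i = 0; i < sizeof(states) / sizeof(states[0]); i++) {
		struct toy_lock l = { states[i] };

		if (held_strict(&l) != held_truthy(&l))
			return false;
	}
	return true;
}

/* Minimal stand-ins for the structures pfnmap_lockdep_assert() touches. */
struct toy_mapping { struct toy_lock i_mmap_rwsem; };
struct toy_file { struct toy_mapping *f_mapping; };
struct toy_mm { struct toy_lock mmap_lock; };
struct toy_vma { struct toy_file *vm_file; struct toy_mm *vm_mm; };

/*
 * Model of the fixed pfnmap_lockdep_assert(): vm_file may be NULL, in which
 * case only mmap_lock is checked. Returns whether the assertion passes.
 */
static bool pfnmap_lockdep_ok(const struct toy_vma *vma)
{
	struct toy_mapping *mapping = NULL;

	if (vma->vm_file)
		mapping = vma->vm_file->f_mapping;

	if (mapping)
		return toy_assert(toy_is_held(&mapping->i_mmap_rwsem) ||
				  toy_is_held(&vma->vm_mm->mmap_lock));
	return held_strict(&vma->vm_mm->mmap_lock);
}

/*
 * Builds a vma with the given lock states and runs the model.
 * has_file == 0 is the reported case: a vma with vm_file == NULL.
 */
static bool scenario(int has_file, int rwsem_state, int mmap_state)
{
	struct toy_mapping mapping = { .i_mmap_rwsem = { rwsem_state } };
	struct toy_file file = { .f_mapping = &mapping };
	struct toy_mm mm = { .mmap_lock = { mmap_state } };
	struct toy_vma vma = { .vm_file = has_file ? &file : NULL, .vm_mm = &mm };

	return pfnmap_lockdep_ok(&vma);
}

int main(void)
{
	printf("spellings agree: %d\n", spellings_agree());
	printf("no vm_file, mmap_lock held: %d\n",
	       scenario(0, LOCK_STATE_NOT_HELD, LOCK_STATE_HELD));
	printf("no vm_file, nothing held: %d\n",
	       scenario(0, LOCK_STATE_NOT_HELD, LOCK_STATE_NOT_HELD));
	printf("vm_file, i_mmap_rwsem held only: %d\n",
	       scenario(1, LOCK_STATE_HELD, LOCK_STATE_NOT_HELD));
	return 0;
}
```

Two things worth noticing when running it: LOCK_STATE_UNKNOWN (-1) passes both spellings because it is nonzero, which is the case Matthew was worried about and is by design (lockdep declines to complain when it cannot tell), and that same property is what lets the composite `lockdep_is_held(a) || lockdep_is_held(b)` work without any comparison against LOCK_STATE_NOT_HELD.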
Thread overview:
2024-10-04 13:45 Manas via B4 Relay
2024-10-04 13:47 ` Manas
2024-10-04 15:17 ` Matthew Wilcox
2024-10-04 17:40 ` Manas
2024-10-07 13:23 ` Peter Xu
2024-10-08 19:27 ` Peter Xu [this message]