* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 17:49 [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding SeongJae Park
@ 2025-06-02 19:20 ` Jann Horn
2025-06-02 19:28 ` Lorenzo Stoakes
2025-06-02 19:38 ` Lorenzo Stoakes
` (3 subsequent siblings)
4 siblings, 1 reply; 9+ messages in thread
From: Jann Horn @ 2025-06-02 19:20 UTC (permalink / raw)
To: SeongJae Park
Cc: Andrew Morton, Liam R. Howlett, David Hildenbrand,
Lorenzo Stoakes, Shakeel Butt, Vlastimil Babka, linux-kernel,
linux-mm, stable, Barry Song
@akpm FYI, this looks like it fixes a security bug in 6.15 (probably
leads to UAF of VMA structs and page tables by racing madvise(...,
MADV_GUARD_INSTALL) with concurrent faults)
On Mon, Jun 2, 2025 at 7:49 PM SeongJae Park <sj@kernel.org> wrote:
> When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> madvise_lock() failure is ignored. Check the failure and abort
> remaining works in the case.
>
> Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> Cc: stable@kernel.org
> Reported-by: Barry Song <21cnbao@gmail.com>
> Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> Signed-off-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Jann Horn <jannh@google.com>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 19:20 ` Jann Horn
@ 2025-06-02 19:28 ` Lorenzo Stoakes
2025-06-02 19:34 ` Jann Horn
0 siblings, 1 reply; 9+ messages in thread
From: Lorenzo Stoakes @ 2025-06-02 19:28 UTC (permalink / raw)
To: Jann Horn
Cc: SeongJae Park, Andrew Morton, Liam R. Howlett, David Hildenbrand,
Shakeel Butt, Vlastimil Babka, linux-kernel, linux-mm, stable,
Barry Song
On Mon, Jun 02, 2025 at 09:20:14PM +0200, Jann Horn wrote:
> @akpm FYI, this looks like it fixes a security bug in 6.15 (probably
> leads to UAF of VMA structs and page tables by racing madvise(...,
> MADV_GUARD_INSTALL) with concurrent faults)
Hmm MADV_GUARD_INSTALL / MADV_GUARD_REMOVE require only a read lock, so
madvise_lock() will be:
if (madvise_need_mmap_write(behavior)) { <--- nope
if (mmap_write_lock_killable(mm))
return -EINTR;
} else {
mmap_read_lock(mm); <---- this branch
}
return 0;
So for guard install, which is the only thing that can return -ERESTARTNOINTR
madvise_lock() ignoring the return value is essentially a no-op no?
Am I missing something?
>
> On Mon, Jun 2, 2025 at 7:49 PM SeongJae Park <sj@kernel.org> wrote:
> > When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> > madvise_lock() failure is ignored. Check the failure and abort
> > remaining works in the case.
> >
> > Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> > Cc: stable@kernel.org
> > Reported-by: Barry Song <21cnbao@gmail.com>
> > Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> > Signed-off-by: SeongJae Park <sj@kernel.org>
>
> Reviewed-by: Jann Horn <jannh@google.com>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 19:28 ` Lorenzo Stoakes
@ 2025-06-02 19:34 ` Jann Horn
2025-06-02 19:37 ` Lorenzo Stoakes
0 siblings, 1 reply; 9+ messages in thread
From: Jann Horn @ 2025-06-02 19:34 UTC (permalink / raw)
To: Lorenzo Stoakes
Cc: SeongJae Park, Andrew Morton, Liam R. Howlett, David Hildenbrand,
Shakeel Butt, Vlastimil Babka, linux-kernel, linux-mm, stable,
Barry Song
On Mon, Jun 2, 2025 at 9:28 PM Lorenzo Stoakes
<lorenzo.stoakes@oracle.com> wrote:
> On Mon, Jun 02, 2025 at 09:20:14PM +0200, Jann Horn wrote:
> > @akpm FYI, this looks like it fixes a security bug in 6.15 (probably
> > leads to UAF of VMA structs and page tables by racing madvise(...,
> > MADV_GUARD_INSTALL) with concurrent faults)
>
> Hmm MADV_GUARD_INSTALL / MADV_GUARD_REMOVE require only a read lock, so
> madvise_lock() will be:
>
>
> if (madvise_need_mmap_write(behavior)) { <--- nope
> if (mmap_write_lock_killable(mm))
> return -EINTR;
> } else {
> mmap_read_lock(mm); <---- this branch
> }
> return 0;
>
> So for guard install, which is the only thing that can return -ERESTARTNOINTR
> madvise_lock() ignoring the return value is essentially a no-op no?
>
> Am I missing something?
... you're right, of course. please ignore my needlessly alarmist comment.
(I think it is surprising that the write lock is killable while the
read lock isn't but that's another story)
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 19:34 ` Jann Horn
@ 2025-06-02 19:37 ` Lorenzo Stoakes
0 siblings, 0 replies; 9+ messages in thread
From: Lorenzo Stoakes @ 2025-06-02 19:37 UTC (permalink / raw)
To: Jann Horn
Cc: SeongJae Park, Andrew Morton, Liam R. Howlett, David Hildenbrand,
Shakeel Butt, Vlastimil Babka, linux-kernel, linux-mm, stable,
Barry Song
On Mon, Jun 02, 2025 at 09:34:55PM +0200, Jann Horn wrote:
> On Mon, Jun 2, 2025 at 9:28 PM Lorenzo Stoakes
> <lorenzo.stoakes@oracle.com> wrote:
> > On Mon, Jun 02, 2025 at 09:20:14PM +0200, Jann Horn wrote:
> > > @akpm FYI, this looks like it fixes a security bug in 6.15 (probably
> > > leads to UAF of VMA structs and page tables by racing madvise(...,
> > > MADV_GUARD_INSTALL) with concurrent faults)
> >
> > Hmm MADV_GUARD_INSTALL / MADV_GUARD_REMOVE require only a read lock, so
> > madvise_lock() will be:
> >
> >
> > if (madvise_need_mmap_write(behavior)) { <--- nope
> > if (mmap_write_lock_killable(mm))
> > return -EINTR;
> > } else {
> > mmap_read_lock(mm); <---- this branch
> > }
> > return 0;
> >
> > So for guard install, which is the only thing that can return -ERESTARTNOINTR
> > madvise_lock() ignoring the return value is essentially a no-op no?
> >
> > Am I missing something?
>
> ... you're right, of course. please ignore my needlessly alarmist comment.
>
> (I think it is surprising that the write lock is killable while the
> read lock isn't but that's another story)
>
Blood pressure drops :P it's still a good spot, we should handle this because in
future we may change this behaviour and we mustn't ignore this kind of code
path.
What was that you were saying on fedi about killable locks ;) a source of pain
indeed :)
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 17:49 [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding SeongJae Park
2025-06-02 19:20 ` Jann Horn
@ 2025-06-02 19:38 ` Lorenzo Stoakes
2025-06-02 19:58 ` David Hildenbrand
` (2 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Lorenzo Stoakes @ 2025-06-02 19:38 UTC (permalink / raw)
To: SeongJae Park
Cc: Andrew Morton, Liam R. Howlett, David Hildenbrand, Jann Horn,
Shakeel Butt, Vlastimil Babka, linux-kernel, linux-mm, stable,
Barry Song
On Mon, Jun 02, 2025 at 10:49:26AM -0700, SeongJae Park wrote:
> When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> madvise_lock() failure is ignored. Check the failure and abort
> remaining works in the case.
>
> Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> Cc: stable@kernel.org
> Reported-by: Barry Song <21cnbao@gmail.com>
> Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> Signed-off-by: SeongJae Park <sj@kernel.org>
I said it in reply to Jann's ping to Andrew, but to repeat here - I don't think
this actually has any impact in reality for MADV_GUARD_INSTALL / REMOVE, since
those only require read locks, which causes madvise_lock() to always succeed.
However we shouldn't be ignore return values and so it is right we ostensibly
handle this (who knows what might change in future, etc.)
So:
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
> mm/madvise.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/madvise.c b/mm/madvise.c
> index 8433ac9b27e0..5f7a66a1617e 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1881,7 +1881,9 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> /* Drop and reacquire lock to unwind race. */
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
> - madvise_lock(mm, behavior);
> + ret = madvise_lock(mm, behavior);
> + if (ret)
> + goto out;
> madvise_init_tlb(&madv_behavior, mm);
> continue;
> }
> @@ -1892,6 +1894,7 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
>
> +out:
> ret = (total_len - iov_iter_count(iter)) ? : ret;
>
> return ret;
>
> base-commit: d85ea9175e4147e15ff6e3c0e02c6c447ef473c8
> --
> 2.39.5
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 17:49 [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding SeongJae Park
2025-06-02 19:20 ` Jann Horn
2025-06-02 19:38 ` Lorenzo Stoakes
@ 2025-06-02 19:58 ` David Hildenbrand
2025-06-02 20:22 ` Shakeel Butt
2025-06-02 21:30 ` Barry Song
4 siblings, 0 replies; 9+ messages in thread
From: David Hildenbrand @ 2025-06-02 19:58 UTC (permalink / raw)
To: SeongJae Park, Andrew Morton
Cc: Liam R. Howlett, Jann Horn, Lorenzo Stoakes, Shakeel Butt,
Vlastimil Babka, linux-kernel, linux-mm, stable, Barry Song
On 02.06.25 19:49, SeongJae Park wrote:
> When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> madvise_lock() failure is ignored. Check the failure and abort
> remaining works in the case.
>
> Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> Cc: stable@kernel.org
> Reported-by: Barry Song <21cnbao@gmail.com>
> Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> Signed-off-by: SeongJae Park <sj@kernel.org>
> ---
> mm/madvise.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/madvise.c b/mm/madvise.c
> index 8433ac9b27e0..5f7a66a1617e 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1881,7 +1881,9 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> /* Drop and reacquire lock to unwind race. */
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
> - madvise_lock(mm, behavior);
> + ret = madvise_lock(mm, behavior);
> + if (ret)
> + goto out;
> madvise_init_tlb(&madv_behavior, mm);
> continue;
> }
> @@ -1892,6 +1894,7 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
>
> +out:
> ret = (total_len - iov_iter_count(iter)) ? : ret;
Acked-by: David Hildenbrand <david@redhat.com>
--
Cheers,
David / dhildenb
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 17:49 [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding SeongJae Park
` (2 preceding siblings ...)
2025-06-02 19:58 ` David Hildenbrand
@ 2025-06-02 20:22 ` Shakeel Butt
2025-06-02 21:30 ` Barry Song
4 siblings, 0 replies; 9+ messages in thread
From: Shakeel Butt @ 2025-06-02 20:22 UTC (permalink / raw)
To: SeongJae Park
Cc: Andrew Morton, Liam R. Howlett, David Hildenbrand, Jann Horn,
Lorenzo Stoakes, Vlastimil Babka, linux-kernel, linux-mm, stable,
Barry Song
On Mon, Jun 02, 2025 at 10:49:26AM -0700, SeongJae Park wrote:
> When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> madvise_lock() failure is ignored. Check the failure and abort
> remaining works in the case.
>
> Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> Cc: stable@kernel.org
> Reported-by: Barry Song <21cnbao@gmail.com>
> Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> Signed-off-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding
2025-06-02 17:49 [PATCH] mm/madvise: handle madvise_lock() failure during race unwinding SeongJae Park
` (3 preceding siblings ...)
2025-06-02 20:22 ` Shakeel Butt
@ 2025-06-02 21:30 ` Barry Song
4 siblings, 0 replies; 9+ messages in thread
From: Barry Song @ 2025-06-02 21:30 UTC (permalink / raw)
To: SeongJae Park
Cc: Andrew Morton, Liam R. Howlett, David Hildenbrand, Jann Horn,
Lorenzo Stoakes, Shakeel Butt, Vlastimil Babka, linux-kernel,
linux-mm, stable
On Tue, Jun 3, 2025 at 5:49 AM SeongJae Park <sj@kernel.org> wrote:
>
> When unwinding race on -ERESTARTNOINTR handling of process_madvise(),
> madvise_lock() failure is ignored. Check the failure and abort
> remaining works in the case.
>
> Fixes: 4000e3d0a367 ("mm/madvise: remove redundant mmap_lock operations from process_madvise()")
> Cc: stable@kernel.org
> Reported-by: Barry Song <21cnbao@gmail.com>
> Closes: https://lore.kernel.org/CAGsJ_4xJXXO0G+4BizhohSZ4yDteziPw43_uF8nPXPWxUVChzw@mail.gmail.com
> Signed-off-by: SeongJae Park <sj@kernel.org>
LGTM, thanks!
Reviewed-by: Barry Song <baohua@kernel.org>
> ---
> mm/madvise.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/madvise.c b/mm/madvise.c
> index 8433ac9b27e0..5f7a66a1617e 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1881,7 +1881,9 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> /* Drop and reacquire lock to unwind race. */
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
> - madvise_lock(mm, behavior);
> + ret = madvise_lock(mm, behavior);
> + if (ret)
> + goto out;
> madvise_init_tlb(&madv_behavior, mm);
> continue;
> }
> @@ -1892,6 +1894,7 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> madvise_finish_tlb(&madv_behavior);
> madvise_unlock(mm, behavior);
>
> +out:
> ret = (total_len - iov_iter_count(iter)) ? : ret;
>
> return ret;
>
> base-commit: d85ea9175e4147e15ff6e3c0e02c6c447ef473c8
> --
> 2.39.5
^ permalink raw reply [flat|nested] 9+ messages in thread