* Re: [tip:x86/urgent] x86/mpx: Fix recursive munmap() corruption
From: Sasha Levin @ 2019-04-18 18:29 UTC
To: Sasha Levin, tip-bot for Dave Hansen, linux-tip-commits
Cc: dave.hansen, tglx, mhocko,
Michal Hocko, Vlastimil Babka, Andy Lutomirski, Andrew Morton,
linux-mm, stable, stable
Hi,
[This is an automated email]
This commit has been processed because it contains a "Fixes:" tag,
fixing commit: 1de4fa14ee25 x86, mpx: Cleanup unused bound tables.
The bot has tested the following trees: v5.0.8, v4.19.35, v4.14.112, v4.9.169, v4.4.178.
v5.0.8: Build OK!
v4.19.35: Failed to apply! Possible dependencies:
    dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
v4.14.112: Failed to apply! Possible dependencies:
    dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
v4.9.169: Failed to apply! Possible dependencies:
    010426079ec1 ("sched/headers: Prepare for new header dependencies before moving more code to <linux/sched/mm.h>")
    1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
    39bc88e5e38e ("arm64: Disable TTBR0_EL1 during normal kernel execution")
    3f07c0144132 ("sched/headers: Prepare for new header dependencies before moving code to <linux/sched/signal.h>")
    44b04912fa72 ("x86/mpx: Do not allow MPX if we have mappings above 47-bit")
    6a0b41d1e23d ("x86/mm: Introduce arch_rnd() to compute 32/64 mmap random base")
    7c0f6ba682b9 ("Replace <asm/uaccess.h> with <linux/uaccess.h> globally")
    8f3e474f3cea ("x86/mm: Add task_size parameter to mmap_base()")
    9cf09d68b89a ("arm64: xen: Enable user access before a privcmd hvc call")
    bd38967d406f ("arm64: Factor out PAN enabling/disabling into separate uaccess_* macros")
    e13b73dd9c80 ("x86/hugetlb: Adjust to the new native/compat mmap bases")
v4.4.178: Failed to apply! Possible dependencies:
    1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
    2b5e869ecfcb ("MIPS: ELF: Interpret the NAN2008 file header flag")
    2ed02dd415ae ("MIPS: Use a union to access the ELF file header")
    44b04912fa72 ("x86/mpx: Do not allow MPX if we have mappings above 47-bit")
    5fa393c85719 ("MIPS: Break down cacheops.h definitions")
    694977006a7b ("MIPS: Use enums to make asm/pgtable-bits.h readable")
    745f35587846 ("MIPS: mm: Unify pte_page definition")
    780602d740fc ("MIPS: mm: Standardise on _PAGE_NO_READ, drop _PAGE_READ")
    7939469da29a ("MIPS64: signal: Fix o32 sigaction syscall")
    7b2cb64f91f2 ("MIPS: mm: Fix MIPS32 36b physical addressing (alchemy, netlogic)")
    8f3e474f3cea ("x86/mm: Add task_size parameter to mmap_base()")
    97f2645f358b ("tree-wide: replace config_enabled() with IS_ENABLED()")
    9e08f57d684a ("x86: mm: support ARCH_MMAP_RND_BITS")
    a60ae81e5e59 ("MIPS: CM: Fix mips_cm_max_vp_width for UP kernels")
    b1b4fad5cc67 ("MIPS: seccomp: Support compat with both O32 and N32")
    b27873702b06 ("mips, thp: remove infrastructure for handling splitting PMDs")
    b2edcfc81401 ("MIPS: Loongson: Add Loongson-3A R2 basic support")
    d07e22597d1d ("mm: mmap: add new /proc tunable for mmap_base ASLR")
    e13b73dd9c80 ("x86/hugetlb: Adjust to the new native/compat mmap bases")
How should we proceed with this patch?
--
Thanks,
Sasha
* Re: [tip:x86/urgent] x86/mpx: Fix recursive munmap() corruption
From: Dave Hansen @ 2019-04-18 19:06 UTC
To: Sasha Levin, tip-bot for Dave Hansen, linux-tip-commits
Cc: dave.hansen, tglx, mhocko, Vlastimil Babka, Andy Lutomirski,
Andrew Morton, linux-mm, stable
On 4/18/19 11:29 AM, Sasha Levin wrote:
> This commit has been processed because it contains a "Fixes:" tag,
> fixing commit: 1de4fa14ee25 x86, mpx: Cleanup unused bound tables.
>
> The bot has tested the following trees: v5.0.8, v4.19.35, v4.14.112, v4.9.169, v4.4.178.
>
> v5.0.8: Build OK!
> v4.19.35: Failed to apply! Possible dependencies:
> dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
I probably should have looked more closely at the state of the code
before dd2283f2605e. A more correct Fixes: would probably have referred
to dd2283f2605e. *It* appears to be the root cause rather than the
original MPX code that I called out.
The pre-dd2283f2605e code does this:
> /*
> * Remove the vma's, and unmap the actual pages
> */
> detach_vmas_to_be_unmapped(mm, vma, prev, end);
> unmap_region(mm, vma, prev, start, end);
>
> arch_unmap(mm, vma, start, end);
>
> /* Fix up all other VM information */
> remove_vma_list(mm, vma);
But, this is actually safe. arch_unmap() can't see 'vma' in the rbtree
because it's been detached, so it can't do anything to 'vma' that might
be unsafe for remove_vma_list()'s use of 'vma'.
The bug in dd2283f2605e was moving unmap_region() to after arch_unmap().
I confirmed this by running the reproducer on v4.19.35. It did not
trigger anything there, even with a bunch of debugging enabled which
detected the issue in 5.0.
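The ordering argument in the message above, as an added toy model in C (not kernel code and not from the thread): hook_unmap() is a hypothetical stand-in for an arch hook that unmaps whatever it can still find through the tree lookup, and the three-mapping layout is constructed. It contrasts detaching first, as in the quoted snippet, with running the hook while the mappings are still linked.

```c
#include <stdio.h>

/* Toy model, not kernel code: the "tree" is a small array of mappings. */
struct vma { unsigned long start, end; int in_tree, freed; };
#define NVMA 3
static struct vma vmas[NVMA];

static void reset(void) {   /* constructed layout: three adjacent mappings */
    for (int i = 0; i < NVMA; i++)
        vmas[i] = (struct vma){ 0x1000ul * (i + 1), 0x1000ul * (i + 2), 1, 0 };
}

/* A lookup only sees mappings that are still linked in the tree. */
static struct vma *find_in_tree(unsigned long addr) {
    for (int i = 0; i < NVMA; i++)
        if (vmas[i].in_tree && addr >= vmas[i].start && addr < vmas[i].end)
            return &vmas[i];
    return NULL;
}

/* Hypothetical hook: unmaps, on its own, anything it finds in the range. */
static void hook_unmap(unsigned long start, unsigned long end) {
    for (unsigned long a = start; a < end; a += 0x1000) {
        struct vma *v = find_in_tree(a);
        if (v) { v->in_tree = 0; v->freed = 1; }
    }
}

/* Returns how many mappings the caller touched after the hook freed them. */
int unmap_range(unsigned long start, unsigned long end, int detach_first) {
    struct vma *held[NVMA];
    int n = 0, stale = 0;
    reset();
    for (int i = 0; i < NVMA; i++)          /* caller resolves the range once */
        if (vmas[i].start < end && vmas[i].end > start)
            held[n++] = &vmas[i];
    if (detach_first)                        /* detach before the hook runs */
        for (int i = 0; i < n; i++) held[i]->in_tree = 0;
    hook_unmap(start, end);
    for (int i = 0; i < n; i++) {            /* final teardown of held list */
        if (held[i]->freed) stale++;         /* stale pointer: would be a UAF */
        else { held[i]->in_tree = 0; held[i]->freed = 1; }
    }
    return stale;
}

int main(void) {
    printf("detach first: %d stale\n", unmap_range(0x1000, 0x3000, 1));
    printf("hook first:   %d stale\n", unmap_range(0x1000, 0x3000, 0));
    return 0;
}
```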
* Re: [tip:x86/urgent] x86/mpx: Fix recursive munmap() corruption
From: Thomas Gleixner @ 2019-04-18 19:19 UTC
To: Dave Hansen
Cc: Sasha Levin, tip-bot for Dave Hansen, linux-tip-commits,
dave.hansen, mhocko, Vlastimil Babka, Andy Lutomirski,
Andrew Morton, linux-mm, stable
On Thu, 18 Apr 2019, Dave Hansen wrote:
> On 4/18/19 11:29 AM, Sasha Levin wrote:
> > This commit has been processed because it contains a "Fixes:" tag,
> > fixing commit: 1de4fa14ee25 x86, mpx: Cleanup unused bound tables.
> >
> > The bot has tested the following trees: v5.0.8, v4.19.35, v4.14.112, v4.9.169, v4.4.178.
> >
> > v5.0.8: Build OK!
> > v4.19.35: Failed to apply! Possible dependencies:
> > dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
>
> I probably should have looked more closely at the state of the code
> before dd2283f2605e. A more correct Fixes: would probably have referred
> to dd2283f2605e. *It* appears to be the root cause rather than the
> original MPX code that I called out.
>
> The pre-dd2283f2605e code does this:
>
> > /*
> > * Remove the vma's, and unmap the actual pages
> > */
> > detach_vmas_to_be_unmapped(mm, vma, prev, end);
> > unmap_region(mm, vma, prev, start, end);
> >
> > arch_unmap(mm, vma, start, end);
> >
> > /* Fix up all other VM information */
> > remove_vma_list(mm, vma);
>
> But, this is actually safe. arch_unmap() can't see 'vma' in the rbtree
> because it's been detached, so it can't do anything to 'vma' that might
> be unsafe for remove_vma_list()'s use of 'vma'.
>
> The bug in dd2283f2605e was moving unmap_region() to after arch_unmap().
>
> I confirmed this by running the reproducer on v4.19.35. It did not
> trigger anything there, even with a bunch of debugging enabled which
> detected the issue in 5.0.
I'll amend the commit to avoid further confusion.
Thanks,
tglx