Date: Fri, 29 Sep 2023 23:45:02 +0100
From: Lorenzo Stoakes <lstoakes@gmail.com>
To: "Liam R. Howlett"
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Yikebaer Aizezi
Subject: Re: [PATCH] mm/mempolicy: Fix set_mempolicy_home_node() previous VMA pointer
References: <20230928172432.2246534-1-Liam.Howlett@oracle.com>
In-Reply-To: <20230928172432.2246534-1-Liam.Howlett@oracle.com>

On Thu, Sep 28, 2023 at 01:24:32PM -0400, Liam R.
Howlett wrote:
> The two users of mbind_range() are expecting that mbind_range() will
> update the pointer to the previous VMA, or return an error.  However,
> set_mempolicy_home_node() does not call mbind_range() if there is no VMA
> policy.  The fix is to update the pointer to the previous VMA prior to
> continuing iterating the VMAs when there is no policy.
>
> Users may experience a WARN_ON() during VMA policy updates when updating
> a range of VMAs on the home node.
>
> Reported-by: Yikebaer Aizezi
> Closes: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
> Link: https://lore.kernel.org/linux-mm/CALcu4rbT+fMVNaO_F2izaCT+e7jzcAciFkOvk21HGJsmLcUuwQ@mail.gmail.com/
> Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
> Cc: stable@vger.kernel.org
> Cc: Lorenzo Stoakes
> Signed-off-by: Liam R. Howlett
> ---
>  mm/mempolicy.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
>
> For completeness, here is the syzbot reproducer so that it is available
> from the mailing list:
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #ifndef __NR_set_mempolicy_home_node
> #define __NR_set_mempolicy_home_node 450
> #endif
>
> int main(void)
> {
>   syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>   syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>
>   *(uint64_t*)0x20000000 = 0xffffffffffffff81;
>   syscall(__NR_mbind, /*addr=*/0x20ffa000ul, /*len=*/0x4000ul, /*mode=*/2ul, /*nodemask=*/0x20000000ul, /*maxnode=*/7ul, /*flags=*/0ul);
>   syscall(__NR_mbind, /*addr=*/0x20ff9000ul, /*len=*/0x3000ul, /*mode=*/0ul, /*nodemask=*/0ul, /*maxnode=*/0ul, /*flags=*/0ul);
>   syscall(__NR_set_mempolicy_home_node, /*addr=*/0x20ffa000ul, /*len=*/0x4000ul, /*home_node=*/0ul, /*flags=*/0ul);
>   return 0;
> }
>
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 42b5567e3773..717d93c175f2 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1544,8 +1544,10 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  		 * the home node for vmas we already updated before.
>  		 */
>  		old = vma_policy(vma);
> -		if (!old)
> +		if (!old) {
> +			prev = vma;
>  			continue;
> +		}
>  		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
>  			err = -EOPNOTSUPP;
>  			break;
> --
> 2.40.1
>

It feels a bit like the prev assignment is in the wrong place, however
looking at mbind_range() it's because of the possible merge that this is so I
guess.

Just a pity the two bits get separated, as obviously it is at this upper loop
where the assignment of prev is most meaningful.

But definitely looks correct,

Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
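Review bot: the new `prev = vma;` in the `if (!old)` branch carries no explanation of why it belongs there, while the `-EOPNOTSUPP` break a few lines below deliberately leaves prev untouched; the changelog gives the reason (mbind_range() normally advances prev or an error is returned, and this branch skips mbind_range() entirely), so a one-line comment on the assignment, e.g. `/* mbind_range() is skipped for this vma, so advance prev here */`, would keep that reasoning next to the code rather than only in the commit message.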
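To make the invariant behind the fix concrete, here is an added, self-contained C model of the range walk that is not kernel code and not part of the patch or this thread: `struct toy_vma`, `sample_vmas` and `walk_range()` are constructed stand-ins (a NULL policy plays the role of `vma_policy()` returning NULL, and a pointer comparison stands in for the WARN_ON() inside the merge path). The sample layout is loosely shaped like the reproducer, with the middle VMA's policy cleared, and the `fixed` flag toggles the one-line change from the hunk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-in for a VMA: a half-open [start, end) range plus an
 * optional policy. A NULL policy models a VMA with no mempolicy of its own,
 * which is the case the patched branch handles.
 */
struct toy_vma {
	unsigned long start;
	unsigned long end;
	const char *policy;
};

/*
 * Constructed sample loosely shaped like the syzbot reproducer: three
 * adjacent VMAs where only the middle one has had its policy cleared.
 */
static const struct toy_vma sample_vmas[] = {
	{ 0x20ff9000ul, 0x20ffa000ul, "bind" },
	{ 0x20ffa000ul, 0x20ffc000ul, NULL },
	{ 0x20ffc000ul, 0x20ffe000ul, "bind" },
};
#define SAMPLE_COUNT (sizeof(sample_vmas) / sizeof(sample_vmas[0]))

/*
 * Model of the set_mempolicy_home_node() walk. A VMA without a policy is
 * skipped; every other VMA is handed to an mbind_range()-like step that
 * relies on prev being the VMA immediately before vma (that is what lets it
 * attempt a merge with prev). The return value is the number of hand-overs
 * that saw a stale prev, standing in for the WARN_ON() the changelog
 * describes; 0 means the invariant held throughout the walk.
 */
static int walk_range(const struct toy_vma *vmas, size_t n, bool fixed)
{
	const struct toy_vma *prev = NULL;
	int stale = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		const struct toy_vma *vma = &vmas[i];
		const struct toy_vma *want_prev = i ? &vmas[i - 1] : NULL;

		if (!vma->policy) {
			if (fixed)
				prev = vma;	/* the fix: keep prev in step */
			continue;
		}

		/* mbind_range() stand-in: check the invariant, then advance prev */
		if (prev != want_prev)
			stale++;
		prev = vma;
	}
	return stale;
}

int main(void)
{
	printf("unpatched walk: %d stale prev pointer(s)\n",
	       walk_range(sample_vmas, SAMPLE_COUNT, false));
	printf("patched walk:   %d stale prev pointer(s)\n",
	       walk_range(sample_vmas, SAMPLE_COUNT, true));
	return 0;
}
```

Without the fix the third VMA is handed over with prev still pointing at the first one (the skipped VMA in between was never recorded), which is exactly the stale-pointer situation the merge path's WARN_ON() catches; with the fix the walk completes cleanly.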