From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 97070C32771 for ; Thu, 22 Sep 2022 01:58:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 1E8576B0071; Wed, 21 Sep 2022 21:58:47 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 1714C940008; Wed, 21 Sep 2022 21:58:47 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 01105940007; Wed, 21 Sep 2022 21:58:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id E2BF96B0071 for ; Wed, 21 Sep 2022 21:58:46 -0400 (EDT) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id B7937806DD for ; Thu, 22 Sep 2022 01:58:46 +0000 (UTC) X-FDA: 79938062652.06.3B8EF36 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by imf08.hostedemail.com (Postfix) with ESMTP id D6A0816000E for ; Thu, 22 Sep 2022 01:58:45 +0000 (UTC) Received: from dggpemm500023.china.huawei.com (unknown [172.30.72.53]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4MXz0X74vszHqH1; Thu, 22 Sep 2022 09:56:28 +0800 (CST) Received: from dggpemm100009.china.huawei.com (7.185.36.113) by dggpemm500023.china.huawei.com (7.185.36.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 22 Sep 2022 09:58:39 +0800 Received: from [10.174.179.24] (10.174.179.24) by dggpemm100009.china.huawei.com (7.185.36.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 22 Sep 2022 09:58:38 +0800 Subject: Re: [PATCH] mm: hugetlb: fix UAF in hugetlb_handle_userfault To: Andrew Morton References: <20220921083440.1267903-1-liushixin2@huawei.com> <20220921120748.79f3255fa0a06b182576f497@linux-foundation.org> CC: Liu Zixian , Mike Kravetz , Muchun Song , , , Kefeng Wang From: Liu Shixin Message-ID: Date: Thu, 22 Sep 2022 09:58:38 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: <20220921120748.79f3255fa0a06b182576f497@linux-foundation.org> Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.179.24] X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To dggpemm100009.china.huawei.com (7.185.36.113) X-CFilter-Loop: Reflected ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1663811926; a=rsa-sha256; cv=none; b=lQg4cR+XUL2kR8YSay+2g56ah0QrZN9lIB8/BUKoj6LoM+kBDn7umz/nHVHrzw4PP4GlTy 4A7XZIcoiqHJuG/0/N30RmXux/XyXWvnSxy1JlLgG3C7/qsjhoBO/9dejEduAvyAhc7kCM uE1qT0WARDWqghjZxZzxFoujai6MQcY= ARC-Authentication-Results: i=1; imf08.hostedemail.com; dkim=none; spf=pass (imf08.hostedemail.com: domain of liushixin2@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=liushixin2@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1663811926; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MS5vk6lic4FENdZwh2YSYz6XdOk2SBg8pD6ibJmZDl8=; b=uCaFXRojd7/aJZDAoDU+kIlwWd3qWwbD5iQGq09Y9WMts8KdBGLo1XroX+eB4072wPXuw1 QUBtYKfQLxJzFedccaHA+XHoMUh3Pj2YQxMbvOjIE1qVL/7anCG03PMb6CbMMa/OUpjM6J vWwJUUgkDsnlgEoumSEmFoeAbLe8mus= X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: D6A0816000E X-Rspam-User: Authentication-Results: imf08.hostedemail.com; dkim=none; spf=pass (imf08.hostedemail.com: domain of liushixin2@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=liushixin2@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com X-Stat-Signature: udxpdtrgs5j3x8b7syyb4ohbd8ah6hb6 X-HE-Tag: 1663811925-458366 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2022/9/22 3:07, Andrew Morton wrote: > On Wed, 21 Sep 2022 16:34:40 +0800 Liu Shixin wrote: > >> The vma_lock and hugetlb_fault_mutex are dropped before handling >> userfault and reacquire them again after handle_userfault(), but >> reacquire the vma_lock could lead to UAF[1] due to the following >> race, >> >> hugetlb_fault >> hugetlb_no_page >> /*unlock vma_lock */ >> hugetlb_handle_userfault >> handle_userfault >> /* unlock mm->mmap_lock*/ >> vm_mmap_pgoff >> do_mmap >> mmap_region >> munmap_vma_range >> /* clean old vma */ >> /* lock vma_lock again <--- UAF */ >> /* unlock vma_lock */ >> >> Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), >> let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix >> the issue. >> >> @@ -5508,17 +5507,12 @@ static inline vm_fault_t hugetlb_handle_userfault(struct vm_area_struct *vma, >> >> /* >> * vma_lock and hugetlb_fault_mutex must be >> - * dropped before handling userfault. Reacquire >> - * after handling fault to make calling code simpler. >> + * dropped before handling userfault. >> */ >> hugetlb_vma_unlock_read(vma); >> hash = hugetlb_fault_mutex_hash(mapping, idx); >> mutex_unlock(&hugetlb_fault_mutex_table[hash]); >> - ret = handle_userfault(&vmf, reason); >> - mutex_lock(&hugetlb_fault_mutex_table[hash]); >> - hugetlb_vma_lock_read(vma); >> - >> - return ret; >> + return handle_userfault(&vmf, reason); >> } > Current code is rather different from this. So if the bug still exists > in current code, please verify this and redo the patch appropriately? > > And hang on to this version to help with the -stable backporting. > > Thanks. > . This patch conflicts with patch series "hugetlb: Use new vma lock for huge pmd sharing synchronization". So I reproduce the problem on next-20220920 and this patch is based on next-20220920 instead of mainline. This problem is existed since v4.11. I will send the stable version later.