[PATCH v3] mm: fix vma_start_write_killable() signal handling

[PATCH v3] mm: fix vma_start_write_killable() signal handling

[Matthew Wilcox (Oracle)]

If we get a signal, we need to restore the vm_refcnt.  We don't think
that the refcount can actually be decremented to zero here as it
requires the VMA to be detached, and the vma_mark_detached() uses
TASK_UNINTERRUPTIBLE.  However, that's a bit subtle, so handle it
as if the refcount was zero at the start of this function.

Reported-by: syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com
Fixes: 2197bb60f890 ("mm: add vma_start_write_killable()")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
---
 mm/mmap_lock.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c
index e6e5570d1ec7..7421b7ea8001 100644
--- a/mm/mmap_lock.c
+++ b/mm/mmap_lock.c
@@ -74,6 +74,14 @@ static inline int __vma_enter_locked(struct vm_area_struct *vma,
 		   refcount_read(&vma->vm_refcnt) == tgt_refcnt,
 		   state);
 	if (err) {
+		if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
+			/*
+			 * The wait failed, but the last reader went away
+			 * as well.  Tell the caller the VMA is detached.
+			 */
+			WARN_ON_ONCE(!detaching);
+			err = 0;
+		}
 		rwsem_release(&vma->vmlock_dep_map, _RET_IP_);
 		return err;
 	}
-- 
2.47.2

Re: [PATCH v3] mm: fix vma_start_write_killable() signal handling

[Liam R. Howlett]

* Matthew Wilcox (Oracle) <willy@infradead.org> [251127 23:01]:
> If we get a signal, we need to restore the vm_refcnt.  We don't think
> that the refcount can actually be decremented to zero here as it
> requires the VMA to be detached, and the vma_mark_detached() uses
> TASK_UNINTERRUPTIBLE.  However, that's a bit subtle, so handle it
> as if the refcount was zero at the start of this function.
> 
> Reported-by: syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com
> Fixes: 2197bb60f890 ("mm: add vma_start_write_killable()")
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> Reviewed-by: Suren Baghdasaryan <surenb@google.com>
> Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Cc: Liam R. Howlett <Liam.Howlett@oracle.com>

Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>

> ---
>  mm/mmap_lock.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c
> index e6e5570d1ec7..7421b7ea8001 100644
> --- a/mm/mmap_lock.c
> +++ b/mm/mmap_lock.c
> @@ -74,6 +74,14 @@ static inline int __vma_enter_locked(struct vm_area_struct *vma,
>  		   refcount_read(&vma->vm_refcnt) == tgt_refcnt,
>  		   state);
>  	if (err) {
> +		if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
> +			/*
> +			 * The wait failed, but the last reader went away
> +			 * as well.  Tell the caller the VMA is detached.
> +			 */
> +			WARN_ON_ONCE(!detaching);
> +			err = 0;
> +		}
>  		rwsem_release(&vma->vmlock_dep_map, _RET_IP_);
>  		return err;
>  	}
> -- 
> 2.47.2
>