From: Suren Baghdasaryan
Date: Tue, 15 Feb 2022 15:02:54 -0800
Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
To: Michal Hocko
Cc: Andrew Morton, Colin Cross, Sumit Semwal, Dave Hansen, Kees Cook, Matthew Wilcox, "Kirill A. Shutemov", Vlastimil Babka, Johannes Weiner, "Eric W. Biederman", Christian Brauner, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
References: <20220211013032.623763-1-surenb@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko wrote:
>
> One thing I was considering is to check against ref count overflow (a
> deep process chain with many vmas could grow really high). ref_count
> interface doesn't provide any easy way to check for overflows as far as
> I could see from a quick glance so I gave up there but the logic would
> be really straightforward. We just create a new anon_vma_name with the same
> content and use it when duplicating if the usage grows really
> (arbitrarily) high.

I went over the proposed changes. I see a couple of small required fixes
(resetting the name to NULL seems to be missing and I think
dup_vma_anon_name needs some tweaking) but overall quite straightforward.
I'll post a separate patch to do this refactoring. The original patch is
fixing the UAF issue, so I don't want to mix it with refactoring.
Please let me know if you see an issue with separating it that way.

Thanks,
Suren.

> --
> Michal Hocko
> SUSE Labs
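The overflow-avoidance logic sketched in the quoted message (share the name by reference while the count is safe, otherwise create a new object with the same content) as an added C example. This is a constructed userspace model, not kernel code and not the patch under discussion; struct anon_name, ANON_NAME_REF_LIMIT and run_dup_chain are hypothetical names, and the cap of 4 is chosen only to make the behaviour visible.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical userspace stand-in for the kernel's struct anon_vma_name (not kernel code). */
struct anon_name { unsigned int refs; char *name; };

/* Constructed cap; a real implementation would pick a value far below UINT_MAX. */
#define ANON_NAME_REF_LIMIT 4U
static struct anon_name *anon_name_alloc(const char *s)
{
    size_t len = strlen(s) + 1;
    struct anon_name *n = malloc(sizeof(*n));
    if (!n) return NULL;
    n->name = malloc(len);
    if (!n->name) { free(n); return NULL; }
    memcpy(n->name, s, len);
    n->refs = 1;
    return n;
}
/* Share by reference while the count is below the cap; otherwise hand out a fresh
 * copy with the same content, so the shared count can never saturate. */
struct anon_name *anon_name_dup(struct anon_name *src)
{
    if (!src) return NULL;
    if (src->refs >= ANON_NAME_REF_LIMIT) return anon_name_alloc(src->name);
    src->refs++;
    return src;
}
void anon_name_put(struct anon_name *n)
{
    if (n && --n->refs == 0) { free(n->name); free(n); }
}
/* Simulate `depth` generations, each duplicating its parent's name (a constructed
 * process chain). Returns the number of distinct objects created; *max_refs (may be
 * NULL) receives the highest refcount any of them reached. */
unsigned int run_dup_chain(unsigned int depth, unsigned int *max_refs)
{
    struct anon_name **h = calloc(depth + 1, sizeof(*h));
    unsigned int i, distinct = 1, peak = 1;
    if (!h) return 0;
    h[0] = anon_name_alloc("example");
    for (i = 1; i <= depth && h[i - 1]; i++) {
        h[i] = anon_name_dup(h[i - 1]);
        if (h[i] && h[i] != h[i - 1]) distinct++;
        if (h[i] && h[i]->refs > peak) peak = h[i]->refs;
    }
    if (max_refs) *max_refs = peak;
    for (i = 0; i <= depth; i++) anon_name_put(h[i]);
    free(h);
    return distinct;
}
```

With the cap at 4, eleven holders (one original plus ten duplicates) end up spread over three objects and no refcount ever exceeds the cap.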