Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
From:   Liam Howlett <liam.howlett@oracle.com>
To:     Suren Baghdasaryan <surenb@google.com>
CC:     Matthew Wilcox <willy@infradead.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        "mhocko@kernel.org" <mhocko@kernel.org>,
        "mhocko@suse.com" <mhocko@suse.com>,
        "shy828301@gmail.com" <shy828301@gmail.com>,
        "rientjes@google.com" <rientjes@google.com>,
        "hannes@cmpxchg.org" <hannes@cmpxchg.org>,
        "guro@fb.com" <guro@fb.com>, "riel@surriel.com" <riel@surriel.com>,
        "minchan@kernel.org" <minchan@kernel.org>,
        "kirill@shutemov.name" <kirill@shutemov.name>,
        "aarcange@redhat.com" <aarcange@redhat.com>,
        "brauner@kernel.org" <brauner@kernel.org>,
        "christian@brauner.io" <christian@brauner.io>,
        "hch@infradead.org" <hch@infradead.org>,
        "oleg@redhat.com" <oleg@redhat.com>,
        "david@redhat.com" <david@redhat.com>,
        "jannh@google.com" <jannh@google.com>,
        "shakeelb@google.com" <shakeelb@google.com>,
        "luto@kernel.org" <luto@kernel.org>,
        "christian.brauner@ubuntu.com" <christian.brauner@ubuntu.com>,
        "fweimer@redhat.com" <fweimer@redhat.com>,
        "jengelh@inai.de" <jengelh@inai.de>,
        "timmurray@google.com" <timmurray@google.com>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "kernel-team@android.com" <kernel-team@android.com>,
        "syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com" 
        <syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com>
Subject: Re: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused
 after being freed
Thread-Topic: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused
 after being freed
Thread-Index: AQHYIqlYsobTZLgdX0GF48T/8G2rKqyjuEyAgAABMACAABh/AIAVFxAAgAAJZ4CAAGLHAA==
Date:   Thu, 10 Mar 2022 22:22:12 +0000
Message-ID: <20220310222206.dttvvlgfqysrcl2s@revolver>
References: <20220215201922.1908156-1-surenb@google.com>
 <20220224201859.a38299b6c9d52cb51e6738ea@linux-foundation.org>
 <YhhZsv+czqQPKvvN@casper.infradead.org>
 <CAJuCfpEUro2jxmx-AB2A-mVcNxz6s3oAyow1sEXY5RyPP+83dA@mail.gmail.com>
 <20220310155454.g6lt54yxel3ixnp3@revolver>
 <CAJuCfpHk+1snrPx-_qvj=kjSOS+o=L90evAQ1gD5hj6XxB=a3g@mail.gmail.com>
In-Reply-To: <CAJuCfpHk+1snrPx-_qvj=kjSOS+o=L90evAQ1gD5hj6XxB=a3g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?zJwOF5kzpp6tg2HlZZT8WQGRs52JXp+DCZx1cR3m91UQwNREkbVzF0A4tEY4?=
 =?us-ascii?Q?APYErvV1t4cmNRJ4Ykoj5ljN5VPMiHCokt3ih5O+dEpqz/oPmZCx1JN1R7MJ?=
 =?us-ascii?Q?7l93AuWlaXAOPVYlGnqds59py3e0tKVsh/PHKZraoa2pKl4mrNNIoE7fBDKA?=
 =?us-ascii?Q?ubAyG1VTOYIhhjm1pwVhTfwEZVsI7xEb6CkR3XYPqmrVn9CaFjaTMyX1oaFy?=
 =?us-ascii?Q?1fL+fNRw33A11Ueclg2+zsTrKwT086s5er1kFYkjAC7A8mdz/mHkmiIlj+Qo?=
 =?us-ascii?Q?BGiQXRRq+ATlnAcvo1Y+KGagGtMm8whPefBrg61c1p3E2JlOPWhPJnJw4GNj?=
 =?us-ascii?Q?ewUknDqgX1QOi26aWQ+Sg8PSHIdNwPsX099ZNsDsBN9kzaDVWSaWhINUlstC?=
 =?us-ascii?Q?K3iWtesgBT9jql/TroopOU11j1B3cx3AOUoDn4SoW9FYKoqDyxjbezAm04HM?=
 =?us-ascii?Q?DW/PtqF0gWq/T52b/CzNG+9ryqdBCTJpBmQ96b7I6zdDxZEyx6jFi3RaN0Jl?=
 =?us-ascii?Q?8OnK6pxUl7ORUiIc+FMHDg37W6skh8GeiFHQVPkkpO773L8RmKdLvqT8sxC4?=
 =?us-ascii?Q?0hK7P2UFWLkXY/wIpGoxbubXc+Mu6Z5p7iCZbDPihS3lCRNMilRXsN26RKJt?=
 =?us-ascii?Q?DdIXfGDI0b5X8v8Ho5aviJmuY0RGgOePxGmMQPy42cjQE3PpdSPnWXqjoPC3?=
 =?us-ascii?Q?jylMZDx8VfVQ0okrrmLMp5BC3laM7ix61nsSKtjdZv38q8ui5edCK6izLM/C?=
 =?us-ascii?Q?O9Qzl647s2KvB/VNDVatME8i9cZTab8g5Lzf4flFrhLVGJYA9LNm7G1MF6EH?=
 =?us-ascii?Q?XiuXN9QU53kqfMGh9+oWtoJGgRC0F9kPkJTfEL/SmTCb+/ixXLmDxM/IOlN1?=
 =?us-ascii?Q?S9YmWIaZV1atlbdo8jXWnBkpKEnCmPYtP84wDGAflsCQECSmjeKRMBX8SxF8?=
 =?us-ascii?Q?Yis/Exx69vJON13eSvzOqiZMS6t/TZ0FWtXhnjYge2+q3xFrbct2OKrjVafK?=
 =?us-ascii?Q?T2M5DbmRSezJDaifCp2fgZC+bnWulOMTw0ooNqEhW+stUDjpTe7Bc/7oWM6A?=
 =?us-ascii?Q?9g6q7VmRbNQ5BqEwSpfCzO/eR7ySA1x3s17GAxXnO4Xrexl0VAh/Ry12nFMn?=
 =?us-ascii?Q?IpE9voqIfUsaEE0kvQfRdYTB6bM3C4EETeE36ThvNIkmD6DH7oz+QlCP2uF8?=
 =?us-ascii?Q?tf3fyu+Np6bPf4djXFnYkET+xwHmGt0c9tDl1SAFLp4EQFFfCY9+Yu70Om17?=
 =?us-ascii?Q?BWH8B2pih8FENX87deyrpcDWT/ezt/Enka3SYwPbH/aDqQrc1dOF0RvIxgLk?=
 =?us-ascii?Q?UBXCddCJEWpxgen3acbB+T8mx874vEOlsusw+u9O8t7aA1sKLX95AUybEquW?=
 =?us-ascii?Q?YrAlkc9YFSCZiW3X59GnEZTTs9AM42HDCbS//I0Rz95Yh1o97dpI8GGfGRlc?=
 =?us-ascii?Q?/xG+XHRA2WM8ecxhuf64g9Zrl51rfpafKrIMx6tKpWZt8gIpC6TyKLDk/p7u?=
 =?us-ascii?Q?zvamyPknC0Iujt0WSWGJJo5lvYurtIWiLs4NFJYXQpWkaSIbpDW7AhC+sCPp?=
 =?us-ascii?Q?BAcd1FuwazLVtcx0URe02l+eH6Bdhx8p/KtD1dIORImkEvnCFcNoqeBGOTMU?=
 =?us-ascii?Q?iNQXf1rhZ4tyWgxiiArmLq8=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <17F08AC8CCD0134995A1E9C9EE9A4FBF@namprd10.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN6PR10MB3022.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 72924642-e35c-4b84-c863-08da02e46c83
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2022 22:22:12.1940
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pJqOixGQ5ImW8cwDpRMOZJUZ2PTonMiM+N7i+n3aPmb9coepPpAxMf1KC40gD5giAuIJxM0iBfN2k7IrZS25sg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1001MB2079
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10282 signatures=692556
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 spamscore=0
 phishscore=0 bulkscore=0 adultscore=0 malwarescore=0 suspectscore=0
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2202240000 definitions=main-2203100111
X-Proofpoint-ORIG-GUID: zb1Du8HXOByisbhEUUWiqJrzggE-aPZG
X-Proofpoint-GUID: zb1Du8HXOByisbhEUUWiqJrzggE-aPZG
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

* Suren Baghdasaryan <surenb@google.com> [220310 11:28]:
> On Thu, Mar 10, 2022 at 7:55 AM Liam Howlett <liam.howlett@oracle.com> wr=
ote:
> >
> > * Suren Baghdasaryan <surenb@google.com> [220225 00:51]:
> > > On Thu, Feb 24, 2022 at 8:23 PM Matthew Wilcox <willy@infradead.org> =
wrote:
> > > >
> > > > On Thu, Feb 24, 2022 at 08:18:59PM -0800, Andrew Morton wrote:
> > > > > On Tue, 15 Feb 2022 12:19:22 -0800 Suren Baghdasaryan <surenb@goo=
gle.com> wrote:
> > > > >
> > > > > > After exit_mmap frees all vmas in the mm, mm->mmap needs to be =
reset,
> > > > > > otherwise it points to a vma that was freed and when reused lea=
ds to
> > > > > > a use-after-free bug.
> > > > > >
> > > > > > ...
> > > > > >
> > > > > > --- a/mm/mmap.c
> > > > > > +++ b/mm/mmap.c
> > > > > > @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
> > > > > >             vma =3D remove_vma(vma);
> > > > > >             cond_resched();
> > > > > >     }
> > > > > > +   mm->mmap =3D NULL;
> > > > > >     mmap_write_unlock(mm);
> > > > > >     vm_unacct_memory(nr_accounted);
> > > > > >  }
> > > > >
> > > > > After the Maple tree patches, mm_struct.mmap doesn't exist.  So I=
'll
> > > > > revert this fix as part of merging the maple-tree parts of linux-=
next.
> > > > > I'll be sending this fix to Linus this week.
> > > > >
> > > > > All of which means that the thusly-resolved Maple tree patches mi=
ght
> > > > > reintroduce this use-after-free bug.
> > > >
> > > > I don't think so?  The problem is that VMAs are (currently) part of
> > > > two data structures -- the rbtree and the linked list.  remove_vma(=
)
> > > > only removes VMAs from the rbtree; it doesn't set mm->mmap to NULL.
> > > >
> > > > With maple tree, the linked list goes away.  remove_vma() removes V=
MAs
> > > > from the maple tree.  So anyone looking to iterate over all VMAs ha=
s to
> > > > go and look in the maple tree for them ... and there's nothing ther=
e.
> > >
> > > Yes, I think you are right. With maple trees we don't need this fix.
> >
> >
> > Yes, this is correct.  The maple tree removes the entire linked list...
> > but since the mm is unstable in the exit_mmap(), I had added the
> > destruction of the maple tree there.  Maybe this is the wrong place to
> > be destroying the tree tracking the VMAs (althought this patch partiall=
y
> > destroys the VMA tracking linked list), but it brought my attention to
> > the race that this patch solves and the process_mrelease() function.
> > Couldn't this be avoided by using mmget_not_zero() instead of mmgrab()
> > in process_mrelease()?
>=20
> That's what we were doing before [1]. That unfortunately has a problem
> of process_mrelease possibly calling the last mmput and being blocked
> on IO completion in exit_aio.

Oh, I see. Thanks.


> The race between exit_mmap and
> process_mrelease is solved by using mmap_lock.

I think an important part of the race fix isn't just the lock holding
but the setting of the start of the linked list to NULL above.  That
means the code in __oom_reap_task_mm() via process_mrelease() will
continue to execute but iterate for zero VMAs.

> I think by destroying the maple tree in exit_mmap before the
> mmap_write_unlock call, you keep things working and functionality
> intact. Is there any reason this can't be done?

Yes, unfortunately.  If MMF_OOM_SKIP is not set, then process_mrelease()
will call __oom_reap_task_mm() which will get a null pointer dereference
or a use after free in the vma iterator as it tries to iterate the maple
tree.  I think the best plan is to set MMF_OOM_SKIP unconditionally
when the mmap_write_lock() is acquired.  Doing so will ensure nothing
will try to gain memory by reaping a task that no longer has memory to
yield - or at least won't shortly.  If we do use MMF_OOM_SKIP in such a
way, then I think it is safe to quickly drop the lock?

Also, should process_mrelease() be setting MMF_OOM_VICTIM on this mm?
It would enable the fast path on a race with exit_mmap() - thought that
may not be desirable?

>=20
> [1] ba535c1caf3ee78a ("mm/oom_kill: allow process_mrelease to run
> under mmap_lock protection")
>=20
> > That would ensure we aren't stepping on an
> > exit_mmap() and potentially the locking change in exit_mmap() wouldn't
> > be needed either?  Logically, I view this as process_mrelease() having
> > issue with the fact that the mmaps are no longer stable in tear down
> > regardless of the data structure that is used.
> >
> > Thanks,
> > Liam
> >
> > --
> > To unsubscribe from this group and stop receiving emails from it, send =
an email to kernel-team+unsubscribe@android.com.
> >=