Subject: Re: [PATCH 5.15] mm/filemap: fix UAF in find_lock_entries
To: Matthew Wilcox
References: <20220706032434.579610-1-liushixin2@huawei.com>
CC: Greg Kroah-Hartman, Andrew Morton, Jan Kara, William Kucharski, Christoph Hellwig
From: Liu Shixin
Message-ID: <9aa8aa19-b3ba-ab7e-abcb-78b8a65577ce@huawei.com>
Date: Wed, 6 Jul 2022 14:47:52 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022/7/6 11:21, Matthew Wilcox wrote:
> On Wed, Jul 06, 2022 at 11:24:34AM +0800, Liu Shixin wrote:
>> Release refcount after xas_set to fix UAF which may cause panic like this:
> I think we can do better.  How about this?
>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index 00e391e75880..11ae38cc4fd3 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2090,7 +2090,9 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
>  
>  	rcu_read_lock();
>  	while ((page = find_get_entry(&xas, end, XA_PRESENT))) {
> +		unsigned long next_idx = xas.xa_index + 1;
>  		if (!xa_is_value(page)) {
> +			next_idx = page->index + thp_nr_pages(page);

I noticed that there was a VM_BUG_ON_PAGE before, which was deleted by patch 6560e8cd869b ("mm/filemap.c: remove bogus VM_BUG_ON").
It seems that page->index and xas.xa_index are not guaranteed to be equal. Therefore, I conservatively retained the PageTransHuge to keep consistent with the original logic :)

@@ -2090,7 +2090,11 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
 
 	rcu_read_lock();
 	while ((page = find_get_entry(&xas, end, XA_PRESENT))) {
+		unsigned long next_idx = xas.xa_index;
+
 		if (!xa_is_value(page)) {
+			if (PageTransHuge(page))
+				next_idx = page->index + thp_nr_pages(page);
 			if (page->index < start)
 				goto put;
 			if (page->index + thp_nr_pages(page) - 1 > end)

>  			if (page->index < start)
>  				goto put;
>  			if (page->index + thp_nr_pages(page) - 1 > end)
> @@ -2111,14 +2113,11 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
>  put:
>  		put_page(page);
>  next:
> -		if (!xa_is_value(page) && PageTransHuge(page)) {
> -			unsigned int nr_pages = thp_nr_pages(page);
> -
> -			/* Final THP may cross MAX_LFS_FILESIZE on 32-bit */
> -			xas_set(&xas, page->index + nr_pages);
> -			if (xas.xa_index < nr_pages)
> -				break;
> -		}
> +		/* Final THP may cross MAX_LFS_FILESIZE on 32-bit */
> +		if (next_idx < xas.xa_index)
> +			break;
> +		if (next_idx != xas.xa_index + 1)
> +			xas_set(&xas, next_idx);
>  	}
>  	rcu_read_unlock();
>  
>
> .
>
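Review bot: in the first quoted hunk (@@ -2090,7 +2090,9 @@), `next_idx = page->index + thp_nr_pages(page);` runs for every non-value page, so after an ordinary (non-THP) page the iterator target becomes page->index + 1 rather than xas.xa_index + 1; the two only agree when page->index == xas.xa_index, which is exactly the invariant the VM_BUG_ON_PAGE removed by 6560e8cd869b ("mm/filemap.c: remove bogus VM_BUG_ON") stopped asserting, as the reply points out. If that equality does not hold, the `next_idx != xas.xa_index + 1` test in the second hunk would call xas_set() to an index that either repeats an entry already visited or skips one. Either keep the assignment under `if (PageTransHuge(page))` as the original code did, or state in the commit message why page->index must equal xas.xa_index at this point. A one-line comment on `unsigned long next_idx = xas.xa_index + 1;` explaining that the value is captured here because `page` must not be touched after put_page() would also document the actual fix.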
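Review bot: in the unquoted alternative hunk (@@ -2090,7 +2090,11 @@), `next_idx` is initialised to `xas.xa_index` instead of `xas.xa_index + 1`, but the second hunk it is meant to pair with still tests `if (next_idx != xas.xa_index + 1) xas_set(&xas, next_idx);`. For every value entry and every non-THP page that comparison is then true, and xas_set() repositions the walk on the index that was just processed, so the next find_get_entry() returns the same entry again. Either initialise with `xas.xa_index + 1` (keeping the PageTransHuge() guard, which is the conservative part of this variant) or change the comparison in the second hunk to match the new default.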
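Review bot: in the second quoted hunk (@@ -2111,14 +2113,11 @@), the new `xas_set(&xas, next_idx);` branch has no comment saying why next_idx is used instead of page->index: `page` may already have been freed by put_page() in the `put:` path, which is the UAF the subject line names, and a reader of the final code cannot see that from the hunk. The retained comment `/* Final THP may cross MAX_LFS_FILESIZE on 32-bit */` is also now narrower than the check below it, since `if (next_idx < xas.xa_index) break;` covers the xas.xa_index + 1 wrap for ordinary pages as well as the THP case. Suggest a short comment on the xas_set() call (e.g. "page may be freed after put_page(); use the index saved above") and widening the overflow comment accordingly.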