Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp1147608rwb; Thu, 22 Sep 2022 10:42:15 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4oLKY1vhU8+hGxTT+CKgZBLP1OlSBwzxD1SX//C20YochR1CsoeADmKihbK12/snq2yNRK X-Received: by 2002:a05:6402:2692:b0:451:6515:1946 with SMTP id w18-20020a056402269200b0045165151946mr4401631edd.417.1663868535596; Thu, 22 Sep 2022 10:42:15 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1663868535; cv=pass; d=google.com; s=arc-20160816; b=RKkZFjDYM120E59MzFLFHb3iffigBM9DfPL6K5fRAi5taPpEGLMCEqjMcndzVdRlL2 TkUPcZQmonthzWOFH0KqNS4Wke9kcMEjRDc/Ktk9rDNxmjLHZmKTeVgtdFvcLWm1ZEw6 Kd8HOJliqscK2iXHlLnLEiFjB6lICgpIG/vt6AzJ/yb+BTw5/eUIYyrh4oRpZcyPUuoW ZE/SR5eshM/3IA2u/rHBqjWmGQrFk3/9q6ZTwz9L1YcKAV2/VEzN+W9lQM0YuRNRk/rR LI2g/RVwdGL5g81QnAQZAG8YbAYVgAzMggZevOPoGO4i/UFcG3XX5G9NB35acWKCK3lw 6Kkw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:in-reply-to:content-disposition :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=mDJt96ZBBWPl1ujIl6EnZ27/HFxXkpj9Ibhf34S4t1E=; b=EISzop7jDNpdRltyTE9frJD1VnqW8BQydherlVGaCA6oRHFTx5yoMpdj/O9YrkZoYL tYo52Nj7nlukx6tPcLRRq9oFJqMbd0u+IOzenrlZH82VttPggifmXdFk3Y5HBwzUrB3H mEQeX302D+71FXx2NDSt35L7O1yov3JalVp5VMAruKmJihSp5eRhpxRMobnHvf4EpJ1p 5IfJTS6B7RE9le9XonG691sFN3/HF3mHU382ACYnsa8k37dhY5/NHb0JAuhqXctupFb0 rHjuVIkaNn42KYGf0j3CrK9yxVIYiTcHxbM0drltVLYxdMvHlTBkbX0siaNh6qFzeDpD ddOQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=nhJ6Rhg8; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=yxSTe0Ta; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hd8-20020a170907968800b0072a477a55e0si6334988ejc.369.2022.09.22.10.41.48; Thu, 22 Sep 2022 10:42:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=nhJ6Rhg8; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=yxSTe0Ta; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231479AbiIVRTQ (ORCPT + 99 others); Thu, 22 Sep 2022 13:19:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232145AbiIVRTD (ORCPT ); Thu, 22 Sep 2022 13:19:03 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 381BCD2D7B for ; Thu, 22 Sep 2022 10:19:02 -0700 (PDT) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 28MH3r34032074; Thu, 22 Sep 2022 17:18:49 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : content-type : in-reply-to : mime-version; s=corp-2022-7-12; bh=mDJt96ZBBWPl1ujIl6EnZ27/HFxXkpj9Ibhf34S4t1E=; b=nhJ6Rhg8K6AEeLr2iP64AtZ+sTmQOR2RRxJxqyOxDPb3k1OsgLZ7Qvj1JOkTpqlZHUBn 3bY35KzTgjHHIXMVy1SFsJZ8cu6QvCIz7JyyuxQCTLuX8DmCK3fDL5LiUX5bhH8znZyX 2nXQAIGscRIgwxJDvf9DX9qKtByQvWuaMrl1GTnMve7meXRx4dN80CCUnwCelbFce61L YHGzshWVIGteS8DA5ivigNoC8u2xkM+i+zZkSRlzqlTU52b5TR+DiK6XtrrUYqFQKV1k jmr9krdvilztue6px0udHqzLGgWS6h2Hrb5CAH5dCSFaN7YNdtvcOq+xxMm7StMe/Ttp Jw== Received: from phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta02.appoci.oracle.com [147.154.114.232]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3jn69kx8fs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 22 Sep 2022 17:18:49 +0000 Received: from pps.filterd (phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 28MGEeVZ001802; Thu, 22 Sep 2022 17:18:48 GMT Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2169.outbound.protection.outlook.com [104.47.58.169]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3jp39t1gd4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 22 Sep 2022 17:18:47 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZraRmpPpVOzaaM27UbZpSah/WwBYnX1GR67GV2FnDUxlhpnq6MSmzo8txNL/99QhbAUrDbJjH4J8wWGG0olS3vRajqBLB0MwRiGk282gCW6UsTf8VpQ2Vfpwv4Rbx7GOfHFUJWXcKYAJQ2kveSukNLw7FeH5+mgruFLHJev/BxDcnH5dDzbV4C4S6tzahzuEwqN1WQs87PCdZ/eI6RiI3UgSUcNXsf8lI/1Z0AJQDVr7QHCAsoAeCBs8jNvva7Jilq0iy0U5d6d7y+pljwITfiZTcIc97kTLWN4VNAdNF8IwTyvkXVW1LeqCafyzWSV6SLIygAq0Nzd7CMNiPQvduw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mDJt96ZBBWPl1ujIl6EnZ27/HFxXkpj9Ibhf34S4t1E=; b=TQCmXPFjuzq6s5emB+hse7Mc4cMMsT2GX3wC+DgXNN6FTYxdQpcG+QS6BTqFPROjTJvz3DmIWmKLXSOkKVAUidLMiEgtvcTQd0GnRQyTfy75YWvAdnzP78ydvaafsAzgHTpHValBq7EhDhXW3yqz0AyH7VvV1bYyi6DAYOCX6M1ls4pV34L9a8kk9ciODebfU/jUYUh5j1Vz7n7KAdsmxWwddX6JAm0WgEZ+zHn37wKQILba+88Zd4VxFLAKG3GkK9Kc4eVVuqrV3Nsr31VxVUHywLmL58v0uz4UkUseFiNki++i1/jY2D85isH2XlKx/AGumcVsg/yXXVx1h8XyuA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mDJt96ZBBWPl1ujIl6EnZ27/HFxXkpj9Ibhf34S4t1E=; b=yxSTe0TaU2V57V14G/qDRIWbXNlPkSrnKOUL4tjQ0BSqlvPha3mD95YLgUIbmKscbKAo6PPcAm6+Rlxvyei9KlQRPH0NOIMf5jK73m+bYlPXUSgCxSAt2Jd1rexJM0LHKbr4EG4evIMv2ahWH4nLK8PBkckqHj/Tsd8vrdH41BY= Received: from BY5PR10MB4196.namprd10.prod.outlook.com (2603:10b6:a03:20d::23) by PH0PR10MB4503.namprd10.prod.outlook.com (2603:10b6:510:3a::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5654.18; Thu, 22 Sep 2022 17:18:45 +0000 Received: from BY5PR10MB4196.namprd10.prod.outlook.com ([fe80::dfde:308:42fe:6c5a]) by BY5PR10MB4196.namprd10.prod.outlook.com ([fe80::dfde:308:42fe:6c5a%3]) with mapi id 15.20.5654.018; Thu, 22 Sep 2022 17:18:45 +0000 Date: Thu, 22 Sep 2022 10:18:42 -0700 From: Mike Kravetz To: David Hildenbrand , Peter Xu Cc: Liu Shixin , Liu Zixian , Muchun Song , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Kefeng Wang , John Hubbard Subject: Re: [PATCH] mm: hugetlb: fix UAF in hugetlb_handle_userfault Message-ID: References: <20220921083440.1267903-1-liushixin2@huawei.com> <708d1ec7-5c25-5e45-0db8-bd97a64e0db1@redhat.com> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <708d1ec7-5c25-5e45-0db8-bd97a64e0db1@redhat.com> X-ClientProxiedBy: MW2PR2101CA0027.namprd21.prod.outlook.com (2603:10b6:302:1::40) To BY5PR10MB4196.namprd10.prod.outlook.com (2603:10b6:a03:20d::23) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BY5PR10MB4196:EE_|PH0PR10MB4503:EE_ X-MS-Office365-Filtering-Correlation-Id: b7c20090-21bc-49dd-f37e-08da9cbe8138 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: yqX7p23jUclpujhRZW0GXoSXyHMqASLmrCg3DXeGR0WDYplHKLnlGmZ75Gg0mT0duNn9vxMXnT0WNouCrh+ujpFvTsHYyEfTsoRp9Cja58cQEeRW/5VJ21/UABT6eaEhED8nJHuaLhfNG0c3IVu9kyq/cghzWkSlA6rXtqCj1UbkyqqtxnDM/BvApEDXFq+vx4taqCUkGewIZIcahI0Wj2gHjJJanqfYXU5xZ0X6ceWJCxTrveEjw/CyaYm7cZmd/YlLrzHCJJGAy/BcPyAkRWdIM28HWEZkq/7w4Ubg0ZcdHCoxDYq7+NlYu3x6K6CsW8gMOuVl4LLLGhqpcSSWx89NCyU5fzTQyU/EnBF9VLgaOrCOQgbabOju+6V1u+RMtPs6BXQ1JRg+4RThuiXwiHmAefsK82us9CnhHnYZFqEcbsKGrbPysEqi9nWPiuFtSQFQb+JbBJHnBGT4JLz5Dn//8jl2mUZphLEyyIL/OQye0I9bttpb4oDZlafb+L3O4hG2OgY/wNZramf+1iHDBzoU6i+ZX5b11+1sgyPyd+hQQt8PmgjaYboyTit1VebGRa1jUCmjSkd1wXXUQ+SxhCbo7THBRam8RksWaPSTbQpPqtBxOicvvliqoGtuA2wXe5RMbz4OsekqFfk3fcq+NZ6dE1KoD02rq5iBja/myE5m7sDPvep7Bc9MS+IcJiErCWP1uw/Uacr8ticyVrxQiu5G+fwUzUAt9A0CRS3MR6VmacEUdxWkHxZf0Ihk9qe3 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR10MB4196.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(7916004)(396003)(346002)(39860400002)(376002)(136003)(366004)(451199015)(8936002)(44832011)(66476007)(7416002)(110136005)(54906003)(5660300002)(86362001)(316002)(66556008)(66946007)(8676002)(4326008)(83380400001)(186003)(38100700002)(6666004)(41300700001)(6506007)(53546011)(6486002)(26005)(9686003)(6512007)(478600001)(33716001)(66899012)(2906002)(67856001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?2V2eldos7fwgJqDEKqSjq/vTMDeybr9YrK8bmR8C0Eevss0Qksm25lFCcXYU?= =?us-ascii?Q?W2t6S1s+4ebwKy4aHlLhYaJSckin8Lvj0Dhh8AsomdTRoDeGZ4swXkNJn8l0?= =?us-ascii?Q?BxV5hKp2NM2sHht3lKxZ3kL43/02Y71JIq1Xc8P2215Xx5cAroWe1SyJ+Cr0?= =?us-ascii?Q?4aJvNABDYlzfik4gmqJGjFWNsLniQFZ5ZdUg3g7nFIhJeH0lthN1DyCxx+KZ?= =?us-ascii?Q?hRYiF8lbgCMETxp8k1k3cp0Ge3Oge7YKH9rruCz4aaj06g4ZB9W3/xaoYB3s?= =?us-ascii?Q?SEFJgCMU+WFnn7Xl6im5oyth1jsqoKZTSNmAlJEhj0js0ejyLPwHrRE9kIW0?= =?us-ascii?Q?ALAzDabBdPgNuQgsh7VC9OSWzzirULp9ahWdpb+HTrg8+THAa8kdEMt1LsNq?= =?us-ascii?Q?jkYrPQ4jDZNrYHlHI5HEGB5m3adP6oaBYqKWMycLhT1T0+Q8b9K0R46kaGNd?= =?us-ascii?Q?35FkDqj74wkTrjMgSPbNMep7mh7NMqIc5IVzgleP/Ox7rcTCG+7AI+31+aAM?= =?us-ascii?Q?Q7ZlCIOadgfexLFprp2+pePAqfCBmocnRPiv5w9kmvIF3AssM1ultC/iHard?= =?us-ascii?Q?I57r4X88Wi3vVNUwK1sm8ck0CUEB3aQcz86CmFwpe/BPODALMutPM2V3khvF?= =?us-ascii?Q?JHGvVpIY2zjAAlNA2eR9pbrTGS4zWpy/2JUWHeseQI6DT6deh8TtFc0njldc?= =?us-ascii?Q?8W8cmftFY2X1AsngrFoosckoE867V3YuAbXAEtdl0UMiicINHqZK0cMGNyTy?= =?us-ascii?Q?c3xhvniCAcRrZJVJ4OTQUJlC4Yt2gd4rqASVdQbZIn6fV8oyo1UWY7TS5yXM?= =?us-ascii?Q?IbBaF++ntogyPbCBfvhc8gTB3FHgP6yF42/3LgOQnxsiLsAL4KT7chYY6l57?= =?us-ascii?Q?tmJWbyiIV8pYUk+dVF2AyNooLdi0Cvc/gbI6N/YpbPWyjj51d3tBVjGGo8je?= =?us-ascii?Q?8IYeAqZqjNQmnTTsi6L208+7LwZkgunWCqh4028ipCUq7bErVyr7E95poQk+?= =?us-ascii?Q?Ob77dEo7I9/Ice6BuOxRj1EQXbvATxsj/fWz/yMd15wrDFN4PedKKpANr4m5?= =?us-ascii?Q?oBHL4T5bniG2Q6YUTswcxuGyVplWrx7w42uGBQLXUIg7zlOd8PxAFYBRD6vm?= =?us-ascii?Q?hvNceQwJ8CbAAqGSKtHxP+vSfaFR9Lt67f6LtZFTJvw+VzxN4BF1JpH3H9+p?= =?us-ascii?Q?E6J1Lfc7ZxIFQHa6gA3IEMfEcjpe1jiK1PPBOTDIrwog+XWvqYw/m2TRc+GT?= =?us-ascii?Q?uWuEdpdtW7Llzx8sk5mdU5qyEa1CQZoINqXlaQ7pN39Um6ixAmR+5uB2WbQ0?= =?us-ascii?Q?+3nFSZeP6/Co7f32Tpd49qzj/E+hE6PKgzExcXCdgp089fPWjoMtJmR7YeV5?= =?us-ascii?Q?gLyY2qd4Y16q66JWVNdbuLZVZnhLGxICuAoRjRfqoSvEb53lw5r2Tf/8x87c?= =?us-ascii?Q?3vnPH82ok66QIh7pmsLv1OKaT6mtptkNRqgkb64MZsKC2fRrnAhNAryphEfe?= =?us-ascii?Q?GraO3LmxNOgUaWtrsYYWBzvWs/7vhjiccHuK71p2qta7PttXpblNixAYG0w/?= =?us-ascii?Q?vSaAjF6MKaENkQeTk77IT41Cyz8rcyQ9b2cb+Fatek60BX4PMt2PaWUYRhRr?= =?us-ascii?Q?5w=3D=3D?= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: b7c20090-21bc-49dd-f37e-08da9cbe8138 X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4196.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Sep 2022 17:18:45.3933 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: YwjYoDthurL7VMbsOPeFu5ywcX5ikawFCqd+fhn8DRrJfxxy8EpdwIAKVdaXjxLabU41VqxnJC9c65x4IP3BvA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR10MB4503 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-22_12,2022-09-22_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=357 adultscore=0 phishscore=0 bulkscore=0 malwarescore=0 spamscore=0 suspectscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2209220115 X-Proofpoint-ORIG-GUID: okIIxXQQe2uGPhqULWUTQvAITxIqb34g X-Proofpoint-GUID: okIIxXQQe2uGPhqULWUTQvAITxIqb34g X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/22/22 09:46, David Hildenbrand wrote: > On 22.09.22 01:57, Mike Kravetz wrote: > > On 09/21/22 10:48, Mike Kravetz wrote: > > > On 09/21/22 16:34, Liu Shixin wrote: > > > > The vma_lock and hugetlb_fault_mutex are dropped before handling > > > > userfault and reacquire them again after handle_userfault(), but > > > > reacquire the vma_lock could lead to UAF[1] due to the following > > > > race, > > > > > > > > hugetlb_fault > > > > hugetlb_no_page > > > > /*unlock vma_lock */ > > > > hugetlb_handle_userfault > > > > handle_userfault > > > > /* unlock mm->mmap_lock*/ > > > > vm_mmap_pgoff > > > > do_mmap > > > > mmap_region > > > > munmap_vma_range > > > > /* clean old vma */ > > > > /* lock vma_lock again <--- UAF */ > > > > /* unlock vma_lock */ > > > > > > > > Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), > > > > let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix > > > > the issue. > > > > > > Thank you very much! > > > > > > When I saw this report, the obvious fix was to do something like what you have > > > done below. That looks fine with a few minor comments. > > > > > > One question I have not yet answered is, "Does this same issue apply to > > > follow_hugetlb_page()?". I believe it does. follow_hugetlb_page calls > > > hugetlb_fault which could result in the fault being processed by userfaultfd. > > > If we experience the race above, then the associated vma could no longer be > > > valid when returning from hugetlb_fault. follow_hugetlb_page and callers > > > have a flag (locked) to deal with dropping mmap lock. However, I am not sure > > > if it is handled correctly WRT userfaultfd. I think this needs to be answered > > > before fixing. And, if the follow_hugetlb_page code needs to be fixed it > > > should be done at the same time. > > > > > > > To at least verify this code path, I added userfaultfd handling to the gup_test > > program in kernel selftests. When doing basic gup test on a hugetlb page in > > a userfaultfd registered range, I hit this warning: > > > > [ 6939.867796] FAULT_FLAG_ALLOW_RETRY missing 1 > > [ 6939.871503] CPU: 2 PID: 5720 Comm: gup_test Not tainted 6.0.0-rc6-next-20220921+ #72 > > [ 6939.874562] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014 > > [ 6939.877707] Call Trace: > > [ 6939.878745] > > [ 6939.879779] dump_stack_lvl+0x6c/0x9f > > [ 6939.881199] handle_userfault.cold+0x14/0x1e > > [ 6939.882830] ? find_held_lock+0x2b/0x80 > > [ 6939.884370] ? __mutex_unlock_slowpath+0x45/0x280 > > [ 6939.886145] hugetlb_handle_userfault+0x90/0xf0 > > [ 6939.887936] hugetlb_fault+0xb7e/0xda0 > > [ 6939.889409] ? vprintk_emit+0x118/0x3a0 > > [ 6939.890903] ? _printk+0x58/0x73 > > [ 6939.892279] follow_hugetlb_page.cold+0x59/0x145 > > [ 6939.894116] __get_user_pages+0x146/0x750 > > [ 6939.895580] __gup_longterm_locked+0x3e9/0x680 > > [ 6939.897023] ? seqcount_lockdep_reader_access.constprop.0+0xa5/0xb0 > > [ 6939.898939] ? lockdep_hardirqs_on+0x7d/0x100 > > [ 6939.901243] gup_test_ioctl+0x320/0x6e0 > > [ 6939.902202] __x64_sys_ioctl+0x87/0xc0 > > [ 6939.903220] do_syscall_64+0x38/0x90 > > [ 6939.904233] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > [ 6939.905423] RIP: 0033:0x7fbb53830f7b > > > > This is because userfaultfd is expecting FAULT_FLAG_ALLOW_RETRY which is not > > set in this path. > > Right. Without being able to drop the mmap lock, we cannot continue. And we > don't know if we can drop it without FAULT_FLAG_ALLOW_RETRY. > > FAULT_FLAG_ALLOW_RETRY is only set when we can communicate to the caller > that we dropped the mmap lock [e.g., int *locked parameter]. > > All code paths that pass NULL won't be able to handle -- especially > surprisingly also pin_user_pages_fast() -- cannot trigger usefaultfd and > will result in this warning. > > > A "sane" example is access via /proc/self/mem via ptrace: we don't want to > trigger userfaultfd, but instead simply fail the GUP get/pin. > > > Now, this is just a printed *warning* (not a WARN/BUG/taint) that tells us > that there is a GUP user that isn't prepared for userfaultfd. So it rather > points out a missing GUP adaption -- incomplete userfaultfd support. And we > seem to have plenty of that judging that pin_user_pages_fast_only(). > > Maybe the printed stack trace is a bit too much and makes this look very > scary. > > > > > Adding John, Peter and David on Cc: as they are much more fluent in all the > > fault and FOLL combinations and might have immediate suggestions. It is going > > to take me a little while to figure out: > > 1) How to make sure we get the right flags passed to handle_userfault > > This is a GUP caller problem -- or rather, how GUP has to deal with > userfaultfd. > > > 2) How to modify follow_hugetlb_page as userfaultfd can certainly drop > > mmap_lock. So we can not assume vma still exists upon return. > > Again, we have to communicate to the GUP caller that we dropped the mmap > lock. And that requires GUP caller changes. > Thank you and Peter for replying! The 'good news' is that there does not appear to be a case where userfaultfd (via hugetlb_fault) drops the lock and follow_hugetlb_page is not prepard for the consequences. So, this is not an exposure as in hugetlb_handle_userfault that is in need of an immediate fix. i.e. A fix like that originally proposed here is sufficient. We can think about whether this specific calling sequence needs to be modified. -- Mike Kravetz