Date: Sun, 25 Sep 2022 11:28:26 -0700
From: Andrew Morton
To: Liu Shixin
Cc: Liu Zixian, Mike Kravetz, Muchun Song, Sidhartha Kumar, John Hubbard, David Hildenbrand, Kefeng Wang, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] mm: hugetlb: fix UAF in hugetlb_handle_userfault
Message-Id: <20220925112826.c3efd2cf438d1bb6329f78ed@linux-foundation.org>
In-Reply-To: <20220924034905.2694686-1-liushixin2@huawei.com>
References: <20220924034905.2694686-1-liushixin2@huawei.com>

On Sat, 24 Sep 2022 11:49:05 +0800 Liu Shixin wrote:

> The vma_lock and hugetlb_fault_mutex are dropped before handling
> userfault and reacquired again after handle_userfault(), but
> reacquiring the vma_lock could lead to UAF[1,2] due to the following
> race:
>
> hugetlb_fault
>   hugetlb_no_page
>     /* unlock vma_lock */
>     hugetlb_handle_userfault
>       handle_userfault
>         /* unlock mm->mmap_lock */
>                                         vm_mmap_pgoff
>                                           do_mmap
>                                             mmap_region
>                                               munmap_vma_range
>                                                 /* clean old vma */
>         /* lock vma_lock again  <--- UAF */
>     /* unlock vma_lock */
>
> Since the vma_lock will be unlocked immediately after hugetlb_handle_userfault(),
> let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix
> the issue.
>

Thanks.  Turns out that porting all the pending material on top of this
change was not a confidence-inspiring activity.  So I ended up merging
your v3.

Please work with Greg on the backporting when he gets on to it?  Hopefully
that will merely involve sending him this v4.
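The race in the quoted commit message, modelled in user space as an added example. This is not kernel code and not the patch under discussion: `struct vma`, `struct mm`, `vma_lock()`, `munmap_vma()` and `handle_userfault()` are simplified stand-ins (assumptions) for the kernel's vma, vma list, vma_lock read side, munmap path and handle_userfault(). Rather than really freeing the vma, which would be undefined behaviour, the model marks a torn-down vma dead so that the later re-lock in the buggy path is caught and reported, while the fixed path never touches the vma again after dropping its lock.

```c
/* User-space model of the hugetlb vma_lock drop/re-lock race (added example,
 * not kernel code). All names below are simplified stand-ins for kernel
 * objects and are assumptions of this model. */
#include <stdio.h>

struct vma {
    int locked;   /* model of vma_lock (read side) */
    int alive;    /* cleared once the "munmap" path has torn the vma down */
};

struct mm {
    struct vma *vmas[4];   /* model of the mm's vma list */
    int n;
};

/* Model of hugetlb_vma_lock_read(): refuses to lock a vma that has already
 * been torn down and returns -1, which is how the model reports a UAF. In the
 * real kernel this is a read of freed memory with no such check. */
static int vma_lock(struct vma *v)
{
    if (!v->alive)
        return -1;
    v->locked = 1;
    return 0;
}

static void vma_unlock(struct vma *v)
{
    v->locked = 0;
}

/* Model of the munmap path (munmap_vma_range): unlinks the vma from the mm
 * and tears it down. In the kernel the vma is freed here. */
static void munmap_vma(struct mm *mm, struct vma *v)
{
    for (int i = 0; i < mm->n; i++) {
        if (mm->vmas[i] == v) {
            mm->vmas[i] = mm->vmas[--mm->n];
            break;
        }
    }
    v->alive = 0;
}

/* Model of handle_userfault(): mmap_lock is dropped while the fault is
 * handled, so another thread may run mmap()/munmap() on the same mm in the
 * meantime. The racing thread is modelled by calling munmap_vma() directly. */
static void handle_userfault(struct mm *mm, struct vma *v, int racing_munmap)
{
    if (racing_munmap)
        munmap_vma(mm, v);
}

/* Buggy pattern: drop vma_lock, block in handle_userfault(), then re-lock a
 * vma whose lifetime this code no longer controls. Returns -1 when the model
 * catches the use-after-free, 0 otherwise. */
static int hugetlb_handle_userfault_buggy(struct mm *mm, struct vma *v,
                                          int racing_munmap)
{
    vma_unlock(v);
    handle_userfault(mm, v, racing_munmap);
    if (vma_lock(v) < 0)          /* <--- UAF in the real kernel */
        return -1;
    vma_unlock(v);                /* the caller's unlock in hugetlb_no_page */
    return 0;
}

/* Fixed pattern: the vma is unlocked once and is never touched again after
 * handle_userfault() returns; the caller takes an exit path that does not
 * unlock it a second time. */
static int hugetlb_handle_userfault_fixed(struct mm *mm, struct vma *v,
                                         int racing_munmap)
{
    vma_unlock(v);
    handle_userfault(mm, v, racing_munmap);
    return 0;
}

/* Runs one fault with the vma locked, as hugetlb_no_page would hold it, and
 * returns the handler's result (-1 means the model detected a UAF). */
static int run_fault(int (*handler)(struct mm *, struct vma *, int),
                     int racing_munmap)
{
    struct vma v = { .locked = 0, .alive = 1 };
    struct mm mm = { .vmas = { &v }, .n = 1 };

    if (vma_lock(&v) < 0)
        return -1;
    return handler(&mm, &v, racing_munmap);
}

int main(void)
{
    printf("buggy, no race:   %d\n", run_fault(hugetlb_handle_userfault_buggy, 0));
    printf("buggy, munmap:    %d\n", run_fault(hugetlb_handle_userfault_buggy, 1));
    printf("fixed, munmap:    %d\n", run_fault(hugetlb_handle_userfault_fixed, 1));
    return 0;
}
```

The point the model makes is the lifetime rule behind the fix: once the lock that pins the vma is dropped and mmap_lock is released inside handle_userfault(), nothing guarantees the vma still exists, so any code that re-locks or unlocks it afterwards is a use-after-free waiting for a concurrent munmap. The buggy handler returns -1 only when the racing teardown happens, which is why the bug is timing-dependent and shows up under stress rather than in simple testing.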