Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp9987138rwl; Wed, 11 Jan 2023 12:47:59 -0800 (PST) X-Google-Smtp-Source: AMrXdXvoTjN3cYW+pspyqW6lep/4fowgGOEn8w+N8j3ot3CGS49LySa99AHDhAe34DwHjGzjKMuF X-Received: by 2002:a17:907:9625:b0:7ad:9455:d57d with SMTP id gb37-20020a170907962500b007ad9455d57dmr71828342ejc.74.1673470079019; Wed, 11 Jan 2023 12:47:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673470079; cv=none; d=google.com; s=arc-20160816; b=XRUQsNEOep3Y5PXb+6XPgKXUd51AwhJiXN+kl9HEG7PrzXSJnHrUEpEBjgKcTCzPxe YCKw4xBdgV7tl57iRBGBLUI40s/8+ZSsncSfyhcj2FV8h1S48qlurSRJNhzB9fL4mqJa RsYpXJ2KbQDRb2Fa6DN0tstv670EEHU2JFM8IpvmR6KJnHOZCSE5oIGan0j0vL05Uxms t337U2n1s9N6r2ujLyhVXcAwlOEFhc+HQw415jFldOhCMxV2MNEYpm0pj/6/n6iSbX+a 55ZxP4kRp6T1neamRj4ZdXduUhrTKgM04WTyvNaqDFV7VsjhTMqbcAK8ScvBfxMRlGwb XkEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=0s7NL4TKaIi7w5aidX/B8AlJEfhOE5GT6g2KKEIusiQ=; b=x1ME6H0niqfr7QjfiNVAtZi4bSPHrgjlYF1n2glT3B7x1PiJoDTppjM/uNMbsnbDY5 PB2ozoWeBd35QXaOWfotQJ+2Y91GIEeR9V5V92hS4PmmRtrSLi2dFToLENt949tXmBep 4K8n3JyHppGpfwiVghi1ThVT88RJ1uj1Ac5kHgNCVuCtwE8qzRniuXfThonyWt3kClfO WxidLDqsZAlNr8fCM5IuBfxDCuZWIwLSWHF2xWDYBuqbiyO7pKeeDs27A2ERxrkRqKyD 9hcmSKPN/G8K8AN904JBZfugXwRzz9ZXHhViLfdxTw4vCGbtDrKsOuI1YNuS750T2o+M 0RBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="FLIry7/6"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dz22-20020a0564021d5600b0048aa3eebb6dsi17854830edb.611.2023.01.11.12.47.46; Wed, 11 Jan 2023 12:47:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="FLIry7/6"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230197AbjAKURB (ORCPT + 53 others); Wed, 11 Jan 2023 15:17:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42470 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235870AbjAKUQx (ORCPT ); Wed, 11 Jan 2023 15:16:53 -0500 Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1D02AA1A9 for ; Wed, 11 Jan 2023 12:16:52 -0800 (PST) Received: by mail-ed1-x52d.google.com with SMTP id i9so24051199edj.4 for ; Wed, 11 Jan 2023 12:16:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0s7NL4TKaIi7w5aidX/B8AlJEfhOE5GT6g2KKEIusiQ=; b=FLIry7/6rG5x7cD3DYe7jdBkSStNP+8Na3dvj/OvlhhvXJx0Oq5Xh/qrEofMd2d+I5 EUjtvDJ2k3KdCI5hnlkwhQAUFrUeFN5RHHdK/J2MSMseZVbx3jJQ1ijYrQmRATTfcK9x 0zGNeiHkWB6S0ixXsDfgqvHmtlmttzD4X8qvXrregII4wtfL5Aa3TTjfRGpkbJoTaigc Nhq78q72WguqenGX8MP0sZHJY3AwLwilKeME+CaylrxOElFqAaYeLrxY4zeTESwxUgtm XIPE7CG3IzMrUTpCf7cKgdPVrSpfH43islA661d/YlBAVGsUjiA1dihK2GS1VDyvrI9G xU7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0s7NL4TKaIi7w5aidX/B8AlJEfhOE5GT6g2KKEIusiQ=; b=A3/y0p1JgAOIPFWOHols0fCJNqLT0jxnGqNEnA0j/R+qDIRVj0KXIvuag+OsxiDRtF n1aceefgkgRsKSL0ejcPolbSDWFYzYoDoUDQBT6nj5w+ru0B0kxhLmCCRC/Q4FpsEm+j 1YXlFPIBJxO8u6+Q7QM+T9A40V57xivNCDRNYeX9E7yxYSe6pox6RWysZzYnY6zpsGM7 SuKvpEdOYJbfQkUfVWZ+3dh+qJ7XnMKxO+OA3KWgrlmXtztz3yKPx5z3iRfs3snJftbC IvKLJe8t4wDu14ZmbqdC2KgDUL/XzWWoNYC7dDvwxTEpXfne15+6ULuN76XYZOBl7DgF H1kg== X-Gm-Message-State: AFqh2koQvCcXo+rW7jfit/rbiwKOWstq9fL2yWiOdSc9iphNPkHVdClO EgBFCT2TWJyy87lX08DsfH83frbNs5uRQg95ZS2X5Q== X-Received: by 2002:aa7:cd8c:0:b0:483:a754:8788 with SMTP id x12-20020aa7cd8c000000b00483a7548788mr7413946edv.218.1673468210511; Wed, 11 Jan 2023 12:16:50 -0800 (PST) MIME-Version: 1.0 References: <20221104212519.538108-1-sethjenkins@google.com> In-Reply-To: From: Seth Jenkins Date: Wed, 11 Jan 2023 15:16:38 -0500 Message-ID: Subject: Re: [PATCH] aio: fix mremap after fork null-deref To: Jeff Moyer Cc: Alexander Viro , Benjamin LaHaise , linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-kernel@vger.kernel.org, Jann Horn , Pavel Emelyanov , stable@vger.kernel.org, Andrew Morton Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > I wonder if it would be better to not copy the ring mapping on fork. > Something like the below? I think that would be more in line with > expectations (the ring isn't available in the child process). I like this idea a lot, but would this be viewed as subtly changing the userland to kernel interface? If we're okay with this change though, I think it makes sense. On Wed, Jan 11, 2023 at 2:37 PM Jeff Moyer wrote: > > Hi, Seth, > > Seth Jenkins writes: > > > Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced > > a null-deref if mremap is called on an old aio mapping after fork as > > mm->ioctx_table will be set to NULL. > > > > Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring") > > Cc: stable@vger.kernel.org > > Signed-off-by: Seth Jenkins > > --- > > fs/aio.c | 20 +++++++++++--------- > > 1 file changed, 11 insertions(+), 9 deletions(-) > > > > diff --git a/fs/aio.c b/fs/aio.c > > index 5b2ff20ad322..74eae7de7323 100644 > > --- a/fs/aio.c > > +++ b/fs/aio.c > > @@ -361,16 +361,18 @@ static int aio_ring_mremap(struct vm_area_struct *vma) > > spin_lock(&mm->ioctx_lock); > > rcu_read_lock(); > > table = rcu_dereference(mm->ioctx_table); > > - for (i = 0; i < table->nr; i++) { > > - struct kioctx *ctx; > > - > > - ctx = rcu_dereference(table->table[i]); > > - if (ctx && ctx->aio_ring_file == file) { > > - if (!atomic_read(&ctx->dead)) { > > - ctx->user_id = ctx->mmap_base = vma->vm_start; > > - res = 0; > > + if (table) { > > + for (i = 0; i < table->nr; i++) { > > + struct kioctx *ctx; > > + > > + ctx = rcu_dereference(table->table[i]); > > + if (ctx && ctx->aio_ring_file == file) { > > + if (!atomic_read(&ctx->dead)) { > > + ctx->user_id = ctx->mmap_base = vma->vm_start; > > + res = 0; > > + } > > + break; > > } > > - break; > > } > > } > > I wonder if it would be better to not copy the ring mapping on fork. > Something like the below? I think that would be more in line with > expectations (the ring isn't available in the child process). > > -Jeff > > diff --git a/fs/aio.c b/fs/aio.c > index 562916d85cba..dbf3b0749cb4 100644 > --- a/fs/aio.c > +++ b/fs/aio.c > @@ -390,7 +390,7 @@ static const struct vm_operations_struct aio_ring_vm_ops = { > > static int aio_ring_mmap(struct file *file, struct vm_area_struct *vma) > { > - vma->vm_flags |= VM_DONTEXPAND; > + vma->vm_flags |= VM_DONTEXPAND|VM_DONTCOPY; > vma->vm_ops = &aio_ring_vm_ops; > return 0; > } >