From: Jann Horn
Date: Tue, 17 Jan 2023 20:12:49 +0100
Subject: Re: [PATCH] mm/khugepaged: Fix ->anon_vma race
To: Andrew Morton
Cc: "Kirill A. Shutemov", "Zach O'Keefe", linux-kernel@vger.kernel.org, David Hildenbrand, Yang Shi, linux-mm@kvack.org
In-Reply-To: <20230111133351.807024-1-jannh@google.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Jan 11, 2023 at 2:33 PM Jann Horn wrote:
> If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
> it to be locked. retract_page_tables() bails out if an ->anon_vma is
> attached, but does this check before holding the mmap lock (as the comment
> above the check explains).

@akpm please replace the commit message with the following, and maybe also
add a "Link:" entry pointing to
https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_POneSDF+A@mail.gmail.com/
for the reproducer.

If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
it to be locked.

Page table traversal is allowed under any one of the mmap lock, the
anon_vma lock (if the VMA is associated with an anon_vma), and the mapping
lock (if the VMA is associated with a mapping); and so to be able to remove
page tables, we must hold all three of them.
retract_page_tables() bails out if an ->anon_vma is attached, but does this
check before holding the mmap lock (as the comment above the check
explains).

If we racily merge an existing ->anon_vma (shared with a child process)
from a neighboring VMA, subsequent rmap traversals on pages belonging to
the child will be able to see the page tables that we are concurrently
removing while assuming that nothing else can access them.

Repeat the ->anon_vma check once we hold the mmap lock to ensure that there
really is no concurrent page table access.

Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in
the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can
also lead to use-after-free access.
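The bug class in the commit message above, a condition checked before the lock is taken and then trusted after it, shown as an added userspace model that is not kernel code and not part of the patch or this thread. The `struct vma`, `merge_thread`, `retract` and `run_race` names are my own; the mmap lock is modelled as a pthread mutex, the anon_vma and mapping locks are not modelled, and two barriers force the interleaving in which the VMA merge lands between the unlocked ->anon_vma check and the lock acquisition. `retract(..., false)` follows the original ordering and frees the page table although an anon_vma is now attached; `retract(..., true)` repeats the check under the lock and bails out, which is what the fix does.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model only (added example, not kernel code): one VMA, one lock. */
struct anon_vma { int unused; };

struct vma {
    pthread_mutex_t mmap_lock;   /* stands in for the mmap lock */
    struct anon_vma *anon_vma;   /* non-NULL: rmap walkers may traverse page tables */
    bool page_table_freed;       /* set when "retract" removes the page table */
};

/* Barriers that pin the interleaving: step1 = unlocked check done,
 * step2 = merge done. */
static pthread_barrier_t step1, step2;

/* Concurrent VMA merge: attaches an existing (shared) anon_vma under the
 * lock, after retract() has already done its unlocked check. */
static void *merge_thread(void *arg)
{
    static struct anon_vma shared_av;   /* stands in for the child's anon_vma */
    struct vma *v = arg;

    pthread_barrier_wait(&step1);
    pthread_mutex_lock(&v->mmap_lock);
    v->anon_vma = &shared_av;
    pthread_mutex_unlock(&v->mmap_lock);
    pthread_barrier_wait(&step2);
    return NULL;
}

/* recheck_under_lock == false: original retract_page_tables() ordering.
 * recheck_under_lock == true : the fix, check again once the lock is held.
 * Returns true if the page table was removed. */
static bool retract(struct vma *v, bool recheck_under_lock)
{
    if (v->anon_vma)            /* early bail-out done WITHOUT the lock */
        return false;

    pthread_barrier_wait(&step1);
    pthread_barrier_wait(&step2);   /* merge_thread runs in between */

    pthread_mutex_lock(&v->mmap_lock);
    if (recheck_under_lock && v->anon_vma) {
        pthread_mutex_unlock(&v->mmap_lock);
        return false;           /* rmap users exist now; leave the table alone */
    }
    /* With an anon_vma attached this is the bug: rmap traversals can still
     * reach the page table we are removing. */
    v->page_table_freed = true;
    pthread_mutex_unlock(&v->mmap_lock);
    return true;
}

/* Runs one forced interleaving. Returns true when the page table was freed
 * while an anon_vma was attached, i.e. when the race was lost. */
bool run_race(bool recheck_under_lock)
{
    struct vma v = { PTHREAD_MUTEX_INITIALIZER, NULL, false };
    pthread_t t;

    pthread_barrier_init(&step1, NULL, 2);
    pthread_barrier_init(&step2, NULL, 2);
    pthread_create(&t, NULL, merge_thread, &v);
    retract(&v, recheck_under_lock);
    pthread_join(t, NULL);
    pthread_barrier_destroy(&step1);
    pthread_barrier_destroy(&step2);

    return v.page_table_freed && v.anon_vma != NULL;
}

int main(void)
{
    printf("original ordering, freed with anon_vma attached: %d\n",
           run_race(false));
    printf("re-check under lock, freed with anon_vma attached: %d\n",
           run_race(true));
    return 0;
}
```

Build with `cc -pthread race.c`. The barriers make the lost race reproducible on every run; in the real kernel the same window is hit only occasionally, which is why the symptom on the page is a lockdep warning rather than a deterministic crash.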