Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp9202470rwr; Thu, 11 May 2023 11:20:36 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5pXaOt7gQm6xlvVvuozWFBUdEtUYti7Fo5RsgSllo4wKsAu7xH7HAySjQPlmzoxiMWy23W X-Received: by 2002:a05:6a00:ccc:b0:643:9cc0:a3be with SMTP id b12-20020a056a000ccc00b006439cc0a3bemr28351709pfv.5.1683829236058; Thu, 11 May 2023 11:20:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683829236; cv=none; d=google.com; s=arc-20160816; b=0yXbVAIV0rPs751JeKEaGGyVav2jizOspzRU/4rWFLG5gLdtt49fRnlTffrfXNsRH9 KgYD3ooYddJyCpaeNNGN6KsIvcWceMmX0bElRUuFl+gsFCl/5wavKZWLXfKvxoIZIiOz II4lh79F1d6NGL68Rily9eV/N5lXLrgmpuzP0supHJusOhSiISO9IBJSm10ctKrRcDsd bQT2f1bLkdw9HMmq/MUKY82vjKu2IfRCg2KGlSn2GbN5WIF9PjouGvPwMgmY+XTxHPpc cMJRgYgqQIhIXC3Vhsc3otNqsaYPrl7tZtjAXoA+l1dNpCry0v/8dXut89DH3sN/dqjS CnLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=eNWOWMTtSya0T8qp8rVOMjrQplNvnwAPoLY4mrPXzN0=; b=GLFElifHl4fiHXGUYhnbeg0Ubmkz97dkRzYiZRSodvmNhBHj3cxj8/CVj9+fStfRyP S3eq7xoYDfkSmKrI7HtxyN/Dx+vN6jn2LhZH71XRLvvStYDUcC/oWapnKVqioDPHl9k/ 592MxQi49FK67GQAZxkzXukgNu3UAfnHkqftSpXKrLjhK2U5nDcIYwH0BnMoud1eq7p7 7ookL/qGW5fG0WFFjRsw9z9R/D7+RoAo2r5m9PUhOu3sRDyi4cnEkxgSmZzJBV8YtSBf 7TwXUQ5HLf1rLFIZGAeGid0bW2wtNPkIZ8WfqmbVeRN7P0MrCpm6+B4OzU7KM67S9KI6 BPWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=C4U73fyS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u187-20020a6379c4000000b005034a5a0a58si7011470pgc.434.2023.05.11.11.20.23; Thu, 11 May 2023 11:20:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=C4U73fyS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239068AbjEKSJj (ORCPT + 99 others); Thu, 11 May 2023 14:09:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36706 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239109AbjEKSJg (ORCPT ); Thu, 11 May 2023 14:09:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E6928D040 for ; Thu, 11 May 2023 11:09:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4A9C46507B for ; Thu, 11 May 2023 18:08:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76498C4339B; Thu, 11 May 2023 18:08:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1683828522; bh=a8GH8ffv6Io2e/3QEMAqEjxKKcU+R60IoxJKxKD750o=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=C4U73fySzrXnlvzjnI/BrXsv5SsdVqE5i7WZ1lYPG/0jlvKIENfxAVa5z+u+NE+no 1wyOUqO38EXmCK7yHRBGCiWTO4bPifTc3J6/KXWW5ZrgRZgvSG8HUMMmo2a72oYsBs uXaS4sW6Yfdvg3+qJTjFh/mXviCTMXmr2Px8HfjmNtHTLW2At1FOwLxQZ20VNmL3vM V6OpWU9T6f7LhITV3uECj07+H5guXFa6c6OFp25UzwokNEXQw7w8RilSnAVq2wxRH2 hVZxptbP3IBk73F3q+lIDIoQZk0aaEZ19w9r1QDf2NcxFkJL1ERGJK5k9MziiYMgWX qHiLmGyQsYVfQ== Date: Thu, 11 May 2023 11:08:41 -0700 From: Mike Rapoport To: Lorenzo Stoakes Cc: Mark Rutland , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton , "Liam R . Howlett" , Vlastimil Babka , Peter Xu Subject: Re: [PATCH] mm/mmap/vma_merge: always check invariants Message-ID: <20230511180841.GE4135@kernel.org> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (adding Peter) On Wed, May 10, 2023 at 09:26:10AM -0700, Lorenzo Stoakes wrote: > On Wed, May 10, 2023 at 05:17:49PM +0100, Mark Rutland wrote: > > On Wed, May 10, 2023 at 09:04:44AM -0700, Lorenzo Stoakes wrote: > > > On Wed, May 10, 2023 at 03:15:51PM +0100, Mark Rutland wrote: > > > > Hi, > > > > > > > > On Sun, Apr 30, 2023 at 09:19:17PM +0100, Lorenzo Stoakes wrote: > > > > > We may still have inconsistent input parameters even if we choose not to > > > > > merge and the vma_merge() invariant checks are useful for checking this > > > > > with no production runtime cost (these are only relevant when > > > > > CONFIG_DEBUG_VM is specified). > > > > > > > > > > Therefore, perform these checks regardless of whether we merge. > > > > > > > > > > This is relevant, as a recent issue (addressed in commit "mm/mempolicy: > > > > > Correctly update prev when policy is equal on mbind") in the mbind logic > > > > > was only picked up in the 6.2.y stable branch where these assertions are > > > > > performed prior to determining mergeability. > > > > > > > > > > Had this remained the same in mainline this issue may have been picked up > > > > > faster, so moving forward let's always check them. > > > > > > > > > > Signed-off-by: Lorenzo Stoakes > > > > > --- > > > > > mm/mmap.c | 10 +++++----- > > > > > 1 file changed, 5 insertions(+), 5 deletions(-) > > > > > > > > > > diff --git a/mm/mmap.c b/mm/mmap.c > > > > > index 5522130ae606..13678edaa22c 100644 > > > > > --- a/mm/mmap.c > > > > > +++ b/mm/mmap.c > > > > > @@ -960,17 +960,17 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > > > > > merge_next = true; > > > > > } > > > > > > > > > > + /* Verify some invariant that must be enforced by the caller. */ > > > > > + VM_WARN_ON(prev && addr <= prev->vm_start); > > > > > + VM_WARN_ON(curr && (addr != curr->vm_start || end > curr->vm_end)); > > > > > + VM_WARN_ON(addr >= end); > > > > > + > > > > > > > > I'm seeing this fire a lot when fuzzing v6.4-rc1 on arm64 using Syzkaller. > > > > > > > > > > Thanks, from the line I suspect addr != curr->vm_start, but need to look > > > into the repro, at lsf/mm so a bit time lagged :) > > > > No problem; FWIW I can confirm your theory, the reproducer is causing: > > > > addr > curr->vm_start > > > > ... confirmed the the following hack, log below. > > Awesome thanks for that! Just been firing up qemu to do this. > > Cases 5-8 should really have addr == curr->vm_start, I wonder if it's > another case but curr is being set incorrectly, it should in theory not be > the case. AFAIU, it's a case of "adjust vma, but don't merge, because prev is not compatible". Looks like uffd first attempts to merge compatible the newly registered range with adjacent vmas relying on that there won't be no merge when addr != curr->vm_start and only after the merge attempt it splits the edges. I think that moving the split in fs/userfaultfd.c:1495 (as of v6.4-rc1) before vma_merge() will be the right fix. > (See [1] for a visualisation of merge cases as a handy reference) > > Of course userfaultfd might be the offender here and might be relying on no > merge case arising but passing dodgy parameters. > > [1]:https://ljs.io/merge_cases.png You really should put it into Documentation/mm ;-) > > > > | diff --git a/mm/mmap.c b/mm/mmap.c > > | index 13678edaa22c..2cdebba15719 100644 > > | --- a/mm/mmap.c > > | +++ b/mm/mmap.c > > | @@ -961,9 +961,21 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > > | } > > | > > | /* Verify some invariant that must be enforced by the caller. */ > > | - VM_WARN_ON(prev && addr <= prev->vm_start); > > | - VM_WARN_ON(curr && (addr != curr->vm_start || end > curr->vm_end)); > > | - VM_WARN_ON(addr >= end); > > | + VM_WARN(prev && addr <= prev->vm_start, > > | + "addr = 0x%016lx, prev->vm_start = 0x%016lx\n", > > | + addr, prev->vm_start); > > | + > > | + VM_WARN(curr && addr != curr->vm_start, > > | + "addr = 0x%016lx, curr->vm_start = 0x%016lx\n", > > | + addr, curr->vm_start); > > | + > > | + VM_WARN(curr && addr > curr->vm_end, > > | + "addr = 0x%016lx, curr->vm_end = 0x%016lx\n", > > | + addr, curr->vm_end); > > | + > > | + VM_WARN(addr >= end, > > | + "addr = 0x%016lx, end = 0x%016lx\n", > > | + addr, end); > > | > > | if (!merge_prev && !merge_next) > > | return NULL; /* Not mergeable. */ > > > > ... with that applied, running the reproducer results in: > > > > | addr = 0x0000ffff99dc2000, curr->vm_start = 0x0000ffff99db2000 > > | WARNING: CPU: 0 PID: 163 at mm/mmap.c:968 vma_merge+0x3d4/0x1260 > > > > ... i.e. addr > curr->vm_start > > > > Thanks, > > Mark. >