From: Jann Horn
To: Andrew Morton
Cc: Linus Torvalds, Peter Zijlstra, Suren Baghdasaryan, Matthew Wilcox, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alan Stern, Andrea Parri, Will Deacon, Boqun Feng, Nicholas Piggin, David Howells, Jade Alglave, Luc Maranget, "Paul E.
McKenney", Akira Yokosawa, Daniel Lustig, Joel Fernandes
Subject: [PATCH 0/2] fix vma->anon_vma check for per-VMA locking; fix anon_vma memory ordering
Date: Wed, 26 Jul 2023 23:41:01 +0200
Message-ID: <20230726214103.3261108-1-jannh@google.com>

Hi!

Patch 1 here is a straightforward fix for a race in per-VMA locking code that can lead to use-after-free; I hope we can get this one into mainline and stable quickly.

Patch 2 is a fix for what I believe is a longstanding memory ordering issue in how vma->anon_vma is used across the MM subsystem; I expect that this one will have to go through a few iterations of review and potentially rewrites, because memory ordering is tricky. (If someone else wants to take over patch 2, I would be very happy.)

These patches don't really belong together all that much, I'm just sending them as a series because they'd otherwise conflict.

I am CCing:

- Suren because patch 1 touches his code
- Matthew Wilcox because he is also currently working on per-VMA locking stuff
- all the maintainers/reviewers for the Kernel Memory Consistency Model so they can help figure out the READ_ONCE() vs smp_load_acquire() thing
- people involved in the previous discussion on the security list

Jann Horn (2):
  mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock
  mm: Fix anon_vma memory ordering

 include/linux/rmap.h | 15 ++++++++++++++-
 mm/huge_memory.c     |  4 +++-
 mm/khugepaged.c      |  2 +-
 mm/ksm.c             | 16 +++++++++++-----
 mm/memory.c          | 32 ++++++++++++++++++++------------
 mm/mmap.c            | 13 ++++++++++---
 mm/rmap.c            |  6 ++++-
 mm/swapfile.c        |  3 ++-
 8 files changed, 65 insertions(+), 26 deletions(-)

base-commit: 20ea1e7d13c1b544fe67c4a8dc3943bb1ab33e6f
-- 
2.41.0.487.g6d72f3e995-goog